CVE-2002-0314
CVSS5.0
发布时间 :2002-06-25 00:00:00
修订时间 :2016-10-17 22:18:57
NMCOS    

[原文]fasttrack p2p, as used in (1) KaZaA before 1.5, (2) grokster, and (3) morpheus allows remote attackers to cause a denial of service (memory exhaustion) via a series of client-to-client messages, which pops up new windows per message.


[CNNVD]FastTrack P2P技术信息服务存在拒绝服务漏洞(CNNVD-200206-072)

        
        KaZaA, Grokster和Morpheus是基于FastTrack P2P技术的文件共享客户端,它们运行于Microsoft Windows平台,并已经移植到Linux平台。
        基于FastTrack P2P技术的文件共享客户端存在拒绝服务问题。
        反复的发送消息到运行有漏洞客户端的主机将会耗尽它的资源。虽然可以用客户端忽略恶意重复信息的特性来减轻这个漏洞的影响,但它还存在攻击者伪造身份的漏洞。
        基于FastTrack P2P技术的文件共享客户端如果有消息功能可能都会有这个漏洞。
        KaZaA的1.5版本不受影响。
        

- CVSS (基础分值)

CVSS分值: 5 [中等(MEDIUM)]
机密性影响: [--]
完整性影响: [--]
可用性影响: [--]
攻击复杂度: [--]
攻击向量: [--]
身份认证: [--]

- CPE (受影响的平台与产品)

cpe:/a:fasttrack:kazaa:1.3.3
cpe:/a:grokster:grokster:1.3.3
cpe:/a:fasttrack:kazaa:1.4
cpe:/a:grokster:grokster:1.3
cpe:/a:music_city_networks:morpheus:1.3.3
cpe:/a:fasttrack:kazaa:1.3
cpe:/a:music_city_networks:morpheus:1.3
cpe:/a:fasttrack:kazaa:1.2

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0314
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-0314
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200206-072
(官方数据源) CNNVD

- 其它链接及资源

http://marc.info/?l=bugtraq&m=101441689224760&w=2
(UNKNOWN)  BUGTRAQ  20020222 Morpheus, Kazaa and Grokster Remote DoS. Also Identity faking vulnerability.
http://www.iss.net/security_center/static/8273.php
(VENDOR_ADVISORY)  XF  fasttrack-message-service-dos(8273)
http://www.securityfocus.com/bid/4122
(VENDOR_ADVISORY)  BID  4122

- 漏洞信息

FastTrack P2P技术信息服务存在拒绝服务漏洞
中危 其他
2002-06-25 00:00:00 2005-10-20 00:00:00
远程  
        
        KaZaA, Grokster和Morpheus是基于FastTrack P2P技术的文件共享客户端,它们运行于Microsoft Windows平台,并已经移植到Linux平台。
        基于FastTrack P2P技术的文件共享客户端存在拒绝服务问题。
        反复的发送消息到运行有漏洞客户端的主机将会耗尽它的资源。虽然可以用客户端忽略恶意重复信息的特性来减轻这个漏洞的影响,但它还存在攻击者伪造身份的漏洞。
        基于FastTrack P2P技术的文件共享客户端如果有消息功能可能都会有这个漏洞。
        KaZaA的1.5版本不受影响。
        

- 公告与补丁

        临时解决方法:
        如果您不能立刻安装补丁或者升级,CNNVD建议您采取以下措施以降低威胁:
        * 暂时没有好的临时解决方法。
        厂商补丁:
        Fast Track
        ----------
        目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
        KaZaA 1.5不受影响,请升级到该版本:
        KaZaA Upgrade KaZaA 1.5
        
        http://www.kazaa.com/en/index.htm

- 漏洞信息

59554
fasttrack Client-to-client Message Saturation Remote DoS
Remote / Network Access Denial of Service
Loss of Availability
Exploit Public

- 漏洞描述

Unknown or Incomplete

- 时间线

2002-02-22 Unknow
Unknow Unknow

- 解决方案

Unknown or Incomplete

- 相关参考

- 漏洞作者

Unknown or Incomplete

- 漏洞信息

FastTrack P2P Technology Message Service Denial Of Service Vulnerability
Failure to Handle Exceptional Conditions 4122
Yes No
2002-02-17 12:00:00 2009-07-11 10:56:00
This vulnerability was submitted to BugTraq on February 17th, 2002 by mrjade 2k2 <mrjade@softhome.net>.

- 受影响的程序版本

Music City Networks Morpheus 1.3.3
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows ME
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0
- Microsoft Windows XP Home
Music City Networks Morpheus 1.3
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0
Grokster Grokster 1.3.3
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows ME
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0
- Microsoft Windows XP Home
Grokster Grokster 1.3
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows ME
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0
- Microsoft Windows XP Home
FastTrack KaZaA 1.4
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows ME
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0
- Microsoft Windows XP Home
FastTrack KaZaA 1.3.3
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows ME
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0
- Microsoft Windows XP Home
FastTrack KaZaA 1.3
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0
FastTrack KaZaA 1.2
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows ME
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0
- Microsoft Windows XP Home
FastTrack KaZaA 1.5
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows ME
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0
- Microsoft Windows XP Home

- 不受影响的程序版本

FastTrack KaZaA 1.5
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows ME
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0
- Microsoft Windows XP Home

- 漏洞讨论

KaZaA, Grokster and Morpheus are file-sharing clients based on FastTrack P2P technologies. They will run on Microsoft Windows 9x/ME/NT/2000/XP systems. Ports also exist for variants of the Linux operating system.

It has been reported that it is possible to starve resources on a host running a vulnerable client by repeatedly sending messages. While normally this issue could be mitigated by using the features provided by the client to ignore a malicious user who is repeatedly sending messages, it has been discovered that it is also possible for an attacker to spoof their identity.

The identity spoofing issue is described in BugTraq 4121 "FastTrack P2P Technology Message Service Identity Spoofing Vulnerability".

Any versions of file-sharing clients based on FastTrack P2P technologies which include the messaging functionality should be considered prone to this issue.

This issue has reportedly been addressed in KaZaA v1.5.

- 漏洞利用

There is no exploit code required.

- 解决方案

This issue has reportedly been addressed in KaZaA version 1.5.


FastTrack KaZaA 1.2

FastTrack KaZaA 1.3

FastTrack KaZaA 1.3.3

FastTrack KaZaA 1.4

- 相关参考

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站