CVE-2003-0211
CVSS5.0
发布时间 :2003-05-05 00:00:00
修订时间 :2016-10-17 22:30:44
NMCOES    

[原文]Memory leak in xinetd 2.3.10 allows remote attackers to cause a denial of service (memory consumption) via a large number of rejected connections.


[CNNVD]Xinet拒绝连接内存泄露远程拒绝服务攻击漏洞(CNNVD-200305-002)

        
        Xinetd是一个来源于BSD inetd的安全替代产品,最初是由panos@cs.colorado.edu开发的。
        Xinetd当连接被拒绝时会发生内存泄露,远程攻击者可以利用这个漏洞对xinetd服务进行拒绝服务攻击。
        问题存在于service.c代码中:
        void svc_request( struct service *sp )
        {
         connection_s *cp ;
         status_e ret_code;
        
        
         cp = conn_new( sp ) ;
         if ( cp == CONN_NULL )
         return ;
         if (sp->svc_not_generic)
         ret_code = spec_service_handler(sp, cp);
         else
         ret_code = svc_generic_handler(sp, cp);
        
        
         if ( ret_code != OK )
         {
         if ( SVC_LOGS_USERID_ON_FAILURE( sp ) )
         if( spec_service_handler( LOG_SERVICE( ps ), cp ) == FAILED ) {
         conn_free( cp, 1 );
         return;
         }
         CONN_CLOSE(cp);
         }
        }
        上面代码存在一些问题,xinetd中的sigchld处理程序(child_exit->server_end->
        svc_postmortem)一般用于释放连接数据,如果ret_code返回非真,连接就仅仅关闭而已,而不是调用close(cp->co_descriptor); 由于sigchld不调用而不释放cp。cp指向的内存区域为144字节,大量的拒绝连接可导致消耗大量系统内存而发生拒绝服务。
        不过此漏洞仅仅存在Xinetd配置为能拒绝错误连接的情况下产生。
        

- CVSS (基础分值)

CVSS分值: 5 [中等(MEDIUM)]
机密性影响: [--]
完整性影响: [--]
可用性影响: [--]
攻击复杂度: [--]
攻击向量: [--]
身份认证: [--]

- CPE (受影响的平台与产品)

cpe:/a:xinetd:xinetd:2.3.0
cpe:/a:xinetd:xinetd:2.3.2
cpe:/a:xinetd:xinetd:2.3.1
cpe:/a:xinetd:xinetd:2.3.10Xinetd Xinetd 2.3.10
cpe:/a:xinetd:xinetd:2.3.4
cpe:/a:xinetd:xinetd:2.3.3
cpe:/a:xinetd:xinetd:2.3.6Xinetd Xinetd 2.3.6
cpe:/a:xinetd:xinetd:2.3.5Xinetd Xinetd 2.3.5
cpe:/a:xinetd:xinetd:2.3.8Xinetd Xinetd 2.3.8
cpe:/a:xinetd:xinetd:2.3.7Xinetd Xinetd 2.3.7
cpe:/a:xinetd:xinetd:2.3.9Xinetd Xinetd 2.3.9

- OVAL (用于检测的技术细节)

oval:org.mitre.oval:def:657xinitd Memory Leak Invites Denial of Service Attack
*OVAL详细的描述了检测该漏洞的方法,你可以从相关的OVAL定义中找到更多检测该漏洞的技术细节。

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0211
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0211
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200305-002
(官方数据源) CNNVD

- 其它链接及资源

http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=88537
(UNKNOWN)  CONFIRM  http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=88537
http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000782
(UNKNOWN)  CONECTIVA  CLA-2003:782
http://marc.info/?l=bugtraq&m=105068673220605&w=2
(UNKNOWN)  BUGTRAQ  20030418 Xinetd 2.3.10 Memory Leaks
http://www.mandriva.com/security/advisories?name=MDKSA-2003:056
(UNKNOWN)  MANDRAKE  MDKSA-2003:056
http://www.redhat.com/support/errata/RHSA-2003-160.html
(UNKNOWN)  REDHAT  RHSA-2003:160

- 漏洞信息

Xinet拒绝连接内存泄露远程拒绝服务攻击漏洞
中危 设计错误
2003-05-05 00:00:00 2005-10-20 00:00:00
远程  
        
        Xinetd是一个来源于BSD inetd的安全替代产品,最初是由panos@cs.colorado.edu开发的。
        Xinetd当连接被拒绝时会发生内存泄露,远程攻击者可以利用这个漏洞对xinetd服务进行拒绝服务攻击。
        问题存在于service.c代码中:
        void svc_request( struct service *sp )
        {
         connection_s *cp ;
         status_e ret_code;
        
        
         cp = conn_new( sp ) ;
         if ( cp == CONN_NULL )
         return ;
         if (sp->svc_not_generic)
         ret_code = spec_service_handler(sp, cp);
         else
         ret_code = svc_generic_handler(sp, cp);
        
        
         if ( ret_code != OK )
         {
         if ( SVC_LOGS_USERID_ON_FAILURE( sp ) )
         if( spec_service_handler( LOG_SERVICE( ps ), cp ) == FAILED ) {
         conn_free( cp, 1 );
         return;
         }
         CONN_CLOSE(cp);
         }
        }
        上面代码存在一些问题,xinetd中的sigchld处理程序(child_exit->server_end->
        svc_postmortem)一般用于释放连接数据,如果ret_code返回非真,连接就仅仅关闭而已,而不是调用close(cp->co_descriptor); 由于sigchld不调用而不释放cp。cp指向的内存区域为144字节,大量的拒绝连接可导致消耗大量系统内存而发生拒绝服务。
        不过此漏洞仅仅存在Xinetd配置为能拒绝错误连接的情况下产生。
        

- 公告与补丁

        厂商补丁:
        Xinetd
        ------
        目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
        Xinetd Upgrade xinetd-2.3.11.tar.gz
        
        http://www.xinetd.org/xinetd-2.3.11.tar.gz

- 漏洞信息 (22508)

Xinetd 2.1.x/2.3.x Rejected Connection Memory Leakage Denial Of Service Vulnerability (EDBID:22508)
linux dos
2003-04-18 Verified
0 Steve Grubb
N/A [点击下载]
source: http://www.securityfocus.com/bid/7382/info

A denial of service vulnerability has been reported for Xinetd. The vulnerability exists due to memory leaks occuring when connections are rejected.

Numerous, repeated connections to a vulnerable Xinetd server will result in the consumption of all available memory resources thereby causing a denial of service condition. 

while true; do telnet localhost chargen < /dev/null; done; 		

- 漏洞信息

12125
xinetd Rejected Connection Saturation DoS
Denial of Service
Loss of Availability

- 漏洞描述

Unknown or Incomplete

- 时间线

2003-04-16 Unknow
Unknow Unknow

- 解决方案

Unknown or Incomplete

- 相关参考

- 漏洞作者

Unknown or Incomplete

- 漏洞信息

Xinetd Rejected Connection Memory Leakage Denial Of Service Vulnerability
Design Error 7382
Yes No
2003-04-18 12:00:00 2009-07-11 09:07:00
Discovery of this vulnerability credited to Steve Grubb <linux_4ever@yahoo.com>.

- 受影响的程序版本

Xinetd Xinetd 2.3.10
+ Conectiva Linux 9.0
+ Mandriva Linux Mandrake 9.1 ppc
+ Mandriva Linux Mandrake 9.1
+ Terra Soft Solutions Yellow Dog Linux 3.0
Xinetd Xinetd 2.3.9
Xinetd Xinetd 2.3.8
Xinetd Xinetd 2.3.7
+ Mandriva Linux Mandrake 9.0
Xinetd Xinetd 2.3.6
+ MandrakeSoft Corporate Server 2.1
+ Mandriva Linux Mandrake 8.2 ppc
+ Mandriva Linux Mandrake 8.2
Xinetd Xinetd 2.3.5
+ Gentoo Linux 0.7
+ Gentoo Linux 0.5
Xinetd Xinetd 2.3.4
Xinetd Xinetd 2.3.3
Xinetd Xinetd 2.3.2
Xinetd Xinetd 2.3.1
Xinetd Xinetd 2.3
+ Conectiva Linux 7.0
+ Conectiva Linux 6.0
+ Immunix Immunix OS 7.0
Xinetd Xinetd 2.1.8 .9pre15
+ Immunix Immunix OS 7.0 beta
+ Immunix Immunix OS 7.0
Xinetd Xinetd 2.1.8 .9pre14
+ Mandriva Linux Mandrake 8.0
+ RedHat Linux 7.1
Xinetd Xinetd 2.1.8 .9pre13
Xinetd Xinetd 2.1.8 .9pre12
+ MandrakeSoft Single Network Firewall 7.2
+ Mandriva Linux Mandrake 7.2
Sun Linux 5.0.5
RedHat xinetd-2.3.7-2.i386.rpm
+ RedHat Linux 8.0
RedHat xinetd-2.3.4-0.8.i386.rpm
+ RedHat Linux 7.3
RedHat xinetd-2.3.3-1.ia64.rpm
+ RedHat Linux 7.2 ia64
RedHat xinetd-2.3.3-1.i386.rpm
+ RedHat Linux 7.2 i386
RedHat xinetd-2.3.10-6.i386.rpm
+ RedHat Linux 9.0 i386
RedHat xinetd-2.1.8.9pre9-6.i386.rpm
+ RedHat Linux 7.0
RedHat xinetd-2.1.8.9pre14-6.i386.rpm
+ RedHat Linux 7.1
Xinetd Xinetd 2.3.11

- 不受影响的程序版本

Xinetd Xinetd 2.3.11

- 漏洞讨论

A denial of service vulnerability has been reported for Xinetd. The vulnerability exists due to memory leaks occuring when connections are rejected.

Numerous, repeated connections to a vulnerable Xinetd server will result in the consumption of all available memory resources thereby causing a denial of service condition.

- 漏洞利用

The following proof of concept was provided:

while true; do telnet localhost chargen &lt; /dev/null; done;

- 解决方案

Sun has released updates for Sun Linux 5.0.5.

Red Hat has released a security advisory (RHSA-2003:160-01) containing fixes to address this issue. Users are advised to upgrade as soon as possible. Red Hat has also released an advisory (RHSA-2003:161-07) which contains upgrade details for Enterprise distributions, which are available through the Red Hat Network.

Conectiva has released an advisory CLA-2003:782 to address this issue. Please see the referenced advisory for detailed information about obtaining fixes.

Conectiva has also released an advisory (CLSA-2003:790) including a fix to address this issue in CLEE 1.0.

Fixes available:


RedHat xinetd-2.3.7-2.i386.rpm

RedHat xinetd-2.1.8.9pre14-6.i386.rpm

RedHat xinetd-2.3.4-0.8.i386.rpm

RedHat xinetd-2.3.3-1.i386.rpm

RedHat xinetd-2.3.3-1.ia64.rpm

RedHat xinetd-2.3.10-6.i386.rpm

Xinetd Xinetd 2.1.8 .9pre12

Xinetd Xinetd 2.3

Xinetd Xinetd 2.3.1

Xinetd Xinetd 2.3.10

Xinetd Xinetd 2.3.2

Xinetd Xinetd 2.3.3

Xinetd Xinetd 2.3.4

Xinetd Xinetd 2.3.5

Xinetd Xinetd 2.3.6

Xinetd Xinetd 2.3.7

Xinetd Xinetd 2.3.8

Xinetd Xinetd 2.3.9

Sun Linux 5.0.5

- 相关参考

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站