Published: 2003-11-17 00:00:00
Revised: 2016-10-17 22:38:02

[Original] The TCP reassembly functionality in libnids before 1.18 allows remote attackers to cause "memory corruption" and possibly execute arbitrary code via "overlarge TCP packets."

[CNNVD] Libnids TCP Packet Reassembly Memory Corruption Vulnerability (CNNVD-200311-052)

        Libnids provides IP defragmentation, TCP stream reassembly and port-scan detection. Libnids mishandles oversized TCP packets: a remote attacker can send malicious TCP packets that crash an application using the Libnids TCP reassembly functionality, and carefully crafted data may allow arbitrary instructions to be executed on the system with the privileges of the application process.

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)


- OVAL (technical details for detection)


- Official database links
(official data source) MITRE
(official data source) NVD
(official data source) CNNVD

- Other links and resources
(UNKNOWN)  BUGTRAQ  20031027 Libnids <= 1.17 buffer overflow

- Vulnerability information

Libnids TCP Packet Reassembly Memory Corruption Vulnerability
High risk  Boundary condition error
2003-11-17 00:00:00 2005-10-20 00:00:00

- Advisories and patches


        Conectiva Upgrade libnids-1.18-1U70_1cl.i386.rpm
        Conectiva Upgrade libnids-devel-1.18-1U70_1cl.i386.rpm
        Conectiva Upgrade libnids-devel-static-1.18-1U70_1cl.i386.rpm
        Conectiva Upgrade libnids-1.18-1U80_1cl.i386.rpm
        Conectiva Upgrade libnids-devel-1.18-1U80_1cl.i386.rpm
        Conectiva Upgrade libnids-devel-static-1.18-1U80_1cl.i386.rpm
        Conectiva Upgrade libnids-1.18-8448U90_1cl.i386.rpm
        Conectiva Upgrade libnids-devel-1.18-8448U90_1cl.i386.rpm
        Conectiva Upgrade libnids-devel-static-1.18-8448U90_1cl.i386.rpm
        Dug Song dsniff 2.3:
        Conectiva Upgrade dsniff-2.3-4U70_1cl.i386.rpm
        Conectiva Upgrade dsniff-2.3-7U80_1cl.i386.rpm
        Conectiva Upgrade dsniff-webspy-2.3-7U80_1cl.i386.rpm
        Conectiva Upgrade dsniff-2.3-24591U90_1cl.i386.rpm
        Conectiva Upgrade dsniff-webspy-2.3-24591U90_1cl.i386.rpm
        Rafal Wojtczuk
        Rafal Wojtczuk Upgrade Libnids 1.18

- Vulnerability information

Libnids TCP Reassembly Module Overflow
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Unknown

- Vulnerability description

Libnids contains a flaw that may allow a remote attacker to execute arbitrary code. The issue is due to an unchecked buffer in the TCP reassembly module. If an attacker sends a specially crafted packet, they may be able to overflow the buffer and execute arbitrary code with root privileges.

- Timeline

2003-10-28 Unknown
Unknown Unknown

- Solution

Upgrade to version 1.18 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- References

- Credit

- Vulnerability information

Libnids TCP Packet Reassembly Memory Corruption Vulnerability
Boundary Condition Error 8905
Yes No
2003-10-15 12:00:00 2009-07-11 11:56:00
The discovery of this issue has been credited to Robert Watson <>.

- Affected versions

Rafal Wojtczuk Libnids 1.17
Rafal Wojtczuk Libnids 1.16
+ Conectiva Linux 9.0
+ Conectiva Linux 8.0
+ Conectiva Linux 7.0
Rafal Wojtczuk Libnids 1.14
Rafal Wojtczuk Libnids 1.13
Rafal Wojtczuk Libnids 1.12
Rafal Wojtczuk Libnids 1.11
Dug Song dsniff 2.3
Rafal Wojtczuk Libnids 1.18

- Unaffected versions

Rafal Wojtczuk Libnids 1.18

- Vulnerability discussion

A vulnerability has been discovered in Libnids that could result in memory corruption. The problem is said to occur while handling TCP packets of excessive size. As a result of this condition, it is believed that an attacker could potentially execute arbitrary code within the context of an application that uses the Libnids TCP packet reassembly functionality.

- Exploit

Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: <>.

- Solution

Libnids 1.18 has been released and addresses this issue. Users are advised to upgrade as soon as possible. It should be noted that applications that were statically linked to a vulnerable version of Libnids will not be fixed by this upgrade. The application will have to be re-linked to an invulnerable version of the library.

Gentoo has released an advisory (200311-07) to address this issue. Gentoo has advised that all Gentoo Linux users running 'net-libs/libnids' update their systems using the following commands:

emerge sync
emerge '>=net-libs/libnids-1.18'
emerge clean

Conectiva has released a security advisory (CLA-2003:773) containing fixes to address this issue.

Debian has released an advisory (DSA 410-1) to address this issue. Please see the attached advisory for details on obtaining and applying fixes.


- References