CVE-2003-0850
CVSS 7.5
Published: 2003-11-17 00:00:00
Revised: 2016-10-17 22:38:02

[Original text] The TCP reassembly functionality in libnids before 1.18 allows remote attackers to cause "memory corruption" and possibly execute arbitrary code via "overlarge TCP packets."


[CNNVD] Libnids TCP Packet Reassembly Memory Corruption Vulnerability (CNNVD-200311-052)

        
Libnids is a library that implements NIDS functionality.
Libnids lacks proper buffer bounds checking when handling TCP reassembly; a remote attacker can exploit this flaw to carry out a buffer overflow attack.
Libnids provides IP defragmentation, TCP stream reassembly and port-scan detection. It mishandles overlarge TCP packets, so sending malicious TCP packets can crash applications that use Libnids's TCP reassembly, and carefully crafted malicious data could execute arbitrary instructions on the system with the privileges of the application process.
        

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/a:rafal_wojtczuk:libnids:1.12
cpe:/a:rafal_wojtczuk:libnids:1.13
cpe:/a:rafal_wojtczuk:libnids:1.16
cpe:/a:dug_song:dsniff:2.3
cpe:/a:rafal_wojtczuk:libnids:1.11
cpe:/a:rafal_wojtczuk:libnids:1.14
cpe:/a:rafal_wojtczuk:libnids:1.17

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0850
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0850
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200311-052
(official data source) CNNVD

- Other links and resources

http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000773
(UNKNOWN)  CONECTIVA  CLA-2003:773
http://marc.info/?l=bugtraq&m=106728224210446&w=2
(UNKNOWN)  BUGTRAQ  20031027 Libnids <= 1.17 buffer overflow
http://sourceforge.net/project/shownotes.php?release_id=191323
(VENDOR_ADVISORY)  CONFIRM  http://sourceforge.net/project/shownotes.php?release_id=191323
http://www.debian.org/security/2004/dsa-410
(VENDOR_ADVISORY)  DEBIAN  DSA-410

- Vulnerability information

Libnids TCP Packet Reassembly Memory Corruption Vulnerability
High risk  Boundary Condition Error
2003-11-17 00:00:00 2005-10-20 00:00:00
Remote
        
        

- Advisories and patches

Vendor patches:
Conectiva
---------
Conectiva has released a security advisory (CLA-2003:773) and corresponding patches for this issue:
CLA-2003:773: libnids
Link:
http://distro.conectiva.com/atualizacoes/?id=a&anuncio=000773

Patch downloads:
Conectiva Upgrade libnids-1.18-1U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/libnids-1.18-1U70_1cl.i386.rpm
Conectiva Upgrade libnids-devel-1.18-1U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/libnids-devel-1.18-1U70_1cl.i386.rpm
Conectiva Upgrade libnids-devel-static-1.18-1U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/libnids-devel-static-1.18-1U70_1cl.i386.rpm
Conectiva Upgrade libnids-1.18-1U80_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/libnids-1.18-1U80_1cl.i386.rpm
Conectiva Upgrade libnids-devel-1.18-1U80_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/libnids-devel-1.18-1U80_1cl.i386.rpm
Conectiva Upgrade libnids-devel-static-1.18-1U80_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/libnids-devel-static-1.18-1U80_1cl.i386.rpm
Conectiva Upgrade libnids-1.18-8448U90_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/libnids-1.18-8448U90_1cl.i386.rpm
Conectiva Upgrade libnids-devel-1.18-8448U90_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/libnids-devel-1.18-8448U90_1cl.i386.rpm
Conectiva Upgrade libnids-devel-static-1.18-8448U90_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/libnids-devel-static-1.18-8448U90_1cl.i386.rpm
Dug Song dsniff 2.3:
Conectiva Upgrade dsniff-2.3-4U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/dsniff-2.3-4U70_1cl.i386.rpm
Conectiva Upgrade dsniff-2.3-7U80_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/dsniff-2.3-7U80_1cl.i386.rpm
Conectiva Upgrade dsniff-webspy-2.3-7U80_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/dsniff-webspy-2.3-7U80_1cl.i386.rpm
Conectiva Upgrade dsniff-2.3-24591U90_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/dsniff-2.3-24591U90_1cl.i386.rpm
Conectiva Upgrade dsniff-webspy-2.3-24591U90_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/dsniff-webspy-2.3-24591U90_1cl.i386.rpm
Rafal Wojtczuk
--------------
The vendor has released an upgraded version that fixes this security issue; download it from the vendor's home page:
Rafal Wojtczuk Upgrade Libnids 1.18
https://sourceforge.net/project/showfiles.php?group_id=92215

- Vulnerability information

2716
Libnids TCP Reassembly Module Overflow
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Unknown

- Vulnerability description

Libnids contains a flaw that may allow a remote attacker to execute arbitrary code. The issue is due to an unchecked buffer in the TCP reassembly module. If an attacker sends a specially crafted packet, they may be able to overflow the buffer and execute arbitrary code with root privileges.

- Timeline

2003-10-28 Unknown
Unknown Unknown

- Solution

Upgrade to version 1.18 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Vulnerability information

Libnids TCP Packet Reassembly Memory Corruption Vulnerability
Class: Boundary Condition Error   Bugtraq ID: 8905
Remote: Yes   Local: No
Published: 2003-10-15 12:00:00   Updated: 2009-07-11 11:56:00
The discovery of this issue has been credited to Robert Watson <rwatson@FreeBSD.org>.

- Affected program versions

Rafal Wojtczuk Libnids 1.17
Rafal Wojtczuk Libnids 1.16
+ Conectiva Linux 9.0
+ Conectiva Linux 8.0
+ Conectiva Linux 7.0
Rafal Wojtczuk Libnids 1.14
Rafal Wojtczuk Libnids 1.13
Rafal Wojtczuk Libnids 1.12
Rafal Wojtczuk Libnids 1.11
Dug Song dsniff 2.3
Rafal Wojtczuk Libnids 1.18

- Unaffected program versions

Rafal Wojtczuk Libnids 1.18

- Discussion

A vulnerability has been discovered in Libnids that could result in memory corruption. The problem is said to occur while handling TCP packets of excessive size. As a result of this condition, it is believed that an attacker could potentially execute arbitrary code within the context of a program implementing the use of the Libnids TCP packet reassembly functionality.
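As an added illustration (not libnids code, and not a reconstruction of the flaw in any libnids version), the C block below shows the bounds checks a TCP reassembly buffer needs before copying a segment payload at its sequence offset: both the offset and the claimed payload length are tested against the remaining capacity, so an overlarge segment is rejected instead of overrunning the buffer. The buffer size, struct layout, function names and result codes are this example's assumptions.

```c
/* Added example, not libnids code: a reassembly buffer that validates a
 * segment's offset and length before copying. Sizes/names are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define STREAM_BUF_MAX 65535u  /* assumed per-stream window size */
struct tcp_stream_buf {
    unsigned char data[STREAM_BUF_MAX];
    size_t len;          /* bytes buffered so far */
    uint32_t base_seq;   /* sequence number of data[0] */
};
enum append_result { APPEND_OK = 0, APPEND_TOO_LARGE = 1, APPEND_BAD_OFFSET = 2 };

/* Copy a segment payload at its sequence offset; refuse anything that would
 * write past the end of the buffer rather than trusting the claimed plen. */
enum append_result stream_append(struct tcp_stream_buf *s, uint32_t seq,
                                 const unsigned char *payload, size_t plen)
{
    size_t offset = (uint32_t)(seq - s->base_seq);  /* modular TCP arithmetic */
    if (offset > STREAM_BUF_MAX)
        return APPEND_BAD_OFFSET;  /* also catches seq behind base_seq */
    if (plen > STREAM_BUF_MAX - offset)  /* remaining capacity; cannot wrap */
        return APPEND_TOO_LARGE;
    memcpy(s->data + offset, payload, plen);
    if (offset + plen > s->len)
        s->len = offset + plen;
    return APPEND_OK;
}
/* Feed one constructed segment (plen filler bytes at sequence seq) into a
 * fresh stream starting at base_seq; returns the append result as an int. */
int demo_segment(uint32_t base_seq, uint32_t seq, size_t plen)
{
    static struct tcp_stream_buf s;
    unsigned char *payload = malloc(plen ? plen : 1);
    if (payload == NULL)
        return -1;
    memset(payload, 'A', plen);
    memset(&s, 0, sizeof s);
    s.base_seq = base_seq;
    int r = (int)stream_append(&s, seq, payload, plen);
    free(payload);
    return r;
}

int main(void)
{   /* expected: 0 1 2 (OK, too large, bad offset) */
    printf("%d %d %d\n", demo_segment(1000, 1000, 1460),
           demo_segment(1000, 1000, 70000), demo_segment(1000, 500, 10));
    return 0;
}
```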

- Exploit

Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com <mailto:vuldb@securityfocus.com>.

- Solution

Libnids 1.18 has been released and addresses this issue. Users are advised to upgrade as soon as possible. It should be noted that applications that were statically linked to a vulnerable version of Libnids will not be fixed by this upgrade. The application will have to be re-linked to an invulnerable version of the library.

Gentoo has released an advisory (200311-07) to address this issue. Gentoo has advised all Gentoo Linux users who are running 'net-libs/libnids' to update their systems using the following commands:

emerge sync
emerge '>=net-libs/libnids-1.18'
emerge clean

Conectiva has released a security advisory (CLA-2003:773) containing fixes to address this issue.

Debian has released an advisory (DSA 410-1) to address this issue. Please see the attached advisory for details on obtaining and applying fixes.

About the SCAP Chinese Community

The SCAP Chinese Community is the first Chinese-language open community in China devoted to SCAP. For more information, see [About this site].

Copyright notice

CVE, CWE and OVAL are registered trademarks of the MITRE Corporation; their official data sources are kept on MITRE's websites.