CVE-2003-1029
CVSS 5.0
Published: 2004-02-17 00:00:00
Revised: 2016-10-17 22:39:09

[Original] The L2TP protocol parser in tcpdump 3.8.1 and earlier allows remote attackers to cause a denial of service (infinite loop and memory consumption) via a packet with invalid data to UDP port 1701, which causes l2tp_avp_print to use a bad length value when calling print_octets.


[CNNVD] TCPDump Remote Denial of Service Vulnerability (CNNVD-200402-082)

        
TCPDump is a powerful network protocol analyzer.
TCPDump has a flaw in its handling of the L2TP protocol; a remote attacker can exploit this vulnerability to mount a denial of service attack.
Sending a packet containing the bytes 0xff, 0x02 to port 1701/udp causes the L2TP protocol parser in TCPDump to enter an infinite loop, consuming all memory and ending in a segmentation fault.
This vulnerability has been reproduced with tcpdump 3.7 and earlier on OpenBSD 3.3 and -current; other versions may also be affected.
        

- CVSS (Base Score)

CVSS score: 5 [Medium (MEDIUM)]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (Affected platforms and products)

cpe:/a:lbl:tcpdump:3.4
cpe:/a:lbl:tcpdump:3.6.3
cpe:/a:lbl:tcpdump:3.7
cpe:/a:lbl:tcpdump:3.6.2
cpe:/a:lbl:tcpdump:3.5.2
cpe:/a:lbl:tcpdump:3.5

- OVAL (Technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1029
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-1029
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200402-082
(Official data source) CNNVD

- Other links and resources

http://lwn.net/Alerts/66805/
(UNKNOWN)  ENGARDE  ESA-20040119-002
http://marc.info/?l=bugtraq&m=107193841728533&w=2
(UNKNOWN)  BUGTRAQ  20031220 Remote crash in tcpdump from OpenBSD
http://marc.info/?l=bugtraq&m=107213553214985&w=2
(UNKNOWN)  BUGTRAQ  20031221 Re: Remote crash in tcpdump from OpenBSD
http://marc.info/?l=tcpdump-workers&m=107228187124962&w=2
(UNKNOWN)  MLIST  [tcpdump-workers] 20031224 Seg fault of tcpdump (v 3.8.1 and below) with malformed l2tp packets
http://www.debian.org/security/2004/dsa-425
(VENDOR_ADVISORY)  DEBIAN  DSA-425
http://www.mandriva.com/security/advisories?name=MDKSA-2004:008
(UNKNOWN)  MANDRAKE  MDKSA-2004:008
http://www.securityfocus.com/archive/1/archive/1/350238/30/21640/threaded
(UNKNOWN)  BUGTRAQ  20040119 [ESA-20040119-002] 'tcpdump' multiple vulnerabilities.
http://www.securitytracker.com/id?1008748
(UNKNOWN)  SECTRACK  1008748

- Vulnerability information

TCPDump Remote Denial of Service Vulnerability
Medium  Other
2004-02-17 00:00:00 2009-02-20 00:00:00
Remote
        
        

- Advisories and patches

Temporary workaround:
If you cannot install the patch or upgrade immediately, CNNVD recommends the following measures to reduce the threat:
* Michele Marchetto has provided the following third-party patch:
        --- Makefile.old Tue Dec 23 12:56:49 2003
        +++ Makefile Tue Dec 23 12:58:15 2003
        @@ -23,7 +23,7 @@
        PROG= tcpdump
        MAN= tcpdump.8
        -CFLAGS+=-Wall -I${.CURDIR}/../../sbin/pfctl
        +CFLAGS+=-Wall -I/usr/src/sys -I${.CURDIR}/../../sbin/pfctl
        .PATH: ${.CURDIR}/../../sbin/pfctl
        CFLAGS+=-DCSLIP -DPPP -DHAVE_FDDI -DETHER_SERVICE -DRETSIGTYPE=void -DHAVE_NET_SLIP_H -DHAVE_ETHER_NTOHOST -DINET6
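Review bot: The `+CFLAGS+=-Wall -I/usr/src/sys -I${.CURDIR}/../../sbin/pfctl` line is a build-environment change, not part of the parser fix: it hardcodes a kernel source path that only exists on hosts with /usr/src checked out, and nothing in the patch says which header needs it. Either keep it out of the security patch or add a comment explaining the extra include path.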
        --- print-l2tp.c.old Tue Dec 23 12:55:49 2003
        +++ print-l2tp.c Tue Dec 23 12:56:25 2003
        @@ -605,6 +605,8 @@
        printf(")");
        } else {
        printf(" invalid AVP %u", ntohs(*ptr));
        +
        + return;
        }
        if (length >= len && len > 0)
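Review bot: The bare `return;` after `printf(" invalid AVP %u", ntohs(*ptr));` abandons the rest of the AVP walk on the first unrecognised type, so one unknown AVP silences every AVP that follows it, while the trailing context `if (length >= len && len > 0)` shows that the length is only checked after the type dispatch. Validating `len` against `length` before dispatching on the type (the existing `len > 0` guard already hints that a zero length is a case to handle) would address the bad length value the description attributes to l2tp_avp_print without truncating output for well-formed messages. The empty `+` line before the return is stray whitespace.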
Vendor patch:
LBL
---
Tcpdump 3.7.1 is not affected by this vulnerability; users are advised to download and use it from the vendor's homepage:
        
        http://www.tcpdump.org

- Vulnerability information (23452)

Tcpdump 3.x L2TP Parser Remote Denial of Service Vulnerability (EDBID:23452)
linux dos
2003-12-20 Verified
0 Przemyslaw Frasunek
N/A
source: http://www.securityfocus.com/bid/9263/info

A vulnerability has been reported to exist in the software that may allow a remote attacker to cause a denial of service condition in tcpdump. The issue presents itself when an attacker sends a maliciously formatted packet containing 0xff,0x02 bytes to UDP port 1701 of a system running a vulnerable version of tcpdump.

This issue is reported to affect tcpdump 3.7 and prior running on OpenBSD 3.3 and -current; however, other versions on different platforms could be affected as well.

tcpdump -i lo0 -n udp and dst port 1701 &
perl -e 'print "\xff\x02"' | nc -u localhost 1701

Example packet data has been provided by Balaram Amgoth <ramgoth@yahoo.com>:
char packet[] = "\x82\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";

		

- Vulnerability information

3556
tcpdump L2TP DoS
Denial of Service
Loss of Availability

- Vulnerability description

Unknown or Incomplete

- Timeline

2004-01-15 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- References

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Tcpdump L2TP Parser Remote Denial of Service Vulnerability
Failure to Handle Exceptional Conditions 9263
Yes No
2003-12-20 12:00:00 2009-07-12 12:56:00
The disclosure of this issue has been credited to Przemyslaw Frasunek <venglin@freebsd.lublin.pl>.

- Affected program versions

OpenBSD OpenBSD 3.3
LBL tcpdump 3.8.1
+ Mandriva Linux Mandrake 10.0
LBL tcpdump 3.7.2
+ MandrakeSoft Corporate Server 2.1 x86_64
+ MandrakeSoft Corporate Server 2.1
+ MandrakeSoft Multi Network Firewall 2.0
+ Mandriva Linux Mandrake 9.2 amd64
+ Mandriva Linux Mandrake 9.2
+ Mandriva Linux Mandrake 9.1 ppc
+ Mandriva Linux Mandrake 9.1
+ Turbolinux Turbolinux Advanced Server 6.0
+ Turbolinux Turbolinux Desktop 10.0
+ Turbolinux Turbolinux Server 8.0
+ Turbolinux Turbolinux Server 7.0
+ Turbolinux Turbolinux Server 6.5
+ Turbolinux Turbolinux Server 6.1
+ Turbolinux Turbolinux Workstation 8.0
+ Turbolinux Turbolinux Workstation 7.0
+ Turbolinux Turbolinux Workstation 6.1
+ Turbolinux Turbolinux Workstation 6.0
LBL tcpdump 3.7.1
+ FreeBSD FreeBSD 4.7 -RELEASE
+ FreeBSD FreeBSD 4.7
+ Gentoo Linux 1.4 _rc2
+ Gentoo Linux 1.4 _rc1
+ S.u.S.E. Linux 8.1
LBL tcpdump 3.7
+ FreeBSD FreeBSD 4.6 -RELEASE
+ FreeBSD FreeBSD 4.6
+ FreeBSD FreeBSD 4.5 -STABLE
+ FreeBSD FreeBSD 4.5 -RELEASE
+ FreeBSD FreeBSD 4.5
+ FreeBSD FreeBSD 4.4 -STABLE
+ FreeBSD FreeBSD 4.4 -RELENG
+ FreeBSD FreeBSD 4.4
+ FreeBSD FreeBSD 4.3 -STABLE
+ FreeBSD FreeBSD 4.3 -RELENG
+ FreeBSD FreeBSD 4.3 -RELEASE
+ FreeBSD FreeBSD 4.3
+ FreeBSD FreeBSD 4.2 -STABLE
+ FreeBSD FreeBSD 4.2 -RELEASE
+ FreeBSD FreeBSD 4.2
LBL tcpdump 3.6.3
+ EnGarde Secure Community 2.0
+ EnGarde Secure Community 1.0.1
+ EnGarde Secure Professional 1.5
+ EnGarde Secure Professional 1.2
+ EnGarde Secure Professional 1.1
LBL tcpdump 3.6.2
+ Caldera OpenLinux Server 3.1.1
+ Caldera OpenLinux Server 3.1
+ Caldera OpenLinux Workstation 3.1.1
+ Caldera OpenLinux Workstation 3.1
+ Conectiva Linux 8.0
+ Conectiva Linux 7.0
+ Conectiva Linux 6.0
+ Conectiva Linux 5.1
+ Conectiva Linux 5.0
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ Debian Linux 3.0
+ FreeBSD FreeBSD 4.3
+ FreeBSD FreeBSD 4.2
+ FreeBSD FreeBSD 4.1.1
+ FreeBSD FreeBSD 4.1
+ FreeBSD FreeBSD 4.0
+ HP Secure OS software for Linux 1.0
+ MandrakeSoft Corporate Server 1.0.1
+ MandrakeSoft Single Network Firewall 7.2
+ Mandriva Linux Mandrake 8.2
+ Mandriva Linux Mandrake 8.1
+ Mandriva Linux Mandrake 8.0
+ Mandriva Linux Mandrake 7.2
+ Mandriva Linux Mandrake 7.1
+ RedHat Linux 7.2 ia64
+ RedHat Linux 7.2 i386
+ RedHat Linux 7.1 ia64
+ RedHat Linux 7.1 i386
+ RedHat Linux 7.1 alpha
+ RedHat Linux 7.0 i386
+ RedHat Linux 7.0 alpha
+ RedHat Linux 6.2 sparc
+ RedHat Linux 6.2 i386
+ RedHat Linux 6.2 alpha
+ S.u.S.E. Linux 8.0
+ Trustix Secure Linux 1.5
+ Trustix Secure Linux 1.2
+ Trustix Secure Linux 1.1
LBL tcpdump 3.5.2
LBL tcpdump 3.5
+ FreeBSD FreeBSD 4.1.1
+ FreeBSD FreeBSD 4.1
+ FreeBSD FreeBSD 4.0
+ FreeBSD FreeBSD 3.x
+ S.u.S.E. Linux 8.0
+ S.u.S.E. Linux 7.3
LBL tcpdump 3.4
+ RedHat Linux 7.1 ia64
+ RedHat Linux 7.1 i386
+ RedHat Linux 7.1 alpha
+ RedHat Linux 7.0 i386
+ RedHat Linux 7.0 alpha
+ RedHat Linux 6.2 sparc
+ RedHat Linux 6.2 i386
+ RedHat Linux 6.2 alpha

- Unaffected program versions

OpenBSD OpenBSD 3.5
OpenBSD OpenBSD 3.4
LBL tcpdump 3.7.2
+ MandrakeSoft Corporate Server 2.1 x86_64
+ MandrakeSoft Corporate Server 2.1
+ MandrakeSoft Multi Network Firewall 2.0
+ Mandriva Linux Mandrake 9.2 amd64
+ Mandriva Linux Mandrake 9.2
+ Mandriva Linux Mandrake 9.1 ppc
+ Mandriva Linux Mandrake 9.1
+ Turbolinux Turbolinux Advanced Server 6.0
+ Turbolinux Turbolinux Desktop 10.0
+ Turbolinux Turbolinux Server 8.0
+ Turbolinux Turbolinux Server 7.0
+ Turbolinux Turbolinux Server 6.5
+ Turbolinux Turbolinux Server 6.1
+ Turbolinux Turbolinux Workstation 8.0
+ Turbolinux Turbolinux Workstation 7.0
+ Turbolinux Turbolinux Workstation 6.1
+ Turbolinux Turbolinux Workstation 6.0
LBL tcpdump 3.7.1
+ FreeBSD FreeBSD 4.7 -RELEASE
+ FreeBSD FreeBSD 4.7
+ Gentoo Linux 1.4 _rc2
+ Gentoo Linux 1.4 _rc1
+ S.u.S.E. Linux 8.1

- Vulnerability discussion


- Exploit


- Solution

It has been reported that tcpdump version 3.7.1 is not vulnerable to this issue. Users are advised to update to a non-vulnerable version.

OpenPKG has released an advisory OpenPKG-SA-2004.002 to address this and other issues. Please see the referenced advisory for more information.

Guardian Digital has released advisory ESA-20040119-002 to address this issue. Affected users are recommended to use the Guardian Digital Secure Network to update vulnerable systems.

Mandrake has released advisory MDKSA-2004:008 to address this issue. Please see the referenced advisory for more information.

Conectiva has released an advisory CLSA-2004:832 to address this and other issues in tcpdump. Please see the advisory in web references for more information.



- References

 

 
