CVE-2004-0183
CVSS 5.0
Published: 2004-05-04 00:00:00
Last revised: 2016-10-17 22:41:33

[Original] TCPDUMP 3.8.1 and earlier allows remote attackers to cause a denial of service (crash) via ISAKMP packets containing a Delete payload with a large number of SPI's, which causes an out-of-bounds read, as demonstrated by the Striker ISAKMP Protocol Test Suite.


[CNNVD] TCPDump ISAKMP Delete Payload Remote Buffer Overflow Vulnerability (CNNVD-200405-030)

        
        Tcpdump is a network traffic monitoring and protocol analysis tool.
        There is a flaw in tcpdump's ISAKMP packet display functions that a remote attacker can trigger to cause a denial of service (crash).
        When displaying an ISAKMP Delete payload, tcpdump does not verify that the SPI data (NSPIS * SPISIZE) fits within the snap buffer, so a Delete payload with a large self-reported number of SPIs makes tcpdump read beyond the end of the snap buffer and crash. The defect is an out-of-bounds read; the Rapid7 advisory reports only a crash, and the original CNNVD text's further claim of possible arbitrary code execution with the privileges of the process is not substantiated by anything on this page. The affected code path is only reached when verbose packet display (-v) is enabled.
        

- CVSS (base score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Access complexity: [--]
Access vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

oval:org.mitre.oval:def:9971  TCPDUMP 3.8.1 and earlier allows remote attackers to cause a denial of service (crash) via ISAKMP packets containing a Delete payload with a...
oval:org.mitre.oval:def:972  tcpdump Delete Payload in ISAKMP Packets Vulnerability
*OVAL describes in detail how to detect this vulnerability; see the related OVAL definitions for more technical details on detecting it.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0183
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0183
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200405-030
(official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=108067265931525&w=2
(UNKNOWN)  BUGTRAQ  20040330 R7-0017: TCPDUMP ISAKMP payload handling denial-of-service vulnerabilities
http://securitytracker.com/id?1009593
(UNKNOWN)  SECTRACK  1009593
http://www.debian.org/security/2004/dsa-478
(VENDOR_ADVISORY)  DEBIAN  DSA-478
http://www.kb.cert.org/vuls/id/240790
(UNKNOWN)  CERT-VN  VU#240790
http://www.rapid7.com/advisories/R7-0017.html
(UNKNOWN)  MISC  http://www.rapid7.com/advisories/R7-0017.html
http://www.redhat.com/support/errata/RHSA-2004-219.html
(UNKNOWN)  REDHAT  RHSA-2004:219
http://www.securityfocus.com/bid/10003
(UNKNOWN)  BID  10003
http://www.tcpdump.org/tcpdump-changes.txt
(UNKNOWN)  CONFIRM  http://www.tcpdump.org/tcpdump-changes.txt
http://www.trustix.org/errata/2004/0015
(UNKNOWN)  TRUSTIX  2004-0015
http://xforce.iss.net/xforce/xfdb/15680
(UNKNOWN)  XF  tcpdump-isakmp-delete-bo(15680)
https://bugzilla.fedora.us/show_bug.cgi?id=1468
(UNKNOWN)  FEDORA  FEDORA-2004-1468

- Vulnerability information

TCPDump ISAKMP Delete Payload Remote Buffer Overflow Vulnerability
Severity: Medium  Type: Unknown
Published: 2004-05-04 00:00:00  Updated: 2005-10-20 00:00:00
Remote
        

- Advisories and patches

        Vendor patches:
        LBL
        ---
        The vendor has released an upgrade that fixes this security issue; download it from the vendor's home page:
        LBL Upgrade tcpdump-3.8.3.tar.gz
        
        http://www.tcpdump.org/release/tcpdump-3.8.3.tar.gz

        Trustix
        -------
        The vendor has released an upgrade that fixes this security issue; download it from the vendor's home page:
        Trustix Upgrade libpcap-0.8.2-1tr.i586.rpm
        ftp://ftp.trustix.org/pub/trustix/updates/1.5/rpms/libpcap-0.8.2-1tr.i586.rpm
        Trustix Upgrade tcpdump-3.8.2-1tr.i586.rpm
        ftp://ftp.trustix.org/pub/trustix/updates/1.5/rpms/tcpdump-3.8.2-1tr.i586.rpm

- Vulnerability information (F32981)

Rapid7 Security Advisory 17 (PacketStormID:F32981)
2004-03-30 00:00:00
Rapid7  rapid7.com
advisory,protocol
CVE-2004-0183,CVE-2004-0184

Rapid7 Security Advisory - tcpdump versions 3.8.1 and below contain multiple flaws in the packet display functions for the ISAKMP protocol. Upon receiving specially crafted ISAKMP packets, tcpdump will try to read beyond the end of the packet capture buffer and crash.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________
                     Rapid7, Inc. Security Advisory
       Visit http://www.rapid7.com/ to download NeXpose,
        the world's most advanced vulnerability scanner.
      Linux and Windows 2000/XP versions are available now!
_______________________________________________________________________

Rapid7 Advisory R7-0017
TCPDUMP ISAKMP payload handling denial-of-service vulnerabilities

   Published:  March 30, 2004
   Revision:   1.0
   http://www.rapid7.com/advisories/R7-0017.html

   CVE:    CAN-2004-0183, CAN-2004-0184

1. Affected system(s):

   KNOWN VULNERABLE:
    o TCPDUMP v3.8.1 and earlier versions

2. Summary

   TCPDUMP v3.8.1 and earlier versions contain multiple flaws in the
   packet display functions for the ISAKMP protocol.  Upon receiving
   specially crafted ISAKMP packets, TCPDUMP will try to read beyond
   the end of the packet capture buffer and crash.

3. Vendor status and information

   TCPDUMP
   http://www.tcpdump.org

   The vendor was notified and they have released an updated version
   of TCPDUMP, version 3.8.2, which fixes these defects.  Subsequently,
   the version number was bumped to 3.8.3 to match libpcap.

4. Solution

   Upgrade to version 3.8.3 of TCPDUMP.  You should also consider
   upgrading to version 0.8.3 of libpcap.  Note that many vendors
   package their own customized version of TCPDUMP and libpcap with
   their operating system distribution.  You may want to consider
   contacting your operating system vendor for an upgrade.

5. Detailed analysis

   To test the security and robustness of IPSEC implementations
   from multiple vendors, the security research team at Rapid7
   has designed the Striker ISAKMP Protocol Test Suite.  Striker
   is an ISAKMP packet generation tool that automatically produces
   and sends invalid and/or atypical ISAKMP packets.

   This advisory is the second in a series of vulnerability
   disclosures discovered with the Striker test suite.  Striker
   will be made available to qualified IPSEC vendors.  Please
   email advisory@rapid7.com for more information on obtaining
   Striker.

   There are two defects in the ISAKMP packet display functions in
   TCPDUMP.  Both of them require that verbose packet display be
   enabled with the -v option.  These defects result in out-of-bounds
   reads.

   Overflow in ISAKMP Delete payload with large number of SPI's
   CVE ID: CAN-2004-0183

      When displaying Delete payloads, TCPDUMP does not verify
      that (NSPIS * SPISIZE) fits within the snap buffer.

      An ISAKMP packet with a malformed Delete payload having
      a large self-reported number of SPI's will cause TCPDUMP
      to crash as it tries to read from beyond the end of the
      snap buffer.

      See section 3.15 of RFC 2408 for information on the
      Delete payload format.

   Integer underflow in ISAKMP Identification payload 
   CVE ID: CAN-2004-0184

      An ISAKMP packet with a malformed Identification payload
      with a self-reported payload length that becomes less than
      8 when its byte order is reversed will cause TCPDUMP to
      crash as it tries to read from beyond the end of the
      snap buffer.  TCPDUMP must be using a snaplen of 325 or
      greater for this underflow to be triggered.

      This is due to an inconsistency in the byte order conversion
      in the isakmp_id_print() function:

         if (sizeof(*p) < id.h.len)
            data = (u_char *)(p + 1);
         else 
            data = NULL;
         len = ntohs(id.h.len) - sizeof(*p);

      If id.h.len is equal to, say, 256 (and this fits within the snap
      buffer), then len will be equal to:

         ntohs(256) - sizeof(*p)

      which becomes a negative value on i386.

6. Contact Information

   Rapid7 Security Advisories
   Email:  advisory@rapid7.com
   Web:    http://www.rapid7.com/
   Phone:  +1 (617) 603-0700

7. Disclaimer and Copyright

   Rapid7, LLC is not responsible for the misuse of the information
   provided in our security advisories.  These advisories are a service
   to the professional security community.  There are NO WARRANTIES
   with regard to this information.  Any application or distribution of
   this information constitutes acceptance AS IS, at the user's own
   risk.  This information is subject to change without notice.

   This advisory Copyright (C) 2004 Rapid7, LLC.  Permission is
   hereby granted to redistribute this advisory, providing that no
   changes are made and that the copyright notices and disclaimers
   remain intact.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (OpenBSD)

iD8DBQFAaa48MiAxz4wsmx8RAr4lAJ0Y69TpTaDZkRxARdTdq1iwgRv+RQCeMEw9
Oh6mpCe95vffPgf+7Ku2o+c=
=YXNu
-----END PGP SIGNATURE-----
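The two defects the advisory describes, modelled side by side as an added example. This is illustrative code written for this page, not tcpdump's print-isakmp.c; the function names, the constants and the four sample payloads are constructed, and the field offsets follow RFC 2408 (generic payload header in section 3.2, Identification payload in 3.8, Delete payload in 3.15). For CAN-2004-0183 it shows a Delete-payload printer that trusts the self-reported SPI count next to one that checks (NSPIS * SPISIZE) against the bytes actually captured; for CAN-2004-0184 it shows the length computation that mixes a converted and an unconverted read of the same 16-bit field next to one that converts once and validates. get_raw16_i386() simulates the unconverted i386 in-memory read from the advisory's example so the result is the same on any host.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ISAKMP_DELETE_HDR 12  /* generic hdr(4) + DOI(4) + Protocol-Id(1) + SPI Size(1) + # of SPIs(2) */
#define ISAKMP_ID_HDR      8  /* generic hdr(4) + ID Type(1) + DOI Specific ID Data(3) */

/* Network-order (big-endian) read, independent of host endianness. */
static uint16_t get_be16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Simulates reading the field straight out of memory on i386 without ntohs(),
 * i.e. the unconverted value the advisory's "sizeof(*p) < id.h.len" compared. */
static uint16_t get_raw16_i386(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* CAN-2004-0183, unchecked: 'pl' points at the Delete payload, 'remaining' is
 * the number of captured bytes from 'pl' to the end of the snap buffer.
 * Returns how many SPI bytes the printer will try to dereference. */
long delete_spi_bytes_unchecked(const uint8_t *pl, size_t remaining)
{
    if (remaining < ISAKMP_DELETE_HDR)
        return -1;                          /* only the fixed header is checked */
    uint8_t  spi_size = pl[9];
    uint16_t num_spis = get_be16(pl + 10);
    /* No check that num_spis * spi_size lies inside 'remaining': the loop that
     * prints each SPI walks straight past the end of the capture buffer. */
    return (long)num_spis * spi_size;
}

/* Hardened variant: refuses to print SPIs that are not inside the capture. */
long delete_spi_bytes_checked(const uint8_t *pl, size_t remaining)
{
    if (remaining < ISAKMP_DELETE_HDR)
        return -1;
    uint8_t  spi_size  = pl[9];
    uint16_t num_spis  = get_be16(pl + 10);
    size_t   spi_total = (size_t)num_spis * spi_size;   /* at most 65535*255, no overflow */
    if (spi_total > remaining - ISAKMP_DELETE_HDR)
        return -1;
    return (long)spi_total;
}

/* CAN-2004-0184, buggy: the pointer check uses the raw field, the length uses
 * the converted one.  Returns the data length; negative means it underflowed
 * (in the real code this became a huge unsigned read length). */
long id_data_len_buggy(const uint8_t *pl)
{
    uint16_t raw  = get_raw16_i386(pl + 2);  /* compared without ntohs() */
    uint16_t wire = get_be16(pl + 2);        /* converted with ntohs()   */
    const uint8_t *data = (ISAKMP_ID_HDR < raw) ? pl + ISAKMP_ID_HDR : NULL;
    (void)data;                              /* check passed, but on the wrong value */
    return (long)wire - ISAKMP_ID_HDR;
}

/* Fixed: convert exactly once and validate the converted value. */
long id_data_len_fixed(const uint8_t *pl)
{
    uint16_t wire = get_be16(pl + 2);
    if (wire < ISAKMP_ID_HDR)
        return -1;
    return (long)wire - ISAKMP_ID_HDR;
}

/* Constructed sample payloads (not real captures). */
const uint8_t evil_delete[ISAKMP_DELETE_HDR] = {
    0x00, 0x00, 0x00, 0x0c,   /* next payload, reserved, payload length = 12 */
    0x00, 0x00, 0x00, 0x01,   /* DOI = IPsec */
    0x03,                     /* Protocol-Id = ESP (RFC 2407) */
    0x10,                     /* SPI Size = 16 */
    0xff, 0xff                /* # of SPIs = 65535: claims 1048560 SPI bytes, none captured */
};
const uint8_t good_delete[ISAKMP_DELETE_HDR + 8] = {
    0x00, 0x00, 0x00, 0x14, 0x00, 0x00, 0x00, 0x01, 0x03, 0x04, 0x00, 0x02,
    0xde, 0xad, 0xbe, 0xef, 0xca, 0xfe, 0xf0, 0x0d  /* two 4-byte ESP SPIs */
};
const uint8_t evil_id[ISAKMP_ID_HDR] = {
    0x00, 0x00, 0x00, 0x01,   /* length on the wire = 1; raw i386 read = 256 */
    0x01, 0x00, 0x00, 0x00
};
const uint8_t good_id[ISAKMP_ID_HDR + 4] = {
    0x00, 0x00, 0x00, 0x0c, 0x01, 0x00, 0x00, 0x00,
    0x0a, 0x00, 0x00, 0x01    /* length 12, four bytes of ID data */
};

int main(void)
{
    printf("evil Delete: unchecked reads %ld SPI bytes, checked returns %ld\n",
           delete_spi_bytes_unchecked(evil_delete, sizeof evil_delete),
           delete_spi_bytes_checked(evil_delete, sizeof evil_delete));
    printf("evil ID: buggy length %ld, fixed length %ld\n",
           id_data_len_buggy(evil_id), id_data_len_fixed(evil_id));
    return 0;
}
```

The unchecked Delete printer asks for 65535 * 16 bytes from a 12-byte capture, which is the out-of-bounds read the advisory describes; the checked one rejects the payload. For the Identification payload the unconverted compare sees 256 and lets the pointer through, while the converted length is 1 and the subtraction goes negative; converting once closes the gap.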
    

- Vulnerability information

4751
tcpdump ISAKMP Delete Payload DoS
Denial of Service
Loss of Availability

- Vulnerability description

Unknown or Incomplete

- Timeline

2004-03-31 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- References

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

TCPDump ISAKMP Delete Payload Buffer Overrun Vulnerability
Class: Unknown  Bugtraq ID: 10003
Remote: Yes  Local: No
Published: 2004-03-30 12:00:00  Updated: 2009-07-12 04:06:00
Discovery is credited to Rapid7.

- Affected program versions

SGI ProPack 3.0
SGI ProPack 2.4
RedHat Linux 9.0 i386
RedHat Linux 7.3
LBL tcpdump 3.8.1
+ Mandriva Linux Mandrake 10.0
LBL tcpdump 3.7.2
+ MandrakeSoft Corporate Server 2.1 x86_64
+ MandrakeSoft Corporate Server 2.1
+ MandrakeSoft Multi Network Firewall 2.0
+ Mandriva Linux Mandrake 9.2 amd64
+ Mandriva Linux Mandrake 9.2
+ Mandriva Linux Mandrake 9.1 ppc
+ Mandriva Linux Mandrake 9.1
+ Turbolinux Turbolinux Advanced Server 6.0
+ Turbolinux Turbolinux Desktop 10.0
+ Turbolinux Turbolinux Server 8.0
+ Turbolinux Turbolinux Server 7.0
+ Turbolinux Turbolinux Server 6.5
+ Turbolinux Turbolinux Server 6.1
+ Turbolinux Turbolinux Workstation 8.0
+ Turbolinux Turbolinux Workstation 7.0
+ Turbolinux Turbolinux Workstation 6.1
+ Turbolinux Turbolinux Workstation 6.0
LBL tcpdump 3.7.1
+ FreeBSD FreeBSD 4.7 -RELEASE
+ FreeBSD FreeBSD 4.7
+ Gentoo Linux 1.4 _rc2
+ Gentoo Linux 1.4 _rc1
+ S.u.S.E. Linux 8.1
LBL tcpdump 3.7
+ FreeBSD FreeBSD 4.6 -RELEASE
+ FreeBSD FreeBSD 4.6
+ FreeBSD FreeBSD 4.5 -STABLE
+ FreeBSD FreeBSD 4.5 -RELEASE
+ FreeBSD FreeBSD 4.5
+ FreeBSD FreeBSD 4.4 -STABLE
+ FreeBSD FreeBSD 4.4 -RELENG
+ FreeBSD FreeBSD 4.4
+ FreeBSD FreeBSD 4.3 -STABLE
+ FreeBSD FreeBSD 4.3 -RELENG
+ FreeBSD FreeBSD 4.3 -RELEASE
+ FreeBSD FreeBSD 4.3
+ FreeBSD FreeBSD 4.2 -STABLE
+ FreeBSD FreeBSD 4.2 -RELEASE
+ FreeBSD FreeBSD 4.2
LBL tcpdump 3.6.3
+ EnGarde Secure Community 2.0
+ EnGarde Secure Community 1.0.1
+ EnGarde Secure Professional 1.5
+ EnGarde Secure Professional 1.2
+ EnGarde Secure Professional 1.1
LBL tcpdump 3.6.2
+ Caldera OpenLinux Server 3.1.1
+ Caldera OpenLinux Server 3.1
+ Caldera OpenLinux Workstation 3.1.1
+ Caldera OpenLinux Workstation 3.1
+ Conectiva Linux 8.0
+ Conectiva Linux 7.0
+ Conectiva Linux 6.0
+ Conectiva Linux 5.1
+ Conectiva Linux 5.0
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ Debian Linux 3.0
+ FreeBSD FreeBSD 4.3
+ FreeBSD FreeBSD 4.2
+ FreeBSD FreeBSD 4.1.1
+ FreeBSD FreeBSD 4.1
+ FreeBSD FreeBSD 4.0
+ HP Secure OS software for Linux 1.0
+ MandrakeSoft Corporate Server 1.0.1
+ MandrakeSoft Single Network Firewall 7.2
+ Mandriva Linux Mandrake 8.2
+ Mandriva Linux Mandrake 8.1
+ Mandriva Linux Mandrake 8.0
+ Mandriva Linux Mandrake 7.2
+ Mandriva Linux Mandrake 7.1
+ RedHat Linux 7.2 ia64
+ RedHat Linux 7.2 i386
+ RedHat Linux 7.1 ia64
+ RedHat Linux 7.1 i386
+ RedHat Linux 7.1 alpha
+ RedHat Linux 7.0 i386
+ RedHat Linux 7.0 alpha
+ RedHat Linux 6.2 sparc
+ RedHat Linux 6.2 i386
+ RedHat Linux 6.2 alpha
+ S.u.S.E. Linux 8.0
+ Trustix Secure Linux 1.5
+ Trustix Secure Linux 1.2
+ Trustix Secure Linux 1.1
LBL tcpdump 3.5.2
LBL tcpdump 3.5 alpha
LBL tcpdump 3.5
+ FreeBSD FreeBSD 4.1.1
+ FreeBSD FreeBSD 4.1
+ FreeBSD FreeBSD 4.0
+ FreeBSD FreeBSD 3.x
+ S.u.S.E. Linux 8.0
+ S.u.S.E. Linux 7.3
LBL tcpdump 3.4 a6
+ Debian Linux 2.2 sparc
+ Debian Linux 2.2 powerpc
+ Debian Linux 2.2 IA-32
+ Debian Linux 2.2 arm
+ Debian Linux 2.2 alpha
+ Debian Linux 2.2 68k
+ Debian Linux 2.2
+ S.u.S.E. Firewall Adminhost VPN
+ S.u.S.E. Linux 7.2
+ S.u.S.E. Linux 7.1
+ S.u.S.E. Linux 7.0
+ S.u.S.E. Linux 6.4
+ S.u.S.E. Linux Admin-CD for Firewall
+ S.u.S.E. Linux Connectivity Server
+ S.u.S.E. Linux Database Server 0
+ S.u.S.E. Linux Enterprise Server for S/390
+ S.u.S.E. Linux Live-CD for Firewall
+ S.u.S.E. SuSE eMail Server III
+ SuSE SUSE Linux Enterprise Server 7
LBL tcpdump 3.4
+ RedHat Linux 7.1 ia64
+ RedHat Linux 7.1 i386
+ RedHat Linux 7.1 alpha
+ RedHat Linux 7.0 i386
+ RedHat Linux 7.0 alpha
+ RedHat Linux 6.2 sparc
+ RedHat Linux 6.2 i386
+ RedHat Linux 6.2 alpha

- Unaffected program versions

LBL tcpdump 3.8.3
+ Debian Linux 3.1 sparc
+ Debian Linux 3.1 s/390
+ Debian Linux 3.1 ppc
+ Debian Linux 3.1 mipsel
+ Debian Linux 3.1 mips
+ Debian Linux 3.1 m68k
+ Debian Linux 3.1 ia-64
+ Debian Linux 3.1 ia-32
+ Debian Linux 3.1 hppa
+ Debian Linux 3.1 arm
+ Debian Linux 3.1 amd64
+ Debian Linux 3.1 alpha
+ Debian Linux 3.1
+ Turbolinux Appliance Server 1.0 Workgroup Edition
+ Turbolinux Appliance Server 1.0 Hosting Edition
+ Turbolinux Appliance Server Hosting Edition 1.0
+ Turbolinux Appliance Server Workgroup Edition 1.0
+ Turbolinux Home
+ Turbolinux Turbolinux 10 F...
+ Turbolinux Turbolinux Desktop 10.0
+ Turbolinux Turbolinux Server 8.0
+ Turbolinux Turbolinux Server 7.0
+ Turbolinux Turbolinux Workstation 8.0
+ Turbolinux Turbolinux Workstation 7.0
+ Ubuntu Ubuntu Linux 5.0 4 powerpc
+ Ubuntu Ubuntu Linux 5.0 4 i386
+ Ubuntu Ubuntu Linux 5.0 4 amd64
+ Ubuntu Ubuntu Linux 4.1 ppc
+ Ubuntu Ubuntu Linux 4.1 ia64
+ Ubuntu Ubuntu Linux 4.1 ia32
LBL tcpdump 3.8.2

- Vulnerability discussion

tcpdump is prone to a remotely triggerable out-of-bounds read, recorded by SecurityFocus as a buffer overrun.

The issue exists in tcpdump's ISAKMP packet display functions and affects how ISAKMP Delete payloads are handled. It causes a denial of service (crash). SecurityFocus also noted that it might potentially be leveraged to execute arbitrary code, but the Rapid7 advisory describes only out-of-bounds reads that crash the process.

- Exploit

Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- Solution

Mandrake has released an advisory (MDKSA-2004:030) and fixes to address this issue. Mandrake users are advised to apply these fixes as soon as possible. Further information regarding obtaining and applying fixes can be found in the referenced advisory.

Trustix has released an advisory that includes updates for this issue.

Debian has released advisory DSA 478-1 and fixes dealing with this issue.

OpenPKG has provided advisory SA-2004.010 and an update dealing with this issue.

Slackware has released advisory SSA:2004-108-01 to provide fixes for this issue. Please see the attached advisory for details on obtaining and applying fixes.

RedHat has released advisory FEDORA-2004-120 to provide fixes for Fedora. Please see the attached advisory for details on obtaining and applying fixes.

Red Hat has released advisory RHSA-2004:219-07 and fixes to address this and other issues on Red Hat Linux Enterprise platforms. Customers who are affected by this issue are advised to apply the appropriate updates. Customers subscribed to the Red Hat Network may apply the appropriate fixes using the Red Hat Update Agent (up2date). Please see referenced advisory for additional information.

This issue is addressed in tcpdump 3.8.3.

Turbolinux has released advisory TLSA-2004-16 to provide fixes for this issue. Please see the attached advisory for details on obtaining and applying fixes.

SGI has released an advisory (20040603-01-U) to address this and other issues in SGI ProPack 3. Please see the referenced advisory for more information.

SGI has released an advisory (20040602-01-U) to address this and other issues in SGI ProPack 2.4. Please see the referenced advisory for more information.

The Fedora Legacy project has released advisory FLSA:1468 along with fixes to address this, and other issues. Please see the referenced advisory for further information.



- References
