Security Vulnerabilities
Multiple Vendor TCP/IP Implementations Fail to Handle Packets with Identical Source and Destination IP Address: Denial of Service Vulnerability

Published: 1997-11-13
Updated: 1997-11-13

Affected systems:
Linux kernel 2.0.31
Linux kernel 2.0.30
Microsoft Windows NT 4.0SP6a
Microsoft Windows NT 4.0SP6
Microsoft Windows NT 4.0SP5
Microsoft Windows NT 4.0SP4
Microsoft Windows NT 4.0SP3
Microsoft Windows NT 4.0SP2
Microsoft Windows NT 4.0SP1
Microsoft Windows NT 4.0
Microsoft Windows 95
Novell Netware 4.1
SCO Open Desktop 3.0
SCO Open Server 5.0
SCO Unixware 2.1
Sun SunOS 4.1.4
Sun SunOS 4.1.3_U1
Cisco IOS
    - Cisco IOS 11.2
    - Cisco IOS 11.1
    - Cisco IOS 11.0
    - Cisco IOS 10.3
FreeBSD FreeBSD
    - FreeBSD 2.2.5
    - FreeBSD 2.2.4
    - FreeBSD 2.2.3
    - FreeBSD 2.2
    - FreeBSD 2.1.6
    - FreeBSD 2.1.5
    - FreeBSD 2.1
HP HP-UX
    - HP HP-UX 9.0
    - HP HP-UX 11.0
    - HP HP-UX 10.30
    - HP HP-UX 10.24
    - HP HP-UX 10.20
    - HP HP-UX 10.16
    - HP HP-UX 10.10
    - HP HP-UX 10.1
    - HP HP-UX 10.01
    - HP HP-UX 10.0
NetBSD NetBSD
    - NetBSD 1.2.1
    - NetBSD 1.2
    - NetBSD 1.1
    - NetBSD 1.0
BSDI BSD/OS kernel
    - BSDI BSD/OS 2.1
    - BSDI BSD/OS 2.0.1
    - BSDI BSD/OS 2.0
    - BSDI BSD/OS 1.1
Description:
BUGTRAQ  ID: 2666
CVE(CAN) ID: CVE-1999-0016

The TCP/IP protocol stack is the most widely used networking protocol suite for Internet connectivity and is implemented by most operating systems.

The TCP/IP stack implementations of early BSD-derived systems (Linux excepted) and of Windows contain a vulnerability that a remote attacker can exploit to mount a denial-of-service attack against a server.

Sending a SYN packet whose source and destination addresses are identical, and whose source and destination ports are also identical, to a vulnerable target system is the well-known Land attack. Because of flaws in the TCP/IP implementation, the target system may mishandle this malformed packet. Different systems react differently to a Land attack: many older UNIX-like operating systems crash, and on NT CPU utilization rises to nearly 100% (for roughly five minutes).
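As an added illustration that is not part of the original advisory, the following Python code applies the same test the vendor fixes use (a TCP SYN whose source and destination address and port are identical) to raw IPv4 packets, so a defender can flag Land segments in captured traffic. The packets, addresses and helper names are constructed for this example.

```python
import struct

TH_SYN = 0x02  # TCP flag bit, as in the BSD tcp.h definitions

def build_ipv4_tcp(src_ip, dst_ip, sport, dport, flags):
    """Assemble a minimal IPv4 + TCP packet (no options, zero checksums).
    Helper used only to construct the sample packets for this example."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | 5, 0, 40, 0, 0, 64, 6, 0,
                         bytes(map(int, src_ip.split("."))),
                         bytes(map(int, dst_ip.split("."))))
    tcp_hdr = struct.pack("!HHIIBBHHH",
                          sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return ip_hdr + tcp_hdr

def is_land_packet(pkt):
    """True if pkt is an IPv4 TCP SYN whose source and destination address
    and port are identical, the condition the FreeBSD patch drops in LISTEN."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return False                     # truncated or not IPv4
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl + 20 or pkt[9] != 6:
        return False                     # bad IHL, short TCP header, not TCP
    src, dst = pkt[12:16], pkt[16:20]
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    flags = pkt[ihl + 13]
    if not flags & TH_SYN:
        return False                     # only SYN segments are relevant
    return src == dst and sport == dport

def find_land_packets(pkts):
    """Indices of Land segments in a sequence of raw packets (a capture)."""
    return [i for i, p in enumerate(pkts) if is_land_packet(p)]

# Constructed samples using the documentation range 192.0.2.0/24.
SAMPLE_LAND = build_ipv4_tcp("192.0.2.10", "192.0.2.10", 80, 80, TH_SYN)
SAMPLE_NORMAL = build_ipv4_tcp("192.0.2.10", "192.0.2.20", 40000, 80, TH_SYN)
# Same address but different ports: a legitimate local connection, not Land.
SAMPLE_LOCAL = build_ipv4_tcp("192.0.2.10", "192.0.2.10", 40000, 80, TH_SYN)

if __name__ == "__main__":
    print(find_land_packets([SAMPLE_NORMAL, SAMPLE_LAND, SAMPLE_LOCAL]))  # [1]
```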

Further information on this vulnerability can be found in newsgroups and on mailing lists by searching for the keywords "Land denial of service" and "Land Attack".

<*Source: m3lt (meltman@lagged.net)
  
  Links:http://www.cert.org/advisories/CA-1997-28.html
        http://pintday.org/advisories/vendor/hp/hpsbux9801-076.html
        ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/SA-98:01.[to be added].asc
        http://www.cisco.com/en/US/tech/tk648/tk364/technologies_security_advisory09186a00800b1693.shtml
        http://www.ciac.org/ciac/bulletins/i-027b.shtml
        http://www.stanford.edu/group/itss-ccs/security/Advisories/98-0763.html
        http://www.ciac.org/ciac/bulletins/i-036.shtml
        http://pintday.org/advisories/vendor/freebsd/sa-98_01.html
*>

Recommendations:
Vendor patches:

FreeBSD
-------
FreeBSD has released a security advisory (SA-98:01) and a corresponding patch for this issue:
SA-98:01:LAND attack can cause harm to running FreeBSD systems
Link: ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/SA-98:01.asc

Patch download:

Apply the enclosed patch.  There are two patches, one for FreeBSD
     -current, and another for FreeBSD 2.2-stable.

    patch for -current prior to Jan 21, 1998.  Found in land-current.

    Index: tcp_input.c
    ===================================================================
    RCS file: /home/imp/FreeBSD/CVS/src/sys/netinet/tcp_input.c,v
    retrieving revision 1.67
    retrieving revision 1.68
    diff -u -r1.67 -r1.68
    --- tcp_input.c     1997/12/19 23:46:15     1.67
    +++ tcp_input.c     1998/01/21 02:05:59     1.68
    @@ -626,6 +613,7 @@
         * If the state is LISTEN then ignore segment if it contains an RST.
         * If the segment contains an ACK then it is bad and send a RST.
         * If it does not contain a SYN then it is not interesting; drop it.
    +    * If it is from this socket, drop it, it must be forged.
         * Don't bother responding if the destination was a broadcast.
         * Otherwise initialize tp->rcv_nxt, and tp->irs, select an initial
         * tp->iss, and send a segment:
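Review bot: the added comment line "If it is from this socket, drop it, it must be forged." overstates what the check it documents actually tests; the code compares the segment's own source and destination address and port with each other, not with the listening socket, so a more precise wording would be "If the source and destination address and port are identical, drop it, it must be forged."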
    @@ -644,6 +632,9 @@
                        goto dropwithreset;
                if ((tiflags & TH_SYN) == 0)
                        goto drop;
    +           if ((ti->ti_dport == ti->ti_sport) &&
    +               (ti->ti_dst.s_addr == ti->ti_src.s_addr))
    +                   goto drop;
                /*
                 * RFC1122 4.2.3.10, p. 104: discard bcast/mcast SYN
                 * in_broadcast() should never return true on a received
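Review bot: the new check "if ((ti->ti_dport == ti->ti_sport) && (ti->ti_dst.s_addr == ti->ti_src.s_addr)) goto drop;" increments no statistic, unlike the tcpstat.tcps_badsyn++ used for the bad SYN/ACK case later in this patch, so a flood of these forged segments leaves no trace in the netstat counters; consider bumping tcps_badsyn or a dedicated counter before the goto. Dropping silently rather than via dropwithreset is the right choice here, since a RST would be addressed to the victim itself.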
    @@ -762,6 +753,23 @@
                }
    
        /*
    +    * If the state is SYN_RECEIVED:
    +    *      if seg contains SYN/ACK, send a RST.
    +    *      if seg contains an ACK, but not for our SYN/ACK, send a RST.
    +    */
    +   case TCPS_SYN_RECEIVED:
    +           if (tiflags & TH_ACK) {
    +                   if (tiflags & TH_SYN) {
    +                           tcpstat.tcps_badsyn++;
    +                           goto dropwithreset;
    +                   }
    +                   if (SEQ_LEQ(ti->ti_ack, tp->snd_una) ||
    +                       SEQ_GT(ti->ti_ack, tp->snd_max))
    +                           goto dropwithreset;
    +           }
    +           break;
    +
    +   /*
         * If the state is SYN_SENT:
         *      if seg contains an ACK, but not for our SYN, drop the input.
         *      if seg contains a RST, then drop the connection.
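Review bot: the new SYN_RECEIVED test SEQ_LEQ(ti->ti_ack, tp->snd_una) is stricter than the SEQ_GT(tp->snd_una, ti->ti_ack) test it replaces further down in this patch: an ACK equal to snd_una now draws a RST instead of being accepted. That is correct for this state, where a valid ACK of our SYN must be snd_una + 1, but the tightening deserves a mention in the comment above the case. Segments without TH_ACK (a retransmitted SYN, or a RST) fall through the break into the existing handling, which is the intended behaviour.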
    @@ -1176,14 +1184,11 @@
        switch (tp->t_state) {
    
        /*
    -    * In SYN_RECEIVED state if the ack ACKs our SYN then enter
    -    * ESTABLISHED state and continue processing, otherwise
    -    * send an RST.
    +    * In SYN_RECEIVED state, the ack ACKs our SYN, so enter
    +    * ESTABLISHED state and continue processing.
    +    * The ACK was checked above.
         */
        case TCPS_SYN_RECEIVED:
    -           if (SEQ_GT(tp->snd_una, ti->ti_ack) ||
    -               SEQ_GT(ti->ti_ack, tp->snd_max))
    -                   goto dropwithreset;
    
                tcpstat.tcps_connects++;
                soisconnected(so);
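Review bot: the replacement comment "The ACK was checked above." depends on every SYN_RECEIVED segment reaching the new TCPS_SYN_RECEIVED case in the earlier state switch; name that case explicitly in the comment so a later reordering of the switch does not silently reopen the unchecked path. The deletion also leaves a stray blank line between "case TCPS_SYN_RECEIVED:" and "tcpstat.tcps_connects++;".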

    patch for 2.2.5 and 2.2.5-stable before Jan 30, 1998 found in land-22

    Index: tcp_input.c
    ===================================================================
    RCS file: /home/imp/FreeBSD/CVS/src/sys/netinet/tcp_input.c,v
    retrieving revision 1.54.2.6
    retrieving revision 1.54.2.7
    diff -u -r1.54.2.6 -r1.54.2.7
    --- tcp_input.c     1997/11/20 21:45:34     1.54.2.6
    +++ tcp_input.c     1998/01/30 19:13:55     1.54.2.7
    @@ -627,6 +614,7 @@
         * If the state is LISTEN then ignore segment if it contains an RST.
         * If the segment contains an ACK then it is bad and send a RST.
         * If it does not contain a SYN then it is not interesting; drop it.
    +    * If it is from this socket, drop it, it must be forged.
         * Don't bother responding if the destination was a broadcast.
         * Otherwise initialize tp->rcv_nxt, and tp->irs, select an initial
         * tp->iss, and send a segment:
    @@ -646,6 +634,9 @@
                        goto dropwithreset;
                if ((tiflags & TH_SYN) == 0)
                        goto drop;
    +           if ((ti->ti_dport == ti->ti_sport) &&
    +               (ti->ti_dst.s_addr == ti->ti_src.s_addr))
    +                   goto drop;
                /*
                 * RFC1122 4.2.3.10, p. 104: discard bcast/mcast SYN
                 * in_broadcast() should never return true on a received
    @@ -765,6 +756,23 @@
                }
    
        /*
    +    * If the state is SYN_RECEIVED:
    +    *      if seg contains SYN/ACK, send a RST.
    +    *      if seg contains an ACK, but not for our SYN/ACK, send a RST.
    +    */
    +   case TCPS_SYN_RECEIVED:
    +           if (tiflags & TH_ACK) {
    +                   if (tiflags & TH_SYN) {
    +                           tcpstat.tcps_badsyn++;
    +                           goto dropwithreset;
    +                   }
    +                   if (SEQ_LEQ(ti->ti_ack, tp->snd_una) ||
    +                       SEQ_GT(ti->ti_ack, tp->snd_max))
    +                           goto dropwithreset;
    +           }
    +           break;
    +
    +   /*
         * If the state is SYN_SENT:
         *      if seg contains an ACK, but not for our SYN, drop the input.
         *      i
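Review bot: this hunk breaks off at the comment line "*      i", so the rest of the SYN_SENT comment and the later hunk that removes the old SYN_RECEIVED ACK check (present in the -current patch above as @@ -1176,14 +1184,11 @@) are missing; as reproduced here the land-22 patch is incomplete and will not apply cleanly. Obtain the complete patch from the SA-98:01 advisory linked above.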

HP
--
HP has released a security advisory (HPSBUX9801-076) and a corresponding patch for this issue:
HPSBUX9801-076:Security Vulnerability with land on HP-UX
Link:

Patch download:

Systems upgraded to the following patch levels are not affected by the land attack.

      HP-UX release 11.00 HP9000 Series 700/800     PHNE_14017
      HP-UX release 10.30 HP9000 Series 700/800     PHNE_13671
      HP-UX release 10.24 HP9000 Series 700         PHNE_13888
      HP-UX release 10.24 HP9000 Series 800         PHNE_13889
      HP-UX release 10.20 HP9000 Series 800         PHNE_13468
      HP-UX release 10.20 HP9000 Series 700         PHNE_13469
      HP-UX release 10.16 HP9000 Series 700         PHKL_14242
      HP-UX release 10.16 HP9000 Series 800         PHKL_14243
      HP-UX release 10.10 HP9000 Series 800         PHNE_13470
      HP-UX release 10.10 HP9000 Series 700         PHNE_13471
      HP-UX release 10.01 HP9000 Series 800         PHNE_13472
      HP-UX release 10.01 HP9000 Series 700         PHNE_13473
      HP-UX release 10.00 HP9000 Series 800         PHNE_13474
      HP-UX release 10.00 HP9000 Series 700         PHNE_13475
      HP-UX release  9.04 HP9000 Series 800         PHNE_13476
      HP-UX release  9.0[3,5,7] HP9000 Series 700   PHNE_13477
      HP-UX release  9.01 HP9000 Series 700         PHNE_13478
      HP-UX release  9.00 HP9000 Series 800         PHNE_13479

Novell
------
The vendor has released an upgrade patch that fixes this security issue; please download it from the vendor's home page:

http://www.novell.com/

This advisory was translated and compiled by NSFOCUS (绿盟科技). All rights reserved; reproduction without permission is prohibited.