Netfilter跟踪连接远程拒绝服务攻击漏洞

漏洞信息详情

Netfilter跟踪连接远程拒绝服务攻击漏洞

漏洞简介

Netfilter 是 Linux 内核中的防火墙框架(framework)实现,连接跟踪(conntrack)是其中的一个组成模块。
Netfilter 的连接跟踪(conntrack)机制存在缺陷,远程攻击者可利用该漏洞对加载了连接跟踪模块的系统发起拒绝服务攻击。
Linux 2.4.20 内核对通用链表(list)支持做了一处改动。连接跟踪核心此前依赖链表 API 的旧行为来识别 'UNCONFIRMED'(未确认)连接——即只观察到单向流量的连接(补丁前的 is_confirmed() 正是通过 list.next != NULL 来判断)。链表行为改变后,连接跟踪无法再正确区分这类连接,而它们又被赋予了很高的超时值,由此形成拒绝服务条件。
Netfilter 已发布补丁,改为在 status 字段中用 IPS_CONFIRMED 标志位记录连接是否已确认,使连接跟踪不再依赖 Linux 链表 API 的任何特定行为。

漏洞公告

厂商补丁:
Linux
-----
采用如下补丁:

diff -urN –exclude-from=diff.exclude linux-2.4.20-base/include/linux/netfilter_ipv4/ip_conntrack.h linux-2.4.20-del/include/linux/netfilter_ipv4/ip_conntrack.h

— linux-2.4.20-base/include/linux/netfilter_ipv4/ip_conntrack.h Fri Nov 29 00:53:15 2002

+++ linux-2.4.20-del/include/linux/netfilter_ipv4/ip_conntrack.h Fri Feb 21 17:01:38 2003

-6,6 +6,7

#include

#include

+#include

#include

enum ip_conntrack_info

-41,6 +42,10

/* Conntrack should never be early-expired. */

IPS_ASSURED_BIT = 2,

IPS_ASSURED = (1 << IPS_ASSURED_BIT),

+

+ /* Connection is confirmed: originating packet has left box */

+ IPS_CONFIRMED_BIT = 3,

+ IPS_CONFIRMED = (1 << IPS_CONFIRMED_BIT),

};

#include

-159,7 +164,7

struct ip_conntrack_tuple_hash tuplehash[IP_CT_DIR_MAX];

/* Have we seen traffic both ways yet? (bitset) */

– volatile unsigned long status;

+ unsigned long status;

/* Timer function; drops refcnt when it goes off. */

struct timer_list timeout;
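Review bot: Dropping `volatile` from `status` on the `+` line is only sound if every reader and writer of the field now goes through the bitops (`test_bit`/`set_bit`/`__set_bit`); this diff converts the call sites it shows, but cannot show the rest of the tree, so any remaining plain `ct->status & IPS_...` read elsewhere silently loses the qualifier and should be checked. The field comment above it is also stale now: with IPS_CONFIRMED added it holds more than the seen-reply flag. I would replace it with `/* Bitset of IPS_* flags (seen reply, assured, expected, confirmed); read and write only via test_bit()/set_bit(). */`. The enclosing struct ip_conntrack starts and ends outside the hunk.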

-254,7 +259,7

/* It’s confirmed if it is, or has been in the hash table. */

static inline int is_confirmed(struct ip_conntrack *ct)

{

– return ct->tuplehash[IP_CT_DIR_ORIGINAL].list.next != NULL;

+ return test_bit(IPS_CONFIRMED_BIT, &ct->status);

}

extern unsigned int ip_conntrack_htable_size;
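Review bot: The header comment on `is_confirmed` still only says "in the hash table" and no longer explains how that is determined; now that the `+` line reads `IPS_CONFIRMED_BIT`, it should record where the bit comes from so nobody reintroduces the list-pointer probe the `-` line used. I would extend it to `/* It's confirmed if it is, or has been in the hash table: IPS_CONFIRMED is set under ip_conntrack_lock when the entry is hashed and, as far as this patch shows, never cleared, so the answer no longer depends on list_del() leaving next intact. */`. That `list.next != NULL` test on the removed line is exactly the dependency on list behaviour the advisory describes.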

diff -urN –exclude-from=diff.exclude linux-2.4.20-base/net/ipv4/netfilter/ip_conntrack_core.c linux-2.4.20-del/net/ipv4/netfilter/ip_conntrack_core.c

— linux-2.4.20-base/net/ipv4/netfilter/ip_conntrack_core.c Tue Feb 18 17:08:21 2003

+++ linux-2.4.20-del/net/ipv4/netfilter/ip_conntrack_core.c Fri Feb 21 17:01:39 2003

-292,9 +292,6

{

DEBUGP(“clean_from_lists(%p)\n”, ct);

MUST_BE_WRITE_LOCKED(&ip_conntrack_lock);

– /* Remove from both hash lists: must not NULL out next ptrs,

– otherwise we’ll look unconfirmed. Fortunately, LIST_DELETE

– doesn’t do this. –RR */

LIST_DELETE(&ip_conntrack_hash

[hash_conntrack(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple)],

&ct->tuplehash[IP_CT_DIR_ORIGINAL]);

-467,6 +464,7

ct->timeout.expires += jiffies;

add_timer(&ct->timeout);

atomic_inc(&ct->ct_general.use);

+ set_bit(IPS_CONFIRMED_BIT, &ct->status);

WRITE_UNLOCK(&ip_conntrack_lock);

return NF_ACCEPT;

}
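Review bot: The added `set_bit(IPS_CONFIRMED_BIT, &ct->status)` sits after the timer is armed and the refcount taken but still before `WRITE_UNLOCK`, and nothing says that placement is deliberate; `is_confirmed()` is now the only way a caller can distinguish a hashed entry, so the bit must become visible together with the hash insertion rather than after the lock is dropped. I would add directly above it `/* Must be set while ip_conntrack_lock is write-held: is_confirmed() reads this bit without it. */`. The function's opening, including the hash insertion this bit records, lies above the hunk, so I cannot confirm the insertion precedes the set.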

-585,7 +583,7

connection. Too bad: we’re in trouble anyway. */

static inline int unreplied(const struct ip_conntrack_tuple_hash *i)

{

– return !(i->ctrack->status & IPS_ASSURED);

+ return !(test_bit(IPS_ASSURED_BIT, &i->ctrack->status));

}

static int early_drop(struct list_head *chain)
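Review bot: The new `unreplied` body wraps the call in a redundant pair of parentheses, `!(test_bit(IPS_ASSURED_BIT, ...))`, while the same patch writes the tcp-side check as `!test_bit(IPS_SEEN_REPLY_BIT, &conntrack->status)`; keeping one form makes the bitop conversion uniform and easier to grep. Suggested line: `return !test_bit(IPS_ASSURED_BIT, &i->ctrack->status);`.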

-720,7 +718,7

conntrack, expected);

/* Welcome, Mr. Bond. We’ve been expecting you… */

IP_NF_ASSERT(master_ct(conntrack));

– conntrack->status = IPS_EXPECTED;

+ __set_bit(IPS_EXPECTED_BIT, &conntrack->status);

conntrack->master = expected;

expected->sibling = conntrack;

LIST_DELETE(&ip_conntrack_expect_list, expected);
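Review bot: The `+` line turns a whole-field assignment `conntrack->status = IPS_EXPECTED` into the non-atomic `__set_bit(IPS_EXPECTED_BIT, ...)`, which both preserves any bits already in `status` and assumes no other CPU can reach the entry yet; neither assumption is recorded, and the allocation of `conntrack` that would justify them is above the hunk. If the entry is freshly zeroed and not yet hashed, as the "expecting you" comment suggests, say so with `/* Not yet hashed: status holds no other bits and the non-atomic __set_bit is safe here. */`; otherwise the atomic `set_bit` used in the confirm path is the safer choice. The enclosing function starts outside the hunk.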

-768,11 +766,11

*set_reply = 1;

} else {

/* Once we’ve had two way comms, always ESTABLISHED. */

– if (h->ctrack->status & IPS_SEEN_REPLY) {

+ if (test_bit(IPS_SEEN_REPLY_BIT, &h->ctrack->status)) {

DEBUGP(“ip_conntrack_in: normal packet for %p\n”,

h->ctrack);

*ctinfo = IP_CT_ESTABLISHED;

– } else if (h->ctrack->status & IPS_EXPECTED) {

+ } else if (test_bit(IPS_EXPECTED_BIT, &h->ctrack->status)) {

DEBUGP(“ip_conntrack_in: related packet for %p\n”,

h->ctrack);

*ctinfo = IP_CT_RELATED;

diff -urN –exclude-from=diff.exclude linux-2.4.20-base/net/ipv4/netfilter/ip_conntrack_proto_tcp.c linux-2.4.20-del/net/ipv4/netfilter/ip_conntrack_proto_tcp.c

— linux-2.4.20-base/net/ipv4/netfilter/ip_conntrack_proto_tcp.c Tue Feb 18 17:07:26 2003

+++ linux-2.4.20-del/net/ipv4/netfilter/ip_conntrack_proto_tcp.c Fri Feb 21 17:03:35 2003

-192,7 +192,7

have an established connection: this is a fairly common

problem case, so we can delete the conntrack

immediately. –RR */

– if (!(conntrack->status & IPS_SEEN_REPLY) && tcph->rst) {

+ if (!test_bit(IPS_SEEN_REPLY_BIT, &conntrack->status) && tcph->rst) {

WRITE_UNLOCK(&tcp_lock);

&

参考网址

来源: BUGTRAQ
名称: 20030802 [SECURITY] Netfilter Security Advisory: Conntrack list_del() DoS
链接:http://marc.theaimsgroup.com/?l=bugtraq&m=105986028426824&w=2

来源: US Government Resource: oval:org.mitre.oval:def:260
名称: oval:org.mitre.oval:def:260
链接:http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:260

受影响实体
