Linux Kernel Route Cache条目远程拒绝服务攻击漏洞[转]

KornLee

发布时间：2003-05-18
更新时间：2003-05-25
严重程度：中
威胁程度：远程拒绝服务
错误类型：设计错误
利用方式：服务器模式

BUGTRAQ ID：7601
CVE(CAN) ID：CAN-2003-0244

受影响系统
Linux kernel 2.4
Linux kernel 2.4.1
Linux kernel 2.4.2
    + Caldera OpenLinux Server 3.1
    + Caldera OpenLinux Workstation 3.1
    + RedHat Linux 7.1 alpha
    + RedHat Linux 7.1 i386
Linux kernel 2.4.3
    + MandrakeSoft Linux Mandrake 8.0
    + MandrakeSoft Linux Mandrake 8.0 ppc
Linux kernel 2.4.4
    + S.u.S.E. Linux 7.2
Linux kernel 2.4.5
    + Slackware Linux 8.0
Linux kernel 2.4.6
Linux kernel 2.4.7
    + RedHat Linux 7.2
    + S.u.S.E. Linux 7.1
    + S.u.S.E. Linux 7.2
Linux kernel 2.4.8
    + MandrakeSoft Linux Mandrake 8.0
    + MandrakeSoft Linux Mandrake 8.1
    + MandrakeSoft Linux Mandrake 8.2
Linux kernel 2.4.9
    + RedHat Enterprise Linux AS 2.1
    + RedHat Enterprise Linux ES 2.1
    + RedHat Enterprise Linux WS 2.1
    + RedHat Linux 7.1 alpha
    + RedHat Linux 7.1 i386
    + RedHat Linux 7.1 ia64
    + RedHat Linux 7.2 alpha
    + RedHat Linux 7.2 i386
    + RedHat Linux 7.2 ia64
    + Sun Linux 5.0
    + Sun Linux 5.0.3
Linux kernel 2.4.10
    + S.u.S.E. Linux 7.3
Linux kernel 2.4.11
Linux kernel 2.4.12
    + Conectiva Linux 7.0
Linux kernel 2.4.13
    + Caldera OpenLinux Server 3.1.1
    + Caldera OpenLinux Workstation 3.1.1
Linux kernel 2.4.14
Linux kernel 2.4.15
Linux kernel 2.4.16
    + Sun Cobalt RaQ 550
Linux kernel 2.4.17
Linux kernel 2.4.18
    + Astaro Security Linux 2.0 16
    + Astaro Security Linux 2.0 23
    + MandrakeSoft Linux Mandrake 8.0
    + MandrakeSoft Linux Mandrake 8.1
    + MandrakeSoft Linux Mandrake 8.2
    + RedHat Linux 7.3
    + RedHat Linux 8.0
    + S.u.S.E. Linux 7.1
    + S.u.S.E. Linux 7.2
    + S.u.S.E. Linux 7.3
    + S.u.S.E. Linux 8.0
Linux kernel 2.4.19
    + Conectiva Linux 8.0
    + MandrakeSoft Linux Mandrake 9.0
    + S.u.S.E. Linux 8.1
Linux kernel 2.4.20
    + CRUX CRUX Linux 1.0
    + RedHat Linux 9.0 i386
RedHat Enterprise Linux AS 2.1 IA64
RedHat Linux Advanced Work Station 2.1
详细描述
Linux kernel不正确处理部分通信，攻击者可以利用小的资源使Linux停止对正常请求的响应。

问题存在于路由通信中，Linux内核的网络代码在处理具有相同IPv4源和目的地址，及相同TOS值的包时存在问题，攻击者发送此类包给Linux，可导致每个包的路由条目连接到相同的HASH链中，当系统查询路由列表时消耗资源非常大，连续发送此包可导致系统崩溃。

测试代码
尚无

解决方案
降低路由缓冲大小：

# echo 4096 > /proc/sys/net/ipv4/route/max_size
# echo 2048 > /proc/sys/net/ipv4/route/gc_thresh

补丁下载：

Red Hat Linux 7.1:

SRPMS:
ftp://updates.redhat.com/7.1/en/ ... 2.4.20-13.7.src.rpm

athlon:
ftp://updates.redhat.com/7.1/en/ ... .20-13.7.athlon.rpm
ftp://updates.redhat.com/7.1/en/ ... .20-13.7.athlon.rpm

i386:
ftp://updates.redhat.com/7.1/en/ ... .4.20-13.7.i386.rpm
ftp://updates.redhat.com/7.1/en/ ... .4.20-13.7.i386.rpm
ftp://updates.redhat.com/7.1/en/ ... .4.20-13.7.i386.rpm
ftp://updates.redhat.com/7.1/en/ ... .4.20-13.7.i386.rpm

i586:
ftp://updates.redhat.com/7.1/en/ ... .4.20-13.7.i586.rpm
ftp://updates.redhat.com/7.1/en/ ... .4.20-13.7.i586.rpm

i686:
ftp://updates.redhat.com/7.1/en/ ... .4.20-13.7.i686.rpm
ftp://updates.redhat.com/7.1/en/ ... .4.20-13.7.i686.rpm
ftp://updates.redhat.com/7.1/en/ ... .4.20-13.7.i686.rpm

Red Hat Linux 7.2:

SRPMS:
ftp://updates.redhat.com/7.2/en/ ... 2.4.20-13.7.src.rpm

athlon:
ftp://updates.redhat.com/7.2/en/ ... .20-13.7.athlon.rpm
ftp://updates.redhat.com/7.2/en/ ... .20-13.7.athlon.rpm

i386:
ftp://updates.redhat.com/7.2/en/ ... .4.20-13.7.i386.rpm
ftp://updates.redhat.com/7.2/en/ ... .4.20-13.7.i386.rpm
ftp://updates.redhat.com/7.2/en/ ... .4.20-13.7.i386.rpm
ftp://updates.redhat.com/7.2/en/ ... .4.20-13.7.i386.rpm

i586:
ftp://updates.redhat.com/7.2/en/ ... .4.20-13.7.i586.rpm
ftp://updates.redhat.com/7.2/en/ ... .4.20-13.7.i586.rpm

i686:
ftp://updates.redhat.com/7.2/en/ ... .4.20-13.7.i686.rpm
ftp://updates.redhat.com/7.2/en/ ... .4.20-13.7.i686.rpm
ftp://updates.redhat.com/7.2/en/ ... .4.20-13.7.i686.rpm

Red Hat Linux 7.3:

SRPMS:
ftp://updates.redhat.com/7.3/en/ ... 2.4.20-13.7.src.rpm

athlon:
ftp://updates.redhat.com/7.3/en/ ... .20-13.7.athlon.rpm
ftp://updates.redhat.com/7.3/en/ ... .20-13.7.athlon.rpm

i386:
ftp://updates.redhat.com/7.3/en/ ... .4.20-13.7.i386.rpm
ftp://updates.redhat.com/7.3/en/ ... .4.20-13.7.i386.rpm
ftp://updates.redhat.com/7.3/en/ ... .4.20-13.7.i386.rpm
ftp://updates.redhat.com/7.3/en/ ... .4.20-13.7.i386.rpm

i586:
ftp://updates.redhat.com/7.3/en/ ... .4.20-13.7.i586.rpm
ftp://updates.redhat.com/7.3/en/ ... .4.20-13.7.i586.rpm

i686:
ftp://updates.redhat.com/7.3/en/ ... .4.20-13.7.i686.rpm
ftp://updates.redhat.com/7.3/en/ ... .4.20-13.7.i686.rpm
ftp://updates.redhat.com/7.3/en/ ... .4.20-13.7.i686.rpm

Red Hat Linux 8.0:

SRPMS:
ftp://updates.redhat.com/8.0/en/ ... 2.4.20-13.8.src.rpm
ftp://updates.redhat.com/8.0/en/ ... -0.4-44.8.1.src.rpm

athlon:
ftp://updates.redhat.com/8.0/en/ ... .20-13.8.athlon.rpm
ftp://updates.redhat.com/8.0/en/ ... .20-13.8.athlon.rpm

i386:
ftp://updates.redhat.com/8.0/en/ ... .4.20-13.8.i386.rpm
ftp://updates.redhat.com/8.0/en/ ... .4.20-13.8.i386.rpm
ftp://updates.redhat.com/8.0/en/ ... .4.20-13.8.i386.rpm
ftp://updates.redhat.com/8.0/en/ ... .4.20-13.8.i386.rpm
ftp://updates.redhat.com/8.0/en/ ... 0.4-44.8.1.i386.rpm

i586:
ftp://updates.redhat.com/8.0/en/ ... .4.20-13.8.i586.rpm
ftp://updates.redhat.com/8.0/en/ ... .4.20-13.8.i586.rpm

i686:
ftp://updates.redhat.com/8.0/en/ ... .4.20-13.8.i686.rpm
ftp://updates.redhat.com/8.0/en/ ... .4.20-13.8.i686.rpm
ftp://updates.redhat.com/8.0/en/ ... .4.20-13.8.i686.rpm

Red Hat Linux 9:

SRPMS:
ftp://updates.redhat.com/9/en/os/SRPMS/kernel-2.4.20-13.9.src.rpm

athlon:
ftp://updates.redhat.com/9/en/os ... .20-13.9.athlon.rpm
ftp://updates.redhat.com/9/en/os ... .20-13.9.athlon.rpm

i386:
ftp://updates.redhat.com/9/en/os/i386/kernel-2.4.20-13.9.i386.rpm
ftp://updates.redhat.com/9/en/os ... .4.20-13.9.i386.rpm
ftp://updates.redhat.com/9/en/os ... .4.20-13.9.i386.rpm
ftp://updates.redhat.com/9/en/os ... .4.20-13.9.i386.rpm

i586:
ftp://updates.redhat.com/9/en/os/i586/kernel-2.4.20-13.9.i586.rpm
ftp://updates.redhat.com/9/en/os ... .4.20-13.9.i586.rpm

i686:
ftp://updates.redhat.com/9/en/os/i686/kernel-2.4.20-13.9.i686.rpm
ftp://updates.redhat.com/9/en/os ... .4.20-13.9.i686.rpm
ftp://updates.redhat.com/9/en/os ... .4.20-13.9.i686.rpm

相关信息
参考：http://www.securityfocus.com/advisories/5384
http://www.securityfocus.com/advisories/5419
http://www.securityfocus.com/advisories/5377
http://www.enyo.de/fw/security/notes/linux-dst-cache-dos.html
http://www.cs.rice.edu/~scrosby/hash/
http://www.kernel.org/pub/linux/ ... ng/patch-2.4.21.log
http://marc.theaimsgroup.com/?l= ... p;m=104956079213417

Snoopy

有谁实现过吗？

冰块

实现过？晕了。不该在这里问的吧。
这有不是黑客论坛。。
只有那些傻呼呼的自以为是黑客的家伙们
看着别人写的教程，用着别人写的工具，入侵
自己人的网站。