The CERT advisory doesn't go into any detail about the exact nature of the packets that trigger the problem. However, the advisory references a FreeBSD note and patch. Since this patch is in a different section of code than the patches for teardrop/newtear/bonk/etc, it follows that the vulnerability and exploit are also slightly different. This also means that invulnerability to those attacks does not mean invulnerability to this one. A cursory look at the patch suggests that the problem has to do with short packets with certain options set. Here's the patch for FreeBSD 3.0 and 2.2.x:

RCS file: /home/cvsup/freebsd/CVS/src/sys/netinet/ip_input.c,v
retrieving revision 1.104
retrieving revision 1.105
diff -u -r1.104 -r1.105
--- ip_input.c	1998/10/27 09:19:03	1.104
+++ ip_input.c	1998/11/11 21:17:59	1.105
@@ -513,7 +513,7 @@
 	 */
 	if (ip->ip_off & (IP_MF | IP_OFFMASK | IP_RF)) {
 		if (m->m_flags & M_EXT) {		/* XXX */
-			if ((m = m_pullup(m, sizeof (struct ip))) == 0) {
+			if ((m = m_pullup(m, hlen)) == 0) {
 				ipstat.ips_toosmall++;
 #ifdef IPDIVERT
 				frag_divert_port = 0;

DS

> Have I missed something on the list lately about these illegal
> packets that CERT are addressing ("constructing a sequence of packets
> with certain characteristics, an intruder can cause vulnerable systems
> to crash, hang, or behave in unpredictable ways")?
>
> Or is this just the old teardrop/newtear/boink/bonk/nestea2 problem
> that they are talking about?
>
> Ulf
> ---
> Ulf Munkedal
> Partner
> Neupart & Munkedal
> http://www.n-m.com
> Tel +45 7020 6565
> Fax +45 7020 6065
> Public PGP Key: http://www.n-m.com/pgp/
> ---
> SecureTest
> - Certainty for Internet security
>
>
> ----------
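Review bot: the `+` line makes the pullup length `hlen` instead of `sizeof (struct ip)`, which is only safe if `hlen` has already been bounds-checked earlier in ip_input() (at least `sizeof (struct ip)`, at most the length of the mbuf chain); that check is outside this hunk, so it should be confirmed before relying on the new call in this fragment branch. A one-line comment on the `+` line stating why the fixed 20-byte pullup was insufficient (a header carrying options is longer than `sizeof (struct ip)`, so code that assumes the whole header is contiguous was reading past the pulled-up data) would make the fix self-documenting; the `ips_toosmall` accounting on the failure path is unchanged and still appropriate.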
> From: aleph1at_private[SMTP:aleph1at_private]
> Reply To: Bugtraq List
> Sent: 22. december 1998 06:37
> To: BUGTRAQat_private
> Subject: CERT Advisory CA-98.13 - TCP/IP Denial of Service
>
> -----BEGIN PGP SIGNED MESSAGE-----
>
> CERT Advisory CA-98-13-tcp-denial-of-service
>
> Original Issue Date: December 21, 1998
>
> Last Revised
>
> Topic: Vulnerability in Certain TCP/IP Implementations
>
> Affected Systems
>
> Some systems with BSD-derived TCP/IP stacks. See Appendix A for a
> complete list of affected systems.
>
> Overview
>
> Intruders can disrupt service or crash systems with vulnerable TCP/IP
> stacks. No special access is required, and intruders can use
> source-address spoofing to conceal their true location.
>
> I. Description
>
> By carefully constructing a sequence of packets with certain
> characteristics, an intruder can cause vulnerable systems to crash,
> hang, or behave in unpredictable ways. This vulnerability is similar
> in its effect to other denial-of-service vulnerabilities, including
> the ones described in
>
> http://www.cert.org/advisories/CA-97.28.Teardrop_Land.html
>
> Specifically, intruders can use this vulnerability in conjunction with
> IP-source-address spoofing to make it difficult or impossible to know
> their location. They can also use the vulnerability in conjunction
> with broadcast packets to affect a large number of vulnerable machines
> with a small number of packets.
>
> II. Impact
>
> Any remote user can crash or hang a vulnerable machine, or cause the
> system to behave in unpredictable ways.
>
> III. Solution
>
> A. Install a patch from your vendor.
>
> Appendix A contains input from vendors who have provided information
> for this advisory. We will update the appendix as we receive more
> information. If you do not see your vendor's name, the CERT/CC did not
> hear from that vendor. Please contact your vendor directly.
>
> B. Configure your router or firewall to help prevent source-address
> spoofing.
>
> We encourage sites to configure their routers or firewalls to reduce
> the ability of intruders to use source-address spoofing. Currently,
> the best method to reduce the number of IP-spoofed packets exiting
> your network is to install filtering on your routers that requires
> packets leaving your network to have a source address from your
> internal network. This type of filter prevents a source IP-spoofing
> attack from your site by filtering all outgoing packets that contain a
> source address of a different network.
>
> A detailed description of this type of filtering is available in RFC
> 2267, "Network Ingress Filtering: Defeating Denial of Service Attacks
> which employ IP Source Address Spoofing" by Paul Ferguson of Cisco
> Systems, Inc. and Daniel Senie of Blazenet, Inc. We recommend it to
> both Internet Service Providers and sites that manage their own
> routers. The document is currently available at
>
> http://info.internet.isi.edu:80/in-notes/rfc/files/rfc2267.txt
>
> Note that this type of filtering does not protect a site from the
> attack itself, but it does reduce the ability of intruders to conceal
> their location, thereby discouraging attacks.
>
> Appendix A - Vendor Information
>
> Berkeley Software Design, Inc. (BSDI)
>
> BSDI's current release BSD/OS 4.0 is not vulnerable to this problem.
> BSD/OS 3.1 is vulnerable and a patch (M310-049) is available from
> BSDI's WWW server at http://www.bsdi.com/support/patches or via our
> ftp server from the directory
> ftp://ftp.bsdi.com/bsdi/patches/patches-3.1.
>
> Cisco Systems
>
> Cisco is not vulnerable.
>
> Compaq Computer Corporation
>
> SOURCE: (c) Copyright 1994, 1995, 1996, 1997, 1998 Compaq Computer
> Corporation.
>
> All rights reserved.
>
> SOURCE: Compaq Computer Corporation
> Compaq Services
> Software Security Response Team USA
>
> This reported problem is not present in the as-shipped Compaq Digital
> ULTRIX or Compaq Digital UNIX Operating Systems Software.
>
> - Compaq Computer Corporation
>
> Data General Corporation
>
> We are investigating. We will provide an update when our investigation
> is complete.
>
> FreeBSD, Inc.
>
> FreeBSD 2.2.8 is not vulnerable.
> FreeBSD versions prior to 2.2.8 are vulnerable.
> FreeBSD 3.0 is also vulnerable.
> FreeBSD 3.0-current as of 1998/11/12 is not vulnerable.
>
> A patch is available at
> ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/CA-98-13/patch
>
> Fujitsu
>
> Regarding this vulnerability, Fujitsu's UXP/V operating system is not
> vulnerable.
>
> Hewlett-Packard Company
>
> HP is not vulnerable.
>
> IBM Corporation
>
> AIX is not vulnerable.
>
> IBM and AIX are registered trademarks of International Business
> Machines Corporation.
>
> Livingston Enterprises, Inc.
>
> Livingston systems are not vulnerable.
>
> Computer Associates International
>
> CA systems are not vulnerable.
>
> Microsoft Corporation
>
> Microsoft is not vulnerable.
>
> NEC Corporation
>
> NEC Corporation EWS-UX, UP-UX and UX/4800 Unix systems are not
> vulnerable to this problem.
>
> OpenBSD
>
> Security fixes for this problem are now available for 2.3 and 2.4.
>
> For 2.3, see
>
> www.openbsd.org/errata23.html#tcpfix
>
> For our 2.4 release which is available on CD on Dec 1, see
>
> www.openbsd.org/errata.html#tcpfix
>
> The bug is fixed in our -current source tree.
>
> Sun Microsystems, Inc.
>
> We have confirmed that SunOS and Solaris are not vulnerable to the DOS
> attack.
>
> Wind River Systems, Inc.
>
> We've taken a look at our networking code and have determined that
> this is not a problem in the currently shipping version of the VxWorks
> RTOS.
> _________________________________________________________________
>
> Contributors
>
> The vulnerability was originally discovered by Joel Boutros of the
> Enterprise Security Services team of Cambridge Technology Partners.
> Guido van Rooij of FreeBSD, Inc., provided an analysis of the
> vulnerability and information regarding its scope and extent.
> ______________________________________________________________________
>
> This document is available from:
> http://www.cert.org/advisories/CA-98-13-tcp-denial-of-service.html.
> ______________________________________________________________________
>
> CERT/CC Contact Information
>
> Email: certat_private
> Phone: +1 412-268-7090 (24-hour hotline)
> Fax: +1 412-268-6989
> Postal address:
> CERT Coordination Center
> Software Engineering Institute
> Carnegie Mellon University
> Pittsburgh PA 15213-3890
> U.S.A.
>
> CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4)
> Monday through Friday; they are on call for emergencies during other
> hours, on U.S. holidays, and on weekends.
>
> Using encryption
>
> We strongly urge you to encrypt sensitive information sent by email.
> Our public PGP key is available from http://www.cert.org/CERT_PGP.key.
> If you prefer to use DES, please call the CERT hotline for more
> information.
>
> Getting security information
>
> CERT publications and other security information are available from
> our web site http://www.cert.org/.
>
> To be added to our mailing list for advisories and bulletins, send
> email to cert-advisory-requestat_private and include SUBSCRIBE
> your-email-address in the subject of your message.
>
> Copyright 1998 Carnegie Mellon University.
> Conditions for use, disclaimers, and sponsorship information can be
> found in http://www.cert.org/legal_stuff.html.
>
> * CERT is registered in the U.S. Patent and Trademark Office
> ______________________________________________________________________
>
> NO WARRANTY
> Any material furnished by Carnegie Mellon University and the Software
> Engineering Institute is furnished on an "as is" basis.
> Carnegie Mellon University makes no warranties of any kind, either
> expressed or implied as to any matter including, but not limited to,
> warranty of fitness for a particular purpose or merchantability,
> exclusivity or results obtained from use of the material. Carnegie
> Mellon University does not make any warranty of any kind with respect
> to freedom from patent, trademark, or copyright infringement.
> _________________________________________________________________
>
> Revision History
>
> -----BEGIN PGP SIGNATURE-----
> Version: 2.6.2
>
> -----END PGP SIGNATURE-----
>
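The class of check the FreeBSD patch quoted above is about (making sure the whole IP header, options included, is really present before a fragment is handled) is shown here in user-space form as an added example; this is not FreeBSD's code nor the poster's, and the `check_constructed` helper and all header field values in it are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* IPv4 header constants (RFC 791); same bits as IP_RF / IP_MF / IP_OFFMASK. */
#define IPV4_MIN_HLEN 20
#define IPV4_RF       0x8000
#define IPV4_MF       0x2000
#define IPV4_OFFMASK  0x1fff

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Validate an IPv4 header against `len`, the bytes actually received.
 * Returns the header length (20..60) when the whole header, options included,
 * is present and consistent with the total-length field, else 0 (drop).
 * Checking hlen rather than sizeof(struct ip) is the point of the patch. */
size_t ipv4_validate_header(const uint8_t *pkt, size_t len)
{
    if (len < IPV4_MIN_HLEN || (pkt[0] >> 4) != 4)
        return 0;
    size_t hlen = (size_t)(pkt[0] & 0x0f) * 4;  /* IHL counts 32-bit words */
    if (hlen < IPV4_MIN_HLEN || hlen > len)       /* options promised, not on the wire */
        return 0;
    size_t total = be16(pkt + 2);
    if (total < hlen || total > len)              /* total length must cover the header */
        return 0;
    return hlen;
}

/* True when the datagram would go to reassembly: RF, MF or a non-zero
 * fragment offset, the same test as ip_off & (IP_MF | IP_OFFMASK | IP_RF). */
int ipv4_is_fragment(const uint8_t *pkt)
{
    return (be16(pkt + 6) & (IPV4_RF | IPV4_MF | IPV4_OFFMASK)) != 0;
}

/* Constructed test input (hypothetical helper): a header claiming `ihl_words`,
 * the given total length and fragment field, of which only `wire_len` bytes
 * "arrive". Returns the validated header length (0 = drop); *is_frag gets the test. */
size_t check_constructed(unsigned ihl_words, uint16_t total_len,
                         uint16_t frag_field, size_t wire_len, int *is_frag)
{
    uint8_t buf[60];                              /* 60 = largest legal IPv4 header */
    if (wire_len > sizeof buf) return 0;
    memset(buf, 0, sizeof buf);
    buf[0] = (uint8_t)(0x40 | (ihl_words & 0x0f));
    buf[2] = (uint8_t)(total_len >> 8); buf[3] = (uint8_t)total_len;
    buf[6] = (uint8_t)(frag_field >> 8); buf[7] = (uint8_t)frag_field;
    *is_frag = ipv4_is_fragment(buf);
    return ipv4_validate_header(buf, wire_len);
}
```

The third constructed case (IHL of 6 words but only 20 bytes delivered, MF set) is the shape of datagram a fixed 20-byte pullup would have accepted and that the hlen check rejects.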
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:26:06 PDT