Re: CERT Advisory CA-98.13 - TCP/IP Denial of Service

From: David Schwartz (davidsat_private)
Date: Wed Dec 23 1998 - 15:51:42 PST


            The CERT advisory doesn't go into any detail about the exact nature of the
    packets that trigger the problem. However, the advisory references a FreeBSD
    note and patch. Since this patch is in a different section of code than the
    patches for teardrop/newtear/bonk/etc, it follows that the vulnerability and
    exploit are also slightly different.
    
            This also means that invulnerability to those attacks does not mean
    invulnerability to this one.
    
            A cursory look at the patch suggests that the problem has to do with short
    packets with certain options set. Here's the patch for FreeBSD 3.0 and
    2.2.x:
    
    RCS file: /home/cvsup/freebsd/CVS/src/sys/netinet/ip_input.c,v
    retrieving revision 1.104
    retrieving revision 1.105
    diff -u -r1.104 -r1.105
    --- ip_input.c  1998/10/27 09:19:03     1.104
    +++ ip_input.c  1998/11/11 21:17:59     1.105
    @@ -513,7 +513,7 @@
             */
            if (ip->ip_off & (IP_MF | IP_OFFMASK | IP_RF)) {
                    if (m->m_flags & M_EXT) {               /* XXX */
    -                       if ((m = m_pullup(m, sizeof (struct ip))) == 0) {
    +                       if ((m = m_pullup(m, hlen)) == 0) {
                                    ipstat.ips_toosmall++;
     #ifdef IPDIVERT
                                    frag_divert_port = 0;
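Review bot: the `m_pullup` length on the changed line is the whole fix and deserves a code comment, because the `/* XXX */` on the `if (m->m_flags & M_EXT)` line above it gives no hint why this pullup is here: `m_pullup(m, sizeof (struct ip))` only guarantees that the 20-byte fixed header is contiguous, so a fragment carrying IP options (hlen > 20) passes this check with the tail of its header still in the external cluster, whereas `m_pullup(m, hlen)` makes the full options-carrying header contiguous and routes a packet too short to hold it to the `ipstat.ips_toosmall++` drop path. Suggest a comment on the `+` line along the lines of `/* fragment code needs the whole header, options included, contiguous */`, and a check that hlen has already been validated against the packet length earlier in ip_input (that check is not in this hunk), so the pullup is never asked for more bytes than the packet carries.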
    
            DS
    
    > Have I missed something on the list lately about these illegal
    > packets that
    > CERT are addressing ("constructing a sequence of packets with certain
    > characteristics, an intruder can cause vulnerable systems to crash, hang,
    > or behave in unpredictable ways")?
    >
    > Or is this just the old teardrop/newtear/boink/bonk/nestea2 problem that
    > they are talking about?
    >
    > Ulf
    > ---
    > Ulf Munkedal
    > Partner
    > Neupart & Munkedal
    > http://www.n-m.com
    > Tel +45 7020 6565
    > Fax +45 7020 6065
    > Public PGP Key: http://www.n-m.com/pgp/
    > ---
    > SecureTest
    > - Vished for Internet-sikkerhed
    >
    >
    > ----------
    > From:   aleph1at_private[SMTP:aleph1at_private]
    > Reply To:       Bugtraq List
    > Sent:   22. december 1998 06:37
    > To:     BUGTRAQat_private
    > Subject:        CERT Advisory CA-98.13 - TCP/IP Denial of Service
    >
    > -----BEGIN PGP SIGNED MESSAGE-----
    >
    >
    > CERT Advisory CA-98-13-tcp-denial-of-service
    >
    >    Original Issue Date: December 21, 1998
    >
    >    Last Revised
    >
    > Topic: Vulnerability in Certain TCP/IP Implementations
    >
    > Affected Systems
    >
    >    Some systems with BSD-derived TCP/IP stacks. See Appendix A for a
    >    complete list of affected systems.
    >
    > Overview
    >
    >    Intruders can disrupt service or crash systems with vulnerable TCP/IP
    >    stacks. No special access is required, and intruders can use
    >    source-address spoofing to conceal their true location.
    >
    > I. Description
    >
    >    By carefully constructing a sequence of packets with certain
    >    characteristics, an intruder can cause vulnerable systems to crash,
    >    hang, or behave in unpredictable ways. This vulnerability is similar
    >    in its effect to other denial-of-service vulnerabilities, including
    >    the ones described in
    >
    >      http://www.cert.org/advisories/CA-97.28.Teardrop_Land.html
    >
    >    Specifically, intruders can use this vulnerability in conjunction with
    >    IP-source-address spoofing to make it difficult or impossible to know
    >    their location. They can also use the vulnerability in conjunction
    >    with broadcast packets to affect a large number of vulnerable machines
    >    with a small number of packets.
    >
    > II. Impact
    >
    >    Any remote user can crash or hang a vulnerable machine, or cause the
    >    system to behave in unpredictable ways.
    >
    > III. Solution
    >
    > A. Install a patch from your vendor.
    >
    >    Appendix A contains input from vendors who have provided information
    >    for this advisory. We will update the appendix as we receive more
    >    information. If you do not see your vendor's name, the CERT/CC did not
    >    hear from that vendor. Please contact your vendor directly.
    >
    > B. Configure your router or firewall to help prevent source-address
    > spoofing.
    >
    >    We encourage sites to configure their routers or firewalls to reduce
    >    the ability of intruders to use source-address spoofing. Currently,
    >    the best method to reduce the number of IP-spoofed packets exiting
    >    your network is to install filtering on your routers that requires
    >    packets leaving your network to have a source address from your
    >    internal network. This type of filter prevents a source IP-spoofing
    >    attack from your site by filtering all outgoing packets that contain a
    >    source address of a different network.
    >
    >    A detailed description of this type of filtering is available in RFC
    >    2267, "Network Ingress Filtering: Defeating Denial of Service Attacks
    >    which employ IP Source Address Spoofing" by Paul Ferguson of Cisco
    >    Systems, Inc. and Daniel Senie of Blazenet, Inc. We recommend it to
    >    both Internet Service Providers and sites that manage their own
    >    routers. The document is currently available at
    >
    >      http://info.internet.isi.edu:80/in-notes/rfc/files/rfc2267.txt
    >
    >    Note that this type of filtering does not protect a site from the
    >    attack itself, but it does reduce the ability of intruders to conceal
    >    their location, thereby discouraging attacks.
    >
    > Appendix A - Vendor Information
    >
    >    Berkeley Software Design, Inc. (BSDI)
    >
    >    BSDI's current release BSD/OS 4.0 is not vulnerable to this problem.
    >    BSD/OS 3.1 is vulnerable and a patch (M310-049) is available from
    >    BSDI's WWW server at http://www.bsdi.com/support/patches or via our
    >    ftp server from the directory
    >    ftp://ftp.bsdi.com/bsdi/patches/patches-3.1.
    >
    >    Cisco Systems
    >
    >    Cisco is not vulnerable.
    >
    >    Compaq Computer Corporation
    >
    >    SOURCE: (c) Copyright 1994, 1995, 1996, 1997, 1998 Compaq Computer
    >    Corporation.
    >
    >    All rights reserved.
    >
    >    SOURCE: Compaq Computer Corporation
    >    Compaq Services
    >    Software Security Response Team USA
    >
    >    This reported problem is not present for the as shipped, Compaq's
    >    Digital ULTRIX or Compaq's Digital UNIX Operating Systems Software.
    >
    >      - Compaq Computer Corporation
    >
    >    Data General Corporation
    >
    >    We are investigating. We will provide an update when our investigation
    >    is complete.
    >
    >    FreeBSD, Inc.
    >
    >    FreeBSD 2.2.8 is not vulnerable.
    >    FreeBSD versions prior to 2.2.8 are vulnerable.
    >    FreeBSD 3.0 is also vulnerable.
    >    FreeBSD 3.0-current as of 1998/11/12 is not vulnerable.
    >
    >    A patch is available at
    >    ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/CA-98-13/patch
    >
    >    Fujitsu
    >
    >    Regarding this vulnerability, Fujitsu's UXP/V operating system is not
    >    vulnerable.
    >
    >    Hewlett-Packard Company
    >
    >    HP is not vulnerable.
    >
    >    IBM Corporation
    >
    >    AIX is not vulnerable.
    >
    >    IBM and AIX are registered trademarks of International Business
    >    Machines Corporation.
    >
    >    Livingston Enterprises, Inc.
    >
    >    Livingston systems are not vulnerable.
    >
    >    Computer Associates International
    >
    >    CA systems are not vulnerable.
    >
    >    Microsoft Corporation
    >
    >    Microsoft is not vulnerable.
    >
    >    NEC Corporation
    >
    >    NEC Corporation EWS-UX, UP-UX and UX/4800 Unix systems are not
    >    vulnerable to this problem.
    >
    >    OpenBSD
    >
    >    Security fixes for this problem are now available for 2.3 and 2.4.
    >
    >    For 2.3, see
    >
    >      www.openbsd.org/errata23.html#tcpfix
    >
    >    For our 2.4 release which is available on CD on Dec 1, see
    >
    >      www.openbsd.org/errata.html#tcpfix
    >
    >    The bug is fixed in our -current source tree.
    >
    >    Sun Microsystems, Inc.
    >
    >    We have confirmed that SunOS and Solaris are not vulnerable to the DOS
    >    attack.
    >
    >    Wind River Systems, Inc.
    >
    >    We've taken a look at our networking code and have determined that
    >    this is not a problem in the currently shipping version of the VxWorks
    >    RTOS.
    >      _________________________________________________________________
    >
    > Contributors
    >
    >    The vulnerability was originally discovered by Joel Boutros of the
    >    Enterprise Security Services team of Cambridge Technology Partners.
    >    Guido van Rooij of FreeBSD, Inc., provided an analysis of the
    >    vulnerability and information regarding its scope and extent.
    >    ______________________________________________________________________
    >
    >    This document is available from:
    >    http://www.cert.org/advisories/CA-98-13-tcp-denial-of-service.html.
    >    ______________________________________________________________________
    >
    > CERT/CC Contact Information
    >
    >    Email: certat_private
    >           Phone: +1 412-268-7090 (24-hour hotline)
    >           Fax: +1 412-268-6989
    >           Postal address:
    >           CERT Coordination Center
    >           Software Engineering Institute
    >           Carnegie Mellon University
    >           Pittsburgh PA 15213-3890
    >           U.S.A.
    >
    >    CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4)
    >    Monday through Friday; they are on call for emergencies during other
    >    hours, on U.S. holidays, and on weekends.
    >
    > Using encryption
    >
    >    We strongly urge you to encrypt sensitive information sent by email.
    >    Our public PGP key is available from http://www.cert.org/CERT_PGP.key.
    >    If you prefer to use DES, please call the CERT hotline for more
    >    information.
    >
    > Getting security information
    >
    >    CERT publications and other security information are available from
    >    our web site http://www.cert.org/.
    >
    >    To be added to our mailing list for advisories and bulletins, send
    >    email to cert-advisory-requestat_private and include SUBSCRIBE
    >    your-email-address in the subject of your message.
    >
    >    Copyright 1998 Carnegie Mellon University.
    >    Conditions for use, disclaimers, and sponsorship information can be
    >    found in http://www.cert.org/legal_stuff.html.
    >
    >    * CERT is registered in the U.S. Patent and Trademark Office
    >    ______________________________________________________________________
    >
    >    NO WARRANTY
    >    Any material furnished by Carnegie Mellon University and the Software
    >    Engineering Institute is furnished on an "as is" basis. Carnegie
    >    Mellon University makes no warranties of any kind, either expressed or
    >    implied as to any matter including, but not limited to, warranty of
    >    fitness for a particular purpose or merchantability, exclusivity or
    >    results obtained from use of the material. Carnegie Mellon University
    >    does not make any warranty of any kind with respect to freedom from
    >    patent, trademark, or copyright infringement.
    >      _________________________________________________________________
    >
    >    Revision History
    >
    > -----BEGIN PGP SIGNATURE-----
    > Version: 2.6.2
    >
    > iQCVAwUBNn64knVP+x0t4w7BAQHd/wQAv+1cQif/KNdFZ1ObARzlJJUd9T0Za5WM
    > GjZwrlYR3CIm+eByVbGGizCYTXzuiTjQdenKxfDXAXXwqZRIvFbpjU3qWY6kCicf
    > BhTbvzOOIT/ROhr9fWRwPqqPMKUyUYaJCbeWYWeV6PFJ6fYhWrBihiE+yml4n1Xp
    > k2lHvwHl9lE=
    > =9kEz
    > -----END PGP SIGNATURE-----
    >
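As an added illustration of the header-length point made in the reply above, here is the pre-patch and the patched check side by side, reduced to a flat byte buffer. This is example code written for this archive page; it is not code from the original post, from FreeBSD's ip_input.c, or from CERT. It assumes a contiguous byte count `contig` standing in for the bytes an mbuf pullup has made contiguous, and the function names (`hdr_present_prepatch`, `hdr_present_patched`, `make_header`, `divergence`) and the constructed headers are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Fragment-related bits of ip_off, same names as in the patch quoted above. */
#define IP_RF      0x8000
#define IP_MF      0x2000
#define IP_OFFMASK 0x1fff

#define IP_FIXED_HDR 20          /* sizeof (struct ip): the header without options */
#define IP_MAX_HDR   60          /* ip_hl is 4 bits of 32-bit words, so 15 * 4 */

/* Header length as declared by the packet itself: ip_hl (low nibble of byte 0) in 32-bit words. */
static size_t ip_hlen(const uint8_t *pkt)
{
    return (size_t)(pkt[0] & 0x0f) * 4;
}

/* Fragment test, mirroring the condition `ip->ip_off & (IP_MF | IP_OFFMASK | IP_RF)`. */
int ip_is_fragment(const uint8_t *pkt)
{
    uint16_t off = (uint16_t)((pkt[6] << 8) | pkt[7]);
    return (off & (IP_MF | IP_OFFMASK | IP_RF)) != 0;
}

/* Pre-patch behaviour: only the fixed 20-byte header has to be contiguous
 * (m_pullup(m, sizeof (struct ip))). Any options beyond it are never checked. */
int hdr_present_prepatch(const uint8_t *pkt, size_t contig)
{
    (void)pkt;
    return contig >= IP_FIXED_HDR;
}

/* Patched behaviour: the whole header, options included, has to be contiguous
 * (m_pullup(m, hlen)); anything shorter goes to the ips_toosmall drop path. */
int hdr_present_patched(const uint8_t *pkt, size_t contig)
{
    if (contig < IP_FIXED_HDR)
        return 0;                                     /* cannot even read ip_hl safely */
    size_t hlen = ip_hlen(pkt);
    if (hlen < IP_FIXED_HDR || hlen > IP_MAX_HDR)
        return 0;                                     /* malformed header length */
    return contig >= hlen;                            /* options must be present too */
}

/* Build a constructed IPv4 header (version 4, ihl_words * 4 bytes, given total length and
 * ip_off) into buf; returns the header length, or 0 if buf is too small. Options area is
 * left as zeros, i.e. end-of-option-list padding. */
size_t make_header(uint8_t *buf, size_t cap, unsigned ihl_words, uint16_t total_len, uint16_t ip_off)
{
    size_t hlen = (size_t)(ihl_words & 0x0f) * 4;
    if (hlen == 0 || hlen > cap)
        return 0;
    memset(buf, 0, hlen);
    buf[0] = (uint8_t)(0x40 | (ihl_words & 0x0f));    /* version 4, ip_hl */
    buf[2] = (uint8_t)(total_len >> 8);
    buf[3] = (uint8_t)(total_len & 0xff);
    buf[6] = (uint8_t)(ip_off >> 8);
    buf[7] = (uint8_t)(ip_off & 0xff);
    buf[8] = 64;                                      /* ttl */
    buf[9] = 6;                                       /* protocol, arbitrary here */
    return hlen;
}

/* Constructs a fragment (IP_MF set) with the given ip_hl and evaluates it under both checks
 * with `contig` contiguous bytes. Returns 1 exactly when the pre-patch check accepts a header
 * the patched check rejects, i.e. the short-packet-with-options case the patch closes. */
int divergence(unsigned ihl_words, size_t contig)
{
    uint8_t pkt[IP_MAX_HDR];
    size_t hlen = make_header(pkt, sizeof pkt, ihl_words, (uint16_t)(ihl_words * 4), IP_MF);
    if (hlen == 0)
        return 0;
    return hdr_present_prepatch(pkt, contig) && !hdr_present_patched(pkt, contig);
}

int main(void)
{
    struct { unsigned ihl; size_t contig; } cases[] = { {5, 20}, {8, 20}, {8, 32} };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("ip_hl=%u words, %zu contiguous bytes: %s\n", cases[i].ihl, cases[i].contig,
               divergence(cases[i].ihl, cases[i].contig)
                   ? "accepted before the patch, rejected after it"
                   : "same verdict before and after");
    return 0;
}
```

The middle case (a 32-byte header with options, but only 20 contiguous bytes) is the one where the two checks disagree: the old pullup is satisfied by the fixed header alone, while the patched pullup of `hlen` bytes sends the packet to the `ips_toosmall` counter instead of letting later header-length-based accesses run past the contiguous region.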
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:26:06 PDT