DEF CON ZERO WINDOW wrote...

> But, because value is wrong, this "oshare packet" can't be transmitted
> to the outside of the network. This is here well, and it is here badly,
> too. But, even whose machine will be able to be killed in the same
> segment.

This oshare.c code may have crashed our Checkpoint Firewall-1, version 3.0b,
Build Number: 3083. (Sun Sparc, Solaris 2.5.1)

After running it I lost internet connectivity and saw the following on the
console of our firewall server:

FW-1: packet size too big (131060) from 0x01010101, ip_p=17
FW-1: packet size too big (131060) from 0x01010101, ip_p=17
FW-1: packet size too big (131060) from 0x01010101, ip_p=17
FW-1: packet size too big (131060) from 0x01010101, ip_p=17
FW-1: packet size too big (131060) from 0x01010101, ip_p=17
FW-1: packet size too big (131060) from 0x01010101, ip_p=17
FW-1: packet size too big (131060) from 0x01010101, ip_p=17
FW-1: packet size too big (131060) from 0x01010101, ip_p=17
FW-1: packet size too big (131060) from 0x01010101, ip_p=17
FW-1: packet size too big (131060) from 0x01010101, ip_p=17
FW-1: packet size too big (131060) from 0x01010101, ip_p=17

The machine could not be soft booted and needed to be hard booted (power
cycled).

I will not (or cannot) try and duplicate this, since I can't afford to crash
our firewall again :)

To give a brief network sketch:

Linux Box (running oshare) -> Router -- Frame Relay -> Router -> Firewall-1 machine -> Dest Win98 box

I cannot confirm that this program crashed our firewall, but I would say it's
a safe bet.

I'm no C programmer, but I think this part here is the guilty part:
(Line 65 or so)

    ip->frag_off = htons( 16383 );
    ip->ttl = 0xff;
    ip->protocol = IPPROTO_UDP;
    ip->saddr = htonl( inet_addr( "1.1.1.1" ) );
    ip->daddr = dst_addr;
    ip->check = in_cksum( ( u_short *)ip, 44 );

YMMV, of course.

Dorqus
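Added example, not part of the original post and not code from oshare.c: it decodes the 16-bit flags/fragment-offset word the post points at (16383 = 0x3FFF) and applies the bounds check a receiver or filter can use so that no fragment extends a reassembled datagram past 65535 bytes. The names decode_frag and frag_is_sane are hypothetical, and the 44-byte total length is an assumption borrowed from the length passed to in_cksum in the snippet.

```c
#include <stdint.h>
#include <stdio.h>

#define IP_MF      0x2000u   /* "more fragments" flag */
#define IP_OFFMASK 0x1fffu   /* 13-bit fragment offset, in 8-byte units */
#define IP_MAXPKT  65535u    /* largest datagram a 16-bit length can describe */

struct frag_info {
    unsigned more_fragments;  /* MF flag set? */
    uint32_t offset_bytes;    /* where this fragment's data starts */
    uint32_t end_bytes;       /* offset plus the payload this fragment carries */
};

/* Decode the flags/offset word (host byte order) of a packet whose header
 * declares tot_len bytes in total and a header of ihl 32-bit words. */
static struct frag_info decode_frag(uint16_t frag_off, uint16_t tot_len, uint8_t ihl)
{
    struct frag_info f;
    uint32_t hdr = (uint32_t)ihl * 4u;
    uint32_t payload = tot_len > hdr ? tot_len - hdr : 0u;

    f.more_fragments = (frag_off & IP_MF) != 0;
    f.offset_bytes = (uint32_t)(frag_off & IP_OFFMASK) * 8u;
    f.end_bytes = f.offset_bytes + payload;
    return f;
}

/* Return 1 if the fragment is acceptable, 0 if it should be dropped. */
static int frag_is_sane(uint16_t frag_off, uint16_t tot_len, uint8_t ihl)
{
    struct frag_info f;
    if (ihl < 5 || tot_len < (uint32_t)ihl * 4u)
        return 0;                  /* header shorter than 20 bytes or longer than packet */
    f = decode_frag(frag_off, tot_len, ihl);
    if (f.end_bytes + (uint32_t)ihl * 4u > IP_MAXPKT)
        return 0;                  /* reassembled datagram would exceed 65535 bytes */
    if (f.more_fragments && (f.end_bytes - f.offset_bytes) % 8u != 0)
        return 0;                  /* RFC 791: non-final fragments carry 8-byte multiples */
    return 1;
}

int main(void)
{
    /* Constructed input: 16383 as in the post; 44-byte length and ihl=5 are assumed. */
    struct frag_info f = decode_frag(16383, 44, 5);
    printf("MF=%u offset=%u end=%u sane=%d\n", f.more_fragments,
           (unsigned)f.offset_bytes, (unsigned)f.end_bytes, frag_is_sane(16383, 44, 5));
    return 0;
}
```

With the value from the post, the offset field alone places the fragment's data at byte 65528, so any payload beyond 7 bytes pushes the declared end of the datagram past the 16-bit limit.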
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:30:58 PDT