Re: Win98 Crash?

From: Bruno Coelho (bcoelhoat_private)
Date: Tue Jan 26 1999 - 12:56:26 PST


    OK, I tried to send the attack directly to the FW-1 Box. Nothing happens.
    Since it's blocking ANY packets going to itself, I tried to reach an outside
    box (through FW-1). Nothing happens to the FW-1...
    
    Bruno Coelho
    
    > -----Original Message-----
    > From: Bugtraq List [mailto:BUGTRAQat_private]On Behalf Of dorqus
    > maximus
    > Sent: Monday, January 25, 1999 4:32 PM
    > To: BUGTRAQat_private
    > Subject: Re: Win98 Crash?
    >
    >
    > DEF CON ZERO WINDOW wrote...
    > >  But, because value is wrong, this "oshare packet" can't be transmitted
    > > to the outside of the network. This is here well, and it is here badly,
    > > too. But, even whose machine will be able to be killed in the same
    > > segment.
    >
    > This oshare.c code may have crashed our Checkpoint Firewall-1,
    > version 3.0b,
    > Build Number: 3083. (Sun Sparc, Solaris 2.5.1)
    >
    > After running it I lost internet connectivity and saw
    > the following on the console of our firewall server:
    >
    > FW-1: packet size too big (131060) from 0x01010101, ip_p=17
    > FW-1: packet size too big (131060) from 0x01010101, ip_p=17
    > FW-1: packet size too big (131060) from 0x01010101, ip_p=17
    > FW-1: packet size too big (131060) from 0x01010101, ip_p=17
    > FW-1: packet size too big (131060) from 0x01010101, ip_p=17
    > FW-1: packet size too big (131060) from 0x01010101, ip_p=17
    > FW-1: packet size too big (131060) from 0x01010101, ip_p=17
    > FW-1: packet size too big (131060) from 0x01010101, ip_p=17
    > FW-1: packet size too big (131060) from 0x01010101, ip_p=17
    > FW-1: packet size too big (131060) from 0x01010101, ip_p=17
    > FW-1: packet size too big (131060) from 0x01010101, ip_p=17
    >
    > The machine could not be soft booted and needed to be hard booted
    > (power cycled)
    >
    > I will not (or cannot) try and duplicate this, since I can't afford
    > to crash our firewall again :)
    >
    > To give a brief network sketch:
    >
    > Linux Box (running oshare) -> Router -- Frame Relay -> Router
    >  -> Firewall-1 machine -> Dest Win98 box
    >
    > I cannot confirm that this program crashed our firewall, but I would say
    > it's a safe bet.
    >
    > I'm no C programmer, but I think this part here is the guilty part:
    > (Line 65 or so)
    >
    >         ip->frag_off    = htons( 16383 );
    >         ip->ttl         = 0xff;
    >         ip->protocol    = IPPROTO_UDP;
    >         ip->saddr       = htonl( inet_addr( "1.1.1.1" ) );
    >         ip->daddr       = dst_addr;
    >         ip->check       = in_cksum( ( u_short *)ip, 44 );
    >
    > YMMV, of course.
    >
    > Dorqus
    >
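
Added example, not part of the original thread and not taken from oshare.c: a receive-side sanity check for the fragment fields set in the quoted snippet, of the kind a filter or IP stack applies before queuing a fragment for reassembly. The 44-byte header length (IHL 11) is an assumption taken from the checksum length in the quoted lines, and the total-length values used with `verdict_for` are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define IP_MF      0x2000u  /* "more fragments" flag */
#define IP_OFFMASK 0x1fffu  /* 13-bit fragment offset, in 8-byte units */
#define IP_MAXLEN  65535u   /* largest legal reassembled datagram */

enum frag_verdict { FRAG_OK, FRAG_TRUNCATED, FRAG_BAD_HEADER,
                    FRAG_OVERSIZE, FRAG_BAD_ALIGN };

/* Byte offset encoded in a host-order frag_off value (16383 -> 65528). */
unsigned frag_byte_offset(unsigned frag_off)
{
    return (frag_off & IP_OFFMASK) * 8u;
}

/* Check the fragment fields of a received IPv4 header (network order). */
enum frag_verdict check_ipv4_fragment(const uint8_t *buf, size_t len)
{
    if (len < 20)
        return FRAG_TRUNCATED;
    unsigned hlen    = (buf[0] & 0x0fu) * 4u;
    unsigned tot_len = ((unsigned)buf[2] << 8) | buf[3];
    unsigned frag    = ((unsigned)buf[6] << 8) | buf[7];
    if ((buf[0] >> 4) != 4 || hlen < 20 || tot_len < hlen)
        return FRAG_BAD_HEADER;
    if (len < hlen)
        return FRAG_TRUNCATED;
    unsigned payload = tot_len - hlen;
    /* Header + offset + data must fit in the 16-bit total length. */
    if (hlen + frag_byte_offset(frag) + payload > IP_MAXLEN)
        return FRAG_OVERSIZE;
    /* Every fragment except the last carries a multiple of 8 bytes. */
    if ((frag & IP_MF) && payload % 8u != 0)
        return FRAG_BAD_ALIGN;
    return FRAG_OK;
}

/* Build a constructed header (not captured traffic) and classify it. */
enum frag_verdict verdict_for(unsigned ihl_words, unsigned tot_len, unsigned frag_off)
{
    uint8_t hdr[60];
    memset(hdr, 0, sizeof hdr);
    hdr[0] = (uint8_t)(0x40u | (ihl_words & 0x0fu));
    hdr[2] = (uint8_t)(tot_len >> 8);  hdr[3] = (uint8_t)tot_len;
    hdr[6] = (uint8_t)(frag_off >> 8); hdr[7] = (uint8_t)frag_off;
    return check_ipv4_fragment(hdr, sizeof hdr);
}
```

With the quoted `frag_off` of 16383 the offset alone is 65528 bytes, so the check returns `FRAG_OVERSIZE` for any header length and payload.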
    


