OK, I tried to send the attack directly to the FW-1 box. Nothing happens.
Since it's blocking ANY packets going to itself, I tried to reach an
outside box (through FW-1). Nothing happens to the FW-1...

Bruno Coelho

> -----Original Message-----
> From: Bugtraq List [mailto:BUGTRAQat_private]On Behalf Of dorqus maximus
> Sent: Monday, January 25, 1999 4:32 PM
> To: BUGTRAQat_private
> Subject: Re: Win98 Crash?
>
>
> DEF CON ZERO WINDOW wrote...
> > But, because value is wrong, this "oshare packet" can't be transmitted
> > to the outside of the network. This is here well, and it is here badly,
> > too. But, even whose machine will be able to be killed in the same
> > segment.
>
> This oshare.c code may have crashed our Checkpoint Firewall-1,
> version 3.0b, Build Number: 3083. (Sun Sparc, Solaris 2.5.1)
>
> After running it I lost internet connectivity and saw
> the following on the console of our firewall server:
>
> FW-1: packet size too big (131060) from 0x01010101, ip_p=17
> FW-1: packet size too big (131060) from 0x01010101, ip_p=17
> FW-1: packet size too big (131060) from 0x01010101, ip_p=17
> FW-1: packet size too big (131060) from 0x01010101, ip_p=17
> FW-1: packet size too big (131060) from 0x01010101, ip_p=17
> FW-1: packet size too big (131060) from 0x01010101, ip_p=17
> FW-1: packet size too big (131060) from 0x01010101, ip_p=17
> FW-1: packet size too big (131060) from 0x01010101, ip_p=17
> FW-1: packet size too big (131060) from 0x01010101, ip_p=17
> FW-1: packet size too big (131060) from 0x01010101, ip_p=17
> FW-1: packet size too big (131060) from 0x01010101, ip_p=17
>
> The machine could not be soft booted and needed to be hard booted
> (power cycled).
>
> I will not (or cannot) try and duplicate this, since I can't afford
> to crash our firewall again :)
>
> To give a brief network sketch:
>
> Linux Box (running oshare) -> Router -- Frame Relay -> Router
> -> Firewall-1 machine -> Dest Win98 box
>
> I cannot confirm that this program crashed our firewall, but I would say
> it's a safe bet.
>
> I'm no C programmer, but I think this part here is the guilty part:
> (Line 65 or so)
>
> ip->frag_off = htons( 16383 );
> ip->ttl = 0xff;
> ip->protocol = IPPROTO_UDP;
> ip->saddr = htonl( inet_addr( "1.1.1.1" ) );
> ip->daddr = dst_addr;
> ip->check = in_cksum( ( u_short *)ip, 44 );
>
> YMMV, of course.
>
> Dorqus
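Editor's added illustration (not code from oshare.c, from Check Point, or from either poster): the frag_off value the quoted snippet sets, 16383 = 0x3fff, has the More Fragments bit (0x2000) set and the 13-bit fragment offset at its maximum, 8191, which is byte 65528 of the reassembled datagram. Any fragment data placed there runs past the 65535-byte maximum an IPv4 total-length field can describe, so a reassembler has to reject such a fragment outright instead of queuing it. The FW-1 message above is consistent with that header: ip_p=17 is IPPROTO_UDP and 0x01010101 is 1.1.1.1. The C below builds a header with those fields, decodes the fragment field, and applies that reassembly bound; the header layout, total length, IP id and an 8-byte UDP payload are assumptions, and nothing is ever put on the wire.

```c
/* Added example (not from oshare.c or Check Point): build the IPv4 header the
 * quoted snippet describes, decode its fragment field, and apply the
 * reassembly bound a packet filter must enforce. Header layout, total length,
 * id and the 8-byte payload are assumptions. Compile: cc frag.c && ./a.out */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#define IP_DF      0x4000
#define IP_MF      0x2000
#define IP_OFFMASK 0x1fff
#define IP_MAXLEN  65535u   /* largest value the 16-bit total length can hold */

/* Minimal IPv4 header; field names follow Linux's struct iphdr, which the
 * quoted snippet uses (frag_off, ttl, protocol, check, saddr, daddr). */
struct ipv4_hdr {
    uint8_t  vhl;       /* version (4) and header length in 32-bit words */
    uint8_t  tos;
    uint16_t tot_len;
    uint16_t id;
    uint16_t frag_off;  /* 3 flag bits + 13-bit offset in 8-byte units */
    uint8_t  ttl;
    uint8_t  protocol;
    uint16_t check;
    uint32_t saddr;
    uint32_t daddr;
};

/* RFC 1071 Internet checksum; oshare's in_cksum is assumed to do the same. */
static uint16_t in_cksum(const uint16_t *addr, size_t len)
{
    uint32_t sum = 0;
    while (len > 1) { sum += *addr++; len -= 2; }
    if (len == 1) sum += *(const uint8_t *)addr;
    sum  = (sum >> 16) + (sum & 0xffff);
    sum += (sum >> 16);
    return (uint16_t)~sum;
}

/* Flags and byte offset packed into frag_off (network byte order on the wire). */
int      frag_mf(uint16_t frag_off_net)       { return (ntohs(frag_off_net) & IP_MF) != 0; }
int      frag_df(uint16_t frag_off_net)       { return (ntohs(frag_off_net) & IP_DF) != 0; }
unsigned frag_byte_off(uint16_t frag_off_net) { return (ntohs(frag_off_net) & IP_OFFMASK) * 8u; }

/* Byte at which this fragment's data would end in the reassembled datagram. */
unsigned frag_end(uint16_t frag_off_net, unsigned payload_len)
{
    return frag_byte_off(frag_off_net) + payload_len;
}

/* Reassembly bound: data that would extend past the 65535-byte maximum
 * datagram cannot belong to any valid packet, so the fragment is dropped
 * rather than buffered. RFC 791 also requires a multiple of 8 data bytes
 * whenever MF is set. Returns 1 to accept, 0 to drop. */
int frag_accept(uint16_t frag_off_net, unsigned payload_len)
{
    if (frag_end(frag_off_net, payload_len) > IP_MAXLEN) return 0;
    if (frag_mf(frag_off_net) && (payload_len % 8) != 0) return 0;
    return 1;
}

/* Header as the quoted oshare.c lines set it: frag_off 16383 (0x3fff), ttl 255,
 * UDP, source 1.1.1.1. vhl, tot_len and id are assumed; the checksum here
 * covers the 20-byte header only. */
struct ipv4_hdr build_oshare_header(uint32_t dst_addr, unsigned payload_len)
{
    struct ipv4_hdr ip;
    memset(&ip, 0, sizeof ip);
    ip.vhl      = 0x45;
    ip.tot_len  = htons((uint16_t)(sizeof ip + payload_len));
    ip.id       = htons(0x1234);          /* assumed */
    ip.frag_off = htons(16383);           /* MF set, offset 8191 -> byte 65528 */
    ip.ttl      = 0xff;
    ip.protocol = IPPROTO_UDP;            /* FW-1's ip_p=17 */
    ip.saddr    = inet_addr("1.1.1.1");   /* already network order; FW-1's 0x01010101 */
    ip.daddr    = dst_addr;
    ip.check    = in_cksum((const uint16_t *)&ip, sizeof ip);
    return ip;
}

/* A receiver sums the whole header, checksum field included; a good header sums to 0. */
int header_checksum_ok(const struct ipv4_hdr *ip)
{
    return in_cksum((const uint16_t *)ip, sizeof *ip) == 0;
}

int oshare_header_checksum_ok(void)
{
    struct ipv4_hdr ip = build_oshare_header(inet_addr("10.0.0.1"), 8);  /* destination assumed */
    return header_checksum_ok(&ip);
}

int main(void)
{
    uint16_t fo = htons(16383);
    printf("MF=%d DF=%d offset=%u end=%u accept=%d checksum_ok=%d\n",
           frag_mf(fo), frag_df(fo), frag_byte_off(fo), frag_end(fo, 8),
           frag_accept(fo, 8), oshare_header_checksum_ok());
    return 0;
}
```

With the 8-byte payload assumed here the fragment ends at byte 65536, one past the maximum, so frag_accept() drops it; with MF set no fragment at offset 8191 can be valid at all, since MF forces at least 8 data bytes. The same bound applied before a fragment is queued is what keeps a reassembler from ever working with a datagram larger than its buffers.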
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:31:13 PDT