IPRoute Fragmentation Denial of Service Vulnerability

From: Chris Gragsone (maetricsat_private)
Date: Wed Dec 05 2001 - 09:04:51 PST


    IPRoute Fragmentation Denial of Service Vulnerability
    by Chris Gragsone and The TechnoDragon
    Foot Clan
    
    Date: December 2, 2001
    Advisory ID: Foot-20011202
    Impact of vulnerability: Denial of Service
    Exploitable: Remotely
    Maximum Risk: Moderate
    
    Affected Software:
    IPRoute v1.18
    IPRoute v0.974
    IPRoute v0.973
    
    Vulnerability Description:
    
    IPRoute, by David F. Mischler, is PC-based router software for networks 
    running the Internet Protocol (IP). It can act as a dial on demand or 
    dedicated router between a LAN and a PPP, SLIP, ethernet, wireless IP or 
    cablemodem link and allow transparent access from a LAN to the Internet 
    using a single IP address through Network Address Translation (NAT). 
    IPRoute can also act as a PPP server for dialup connections or route 
    between LANs.
    
    The implementation of the router in IPRoute does not correctly handle 
    tiny fragmented packets, which split up the TCP header. If a series of 
    tiny fragmented packets were received by IPRoute, it would cause IPRoute 
    to fail. IPRoute could be put back into normal service by restarting the 
    interface, but all connections during the attack would drop. It is not 
    necessary for the attacker to establish a session through IPRoute in 
    order to exploit this vulnerability.
    ZapNET! firewalls are based on IPRoute and may also be vulnerable.
    
    The specific sequence of data packets involved with this vulnerability 
    cannot be generated as part of a legitimate connection.
    
    Vulnerability Reproduction:
    Simply run "nmap -sS -f ip-address". IPRoute will be unable to send or 
    receive via the interface affected until it is manually restarted.
    
    References:
    http://www.trunkmonkey.com/homenetwork/iproute/
    http://www.sans.org/infosecFAQ/threats/frag_attacks.htm
    
    Contact:
    http://footclan.realwarp.net Chris Gragsone (maetricsat_private)
    The TechnoDragon (tdragonat_private)
    
    Disclaimer:
    The contents of this advisory are copyright (c)2001 Foot Clan and may be 
    distributed freely provided that no fee is charged for this distribution 
    and proper credit is given.
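
A defensive check for the tiny-fragment pattern described in the advisory above, as an added example that is not part of the original advisory or of IPRoute: it flags IPv4 fragments that split a TCP header, modeled on the filtering rule in RFC 1858 and generalized to any fragment that begins inside the first 20 bytes. The function names, addresses and sample packets are constructed for illustration.

```python
import struct

TCP = 6
TCP_MIN_HEADER = 20  # bytes in a TCP header without options

def tiny_fragment_reason(packet: bytes):
    """Return why an IPv4 packet looks like a tiny TCP fragment, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    total_len, _ident, flags_off = struct.unpack("!HHH", packet[2:8])
    if ihl < 20 or total_len < ihl or packet[9] != TCP:
        return None
    more_fragments = bool(flags_off & 0x2000)
    offset = (flags_off & 0x1FFF) * 8  # fragment offset, converted to bytes
    payload_len = total_len - ihl
    # First fragment too short to hold the whole TCP header (RFC 1858 check).
    if offset == 0 and more_fragments and payload_len < TCP_MIN_HEADER:
        return f"first fragment holds only {payload_len} TCP header bytes"
    # Later fragment that begins inside the TCP header (generalizes FO=1).
    if 0 < offset < TCP_MIN_HEADER:
        return f"fragment starts inside the TCP header at byte {offset}"
    return None

def ipv4(payload: bytes, offset: int, more: bool, proto: int = TCP) -> bytes:
    """Build a constructed IPv4 packet in memory (checksum left at zero)."""
    flags_off = (0x2000 if more else 0) | (offset // 8)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                         flags_off, 64, proto, 0,
                         bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return header + payload

HDR = bytes(20)  # constructed stand-in for a 20-byte TCP header
SAMPLES = [
    ipv4(HDR[0:8], 0, True),         # header split into 8-byte pieces
    ipv4(HDR[8:16], 8, True),
    ipv4(HDR[16:20], 16, False),
    ipv4(HDR + b"x" * 100, 0, False),  # ordinary unfragmented segment
    ipv4(bytes(1480), 0, True),      # ordinary MTU-sized fragmentation
    ipv4(bytes(100), 1480, False),
]

def scan(packets):
    return [tiny_fragment_reason(p) for p in packets]

if __name__ == "__main__":
    for reason in scan(SAMPLES):
        print(reason or "ok")
```

A filter in front of an affected router can drop packets for which this check returns a reason, since no legitimate connection produces them.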
    


