nylon 0.2 (0.3?) DoS

From: 3APA3A (3APA3Aat_private)
Date: Thu Oct 10 2002 - 06:58:55 PDT


    Dear bugtraq@,
    
    I found this bug in nylon 0.2, but according to the CVS logs it was
    already fixed in the nylon project on Tue Jun 25 00:27:07 2002 UTC
    (3 months, 2 weeks ago): http://mesh.eecs.umich.edu/cvsweb/nylon/
    So, just update to a newer version.
    
    Details:
    
    #if defined(SENDN) || defined(RECVN)
    ssize_t
    #if defined(RECVN)
    recvn
    #elif defined(SENDN)
    sendn
    #endif
    (int s, void *buf, size_t len, int flags)
    {
            unsigned bytes = 0, bytes_left = len;
            
            while (bytes_left > 0) {
                    if ( (bytes =
                              #if defined(RECVN)
                              recv
                              #elif defined(SENDN)
                              send
                              #endif
                              (s, buf+(len-bytes_left), bytes_left, flags)) != -1 )
                            bytes_left -= bytes;
                    else
                            return -1;
            }
            return len;
    }
    #endif /* defined(SENDN) || defined(RECVN) */
    
    
    This function fails to check whether recv() returns 0. The problem
    arises if the remote side closes the connection during recv(). In this
    case all recv() calls for the socket always return 0. The program enters
    an endless loop with 100% CPU usage. There is no timeout of any kind.
    The exploit is trivial. nylon is in the ports collection for FreeBSD and
    probably other systems.
    
    References:
    
    [1] Nylon 0.2 DoS source code (Unix/Windows)
        http://www.security.nnov.ru/files/3nylont.c
    [2] Different Proxy-related software
        http://www.security.nnov.ru/soft
    
    
    /ZARAZA
    http://www.security.nnov.ru
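
A checked version of the receive loop quoted in the message above, as an added example (not code from the nylon project or from the original post): a recv() return of 0 ends the loop instead of repeating it. The names recvn_checked and demo_peer_close and the short-count return on early close are assumptions of this example; the socketpair scenario is constructed.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* recvn_checked (hypothetical name): read up to len bytes from s.
 * Returns the byte count actually read (short if the peer closed early),
 * or -1 on a socket error. Never spins on recv() == 0. */
ssize_t recvn_checked(int s, void *buf, size_t len, int flags)
{
    char *p = buf;              /* char * avoids arithmetic on void * */
    size_t left = len;

    while (left > 0) {
        ssize_t n = recv(s, p, left, flags);
        if (n > 0) {            /* progress: advance and keep reading */
            p += n;
            left -= (size_t)n;
        } else if (n == 0) {    /* peer closed: no more data will arrive */
            break;
        } else if (errno != EINTR) {
            return -1;          /* real error; EINTR alone is retried */
        }
    }
    return (ssize_t)(len - left);
}

/* Constructed scenario: the peer sends 5 bytes and closes while the
 * reader is still waiting for 16. */
ssize_t demo_peer_close(void)
{
    int sv[2];
    char buf[16];
    ssize_t got;

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == -1)
        return -1;
    (void)send(sv[1], "hello", 5, 0);
    close(sv[1]);               /* peer goes away mid-transfer */
    got = recvn_checked(sv[0], buf, sizeof buf, 0);
    close(sv[0]);
    return got;
}

int main(void)
{
    printf("read %zd of 16 bytes before EOF\n", demo_peer_close());
    return 0;
}
```

Setting SO_RCVTIMEO on the socket additionally bounds a peer that stays connected but stops sending; recv() then fails and the loop returns -1.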
    


