Lucene search
Packet StormPACKETSTORM:15121HistoryAug 17, 1999 - 12:00 a.m.
cert-tcpip-DoS.txt
1999-08-1700:00:00
Packet Storm
packetstormsecurity.com
36
`Date: Wed, 23 Dec 1998 15:51:42 -0800
From: David Schwartz <[email protected]>
Reply-To: Bugtraq List <[email protected]>
To: [email protected]
Subject: Re: CERT Advisory CA-98.13 - TCP/IP Denial of Service
[ The following text is in the "Windows-1252" character set. ]
[ Your display is set for the "US-ASCII" character set. ]
[ Some characters may be displayed incorrectly. ]
The CERT advisory doesn't go into any detail about the exact nature of the
packets that trigger the problem. However, the advisory refernces a FreeBSD
note and patch. Since this patch is in a different section of code than the
patches for teardrop/newtear/bonk/etc, it follows that the vulnerability and
exploit are also slightly different.
This also means that invulnerability to those attacks does not mean
invulnerability to this one.
A cursory look at the patch suggests that the problem has to do with short
packets with certain options set. Here's the patch for FreeBSD 3.0 and
2.2.x:
RCS file: /home/cvsup/freebsd/CVS/src/sys/netinet/ip_input.c,v
retrieving revision 1.104
retrieving revision 1.105
diff -u -r1.104 -r1.105
--- ip_input.c 1998/10/27 09:19:03 1.104
+++ ip_input.c 1998/11/11 21:17:59 1.105
@@ -513,7 +513,7 @@
*/
if (ip->ip_off & (IP_MF | IP_OFFMASK | IP_RF)) {
if (m->m_flags & M_EXT) { /* XXX */
- if ((m = m_pullup(m, sizeof (struct ip))) == 0) {
+ if ((m = m_pullup(m, hlen)) == 0) {
ipstat.ips_toosmall++;
#ifdef IPDIVERT
frag_divert_port = 0;
DS
------------------------------------------------------------------------
Date: Mon, 21 Dec 1998 21:37:05 -0800
From: [email protected]
Reply-To: Bugtraq List <[email protected]>
To: [email protected]
Subject: CERT Advisory CA-98.13 - TCP/IP Denial of Service
-----BEGIN PGP SIGNED MESSAGE-----
CERT Advisory CA-98-13-tcp-denial-of-service
Original Issue Date: December 21, 1998
Last Revised
Topic: Vulnerability in Certain TCP/IP Implementations
Affected Systems
Some systems with BSD-derived TCP/IP stacks. See Appendix A for a
complete list of affected systems.
Overview
Intruders can disrupt service or crash systems with vulnerable TCP/IP
stacks. No special access is required, and intruders can use
source-address spoofing to conceal their true location.
I. Description
By carefully constructing a sequence of packets with certain
characteristics, an intruder can cause vulnerable systems to crash,
hang, or behave in unpredictable ways. This vulnerability is similar
in its effect to other denial-of-service vulnerabilities, including
the ones described in
http://www.cert.org/advisories/CA-97.28.Teardrop_Land.html
Specifically, intruders can use this vulnerability in conjunction with
IP-source-address spoofing to make it difficult or impossible to know
their location. They can also use the vulnerability in conjunction
with broadcast packets to affect a large number of vulnerable machines
with a small number of packets.
II. Impact
Any remote user can crash or hang a vulnerable machine, or cause the
system to behave in unpredictable ways.
III. Solution
A. Install a patch from your vendor.
Appendix A contains input from vendors who have provided information
for this advisory. We will update the appendix as we receive more
information. If you do not see your vendor's name, the CERT/CC did not
hear from that vendor. Please contact your vendor directly.
B. Configure your router or firewall to help prevent source-address spoofing.
We encourage sites to configure their routers or firewalls to reduce
the ability of intruders to use source-address spoofing. Currently,
the best method to reduce the number of IP-spoofed packets exiting
your network is to install filtering on your routers that requires
packets leaving your network to have a source address from your
internal network. This type of filter prevents a source IP-spoofing
attack from your site by filtering all outgoing packets that contain a
source address of a different network.
A detailed description of this type of filtering is available in RFC
2267, "Network Ingress Filtering: Defeating Denial of Service Attacks
which employ IP Source Address Spoofing" by Paul Ferguson of Cisco
Systems, Inc. and Daniel Senie of Blazenet, Inc. We recommend it to
both Internet Service Providers and sites that manage their own
routers. The document is currently available at
http://info.internet.isi.edu:80/in-notes/rfc/files/rfc2267.txt
Note that this type of filtering does not protect a site from the
attack itself, but it does reduce the ability of intruders to conceal
their location, thereby discouraging attacks.
Appendix A - Vendor Information
Berkeley Software Design, Inc. (BSDI)
BSDI's current release BSD/OS 4.0 is not vulnerable to this problem.
BSD/OS 3.1 is vulnerable and a patch (M310-049) is available from
BSDI's WWW server at http://www.bsdi.com/support/patches or via our
ftp server from the directory
ftp://ftp.bsdi.com/bsdi/patches/patches-3.1.
Cisco Systems
Cisco is not vulnerable.
Compaq Computer Corporation
SOURCE: (c) Copyright 1994, 1995, 1996, 1997, 1998 Compaq Computer
Corporation.
All rights reserved.
SOURCE: Compaq Computer Corporation
Compaq Services
Software Security Response Team USA
This reported problem is not present for the as shipped, Compaq's
Digital ULTRIX or Compaq's Digital UNIX Operating Systems Software.
- Compaq Computer Corporation
Data General Corporation
We are investigating. We will provide an update when our investigation
is complete.
FreeBSD, Inc.
FreeBSD 2.2.8 is not vulnerable.
FreeBSD versions prior to 2.2.8 are vulnerable.
FreeBSD 3.0 is also vulnerable.
FreeBSD 3.0-current as of 1998/11/12 is not vulnerable.
A patch is available at
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/CA-98-13/patch
Fujitsu
Regarding this vulnerability, Fujitsu's UXP/V operating system is not
vulnerable.
Hewlett-Packard Company
HP is not vulnerable.
IBM Corporation
AIX is not vulnerable.
IBM and AIX are registered trademarks of International Business
Machines Corporation.
Livingston Enterprises, Inc.
Livingston systems are not vulnerable.
Computer Associates International
CA systems are not vulnerable.
Microsoft Corporation
Microsoft is not vulnerable.
NEC Corporation
NEC Corporation EWS-UX, UP-UX and UX/4800 Unix systems are not
vulnerable to this problem.
OpenBSD
Security fixes for this problem are now available for 2.3 and 2.4.
For 2.3, see
www.openbsd.org/errata23.html#tcpfix
For our 2.4 release which is available on CD on Dec 1, see
www.openbsd.org/errata.html#tcpfix
The bug is fixed in our -current source tree.
Sun Microsystems, Inc.
We have confirmed that SunOS and Solaris are not vulnerable to the DOS
attack.
Wind River Systems, Inc.
We've taken a look at our networking code and have determined that
this is not a problem in the currently shipping version of the VxWorks
RTOS.
_________________________________________________________________
Contributors
The vulnerability was originally discovered by Joel Boutros of the
Enterprise Security Services team of Cambridge Technology Partners.
Guido van Rooij of FreeBSD, Inc., provided an analysis of the
vulnerability and information regarding its scope and extent.
______________________________________________________________________
This document is available from:
http://www.cert.org/advisories/CA-98-13-tcp-denial-of-service.html.
______________________________________________________________________
CERT/CC Contact Information
Email: [email protected]
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.
CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4)
Monday through Friday; they are on call for emergencies during other
hours, on U.S. holidays, and on weekends.
Using encryption
We strongly urge you to encrypt sensitive information sent by email.
Our public PGP key is available from http://www.cert.org/CERT_PGP.key.
If you prefer to use DES, please call the CERT hotline for more
information.
Getting security information
CERT publications and other security information are available from
our web site http://www.cert.org/.
To be added to our mailing list for advisories and bulletins, send
email to [email protected] and include SUBSCRIBE
your-email-address in the subject of your message.
Copyright 1998 Carnegie Mellon University.
Conditions for use, disclaimers, and sponsorship information can be
found in http://www.cert.org/legal_stuff.html.
* CERT is registered in the U.S. Patent and Trademark Office
______________________________________________________________________
NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software
Engineering Institute is furnished on an "as is" basis. Carnegie
Mellon University makes no warranties of any kind, either expressed or
implied as to any matter including, but not limited to, warranty of
fitness for a particular purpose or merchantability, exclusivity or
results obtained from use of the material. Carnegie Mellon University
does not make any warranty of any kind with respect to freedom from
patent, trademark, or copyright infringement.
_________________________________________________________________
Revision History
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
iQCVAwUBNn64knVP+x0t4w7BAQHd/wQAv+1cQif/KNdFZ1ObARzlJJUd9T0Za5WM
GjZwrlYR3CIm+eByVbGGizCYTXzuiTjQdenKxfDXAXXwqZRIvFbpjU3qWY6kCicf
BhTbvzOOIT/ROhr9fWRwPqqPMKUyUYaJCbeWYWeV6PFJ6fYhWrBihiE+yml4n1Xp
k2lHvwHl9lE=
=9kEz
-----END PGP SIGNATURE-----
`