Remote DoS in 6tunnel

2001-10-24T00:00:00
ID SECURITYVULNS:DOC:2126
Type securityvulns
Reporter Securityvulns
Modified 2001-10-24T00:00:00

Description

SUMMARY 6tunnel is a simple tunneling program for applications that don't speak IPv6. It's most used as an IRC proxy for clients without IPv6 support. A serious vulnerability in this program allow any user to crash 6tunnel locally and in some cases remotely.

SYSTEM / VERSIONS AFFECTED Older versions. 6tunnel 0.06 6tunnel 0.07 Version 0.07 should be included in the latest version of freeBSD ports and netBSD. It's even included by default in PLD ( http://www.pld.org.pl/ ) Version 0.08 has a wrong fix.

IMMUNE VERSIONS 6tunnel 0.09

DETAILED DESCRIPTION The socket opened when the client connects to 6tunnel is not correctly closed at the end of connection: in some cases, when the connection is closed by server (i.e. on IRC with a quit command, the IRC server close the connection) the socket will be closed after a short timeout. But if it's closed after a client disconnection, the socket remains in state CLOSE (as you can see with netstat) till 6tunnel will be killed or stopped. So flooding 6tunnel with connections/disconnections there are a lot of sockets not closed and after a variable number of connections (depending on OS,system,etc) 6tunnel will crash. Clients that were already connected before the crash won't be disconnected but it's not possible to make new connections. In order to crash 6tunnel remotely we must only be able to establish a connection.

OTHER INFORMATIONS: I reported this bug one week ago. After few hours the official maintainer <wojtekka@irc.pl> released a new version (6tunnel-0.08). This version was broken so I reported it with a working fix and after few days the corrected version (6tunnel-0.09) was released. This new version fixes even some memory leaks. You can find it here: ftp://213.146.38.146/pub/wojtekka/6tunnel-0.09.tar.gz

A simple IPv4/IPv6 connection flooder to demonstrate the DoS is attached.

Excuse me for my poor English. Regards. -- awayzzz <awayzzz@digibel.org>