[14819] in bugtraq
Re: Denial of service attack against tcpdump
daemon@ATHENA.MIT.EDU (Sebastian)
Sat May 6 21:07:07 2000
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id: <20000503215105.A11915@nb.in-berlin.de>
Date: Wed, 3 May 2000 21:51:05 +0200
Reply-To: Sebastian <scut@NB.IN-BERLIN.DE>
From: Sebastian <scut@NB.IN-BERLIN.DE>
X-To: bretonh@PARANOIA.PGCI.CA
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <Pine.SOL.4.10.10005021942380.2077-100000@paranoia.pgci.ca>; from bretonh@PARANOIA.PGCI.CA on Tue, May 02, 2000 at 07:46:33PM -0400
On Tue, May 02, 2000 at 07:46:33PM -0400, bretonh@PARANOIA.PGCI.CA wrote:
> Greetings.
Hi.
> There is a way to disable tcpdump running on a remote host. By sending a
> carefully crafted UDP packet on the network which tcpdump monitors, it is
> possible, under certain circumstances, to make tcpdump fall into an infinite
> loop.
> [...]
> If this jump offset is set to its own location and if a program trying to
> decompress the domain name does not have any type of counter or strategy to
> avoid infinite loops, then the program will jump to the same offset in the
> packet over and over again.
Known issue for about one year now. There are several other methods to take
tcpdump down, two others with domain names (zlip*.c) and one with IP header
length fiddling. A detailed description + exploits were posted already on
bugtraq, though at that time tcpdump had no maintainer and there was no
fix issued. Also Ethereal and other sniffers are affected by this.
> Cheers,
> Hugo Breton
> bretonh@pgci.ca
ciao,
scut / teso
--
- scut@nb.in-berlin.de - http://nb.in-berlin.de/scut/ --- you don't need a --
-- lot of people to be great, you need a few great to be the best ------------
http://3261000594/scut/pgp - 5453 AC95 1E02 FDA7 50D2 A42D 427E 6DEF 745A 8E07
-- data in VK/USA Mayfly experienced, awaiting transfer location, hi echelon -
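As an added example, not part of Hugo Breton's report, Sebastian's reply or tcpdump's own code: a DNS name decompression routine in C written from the defender's side. It applies the two guards that make a self-referencing compression pointer, or a longer pointer cycle, fail with an error instead of looping: every pointer must refer to an octet before the lowest offset already visited (so the position strictly decreases with each jump), and the number of pointers followed is capped. The packet bytes are constructed for this example, and the names dns_name_decode, DNS_MAX_POINTERS and sample_pkt are my own, not identifiers from any real decoder.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define DNS_MAX_NAME     255  /* RFC 1035: a wire-format name is at most 255 octets */
#define DNS_MAX_POINTERS 64   /* hop budget; a real name needs far fewer jumps */

typedef enum {
    DNS_NAME_OK = 0,
    DNS_NAME_TRUNCATED,    /* label or pointer runs past the end of the packet */
    DNS_NAME_TOO_LONG,     /* decoded name exceeds 255 octets or the output buffer */
    DNS_NAME_BAD_POINTER,  /* pointer to itself, forward, or into a cycle */
    DNS_NAME_BAD_LABEL     /* reserved label types 01 / 10 */
} dns_name_status;

/* Decode the compressed name at pkt[off] into a dotted string in out.
 * On success *consumed receives the number of wire octets the name
 * occupies at off (pointers count as 2 and end the encoding). */
dns_name_status dns_name_decode(const uint8_t *pkt, size_t pktlen, size_t off,
                                char *out, size_t outlen, size_t *consumed)
{
    size_t pos = off, end = 0, lowest = off, outpos = 0, namelen = 0;
    unsigned pointers = 0;
    int jumped = 0;

    if (outlen == 0) return DNS_NAME_TOO_LONG;
    out[0] = '\0';

    for (;;) {
        if (pos >= pktlen) return DNS_NAME_TRUNCATED;
        uint8_t len = pkt[pos];

        if ((len & 0xC0) == 0xC0) {                     /* compression pointer */
            if (pos + 1 >= pktlen) return DNS_NAME_TRUNCATED;
            size_t target = ((size_t)(len & 0x3F) << 8) | pkt[pos + 1];
            if (!jumped) { end = pos + 2; jumped = 1; }
            /* Guard 1: the target must lie before everything visited so far.
             * A pointer to itself, forward, or back into the current run is
             * rejected; a legitimate pointer always refers to an earlier name. */
            if (target >= lowest) return DNS_NAME_BAD_POINTER;
            /* Guard 2: independent finite limit on pointers followed. */
            if (++pointers > DNS_MAX_POINTERS) return DNS_NAME_BAD_POINTER;
            lowest = pos = target;
            continue;
        }
        if (len & 0xC0) return DNS_NAME_BAD_LABEL;

        if (!jumped) end = pos + 1 + len;
        if (len == 0) break;                            /* root label ends the name */
        if (pos + 1 + len > pktlen) return DNS_NAME_TRUNCATED;
        namelen += 1 + len;
        if (namelen + 1 > DNS_MAX_NAME) return DNS_NAME_TOO_LONG;

        size_t need = outpos + (outpos ? 1 : 0) + len + 1;  /* dot, label, NUL */
        if (need > outlen) return DNS_NAME_TOO_LONG;
        if (outpos) out[outpos++] = '.';
        memcpy(out + outpos, pkt + pos + 1, len);
        outpos += len;
        out[outpos] = '\0';
        pos += 1 + len;
    }
    if (consumed) *consumed = end - off;
    return DNS_NAME_OK;
}

/* Constructed sample packet: a header, a valid name, a valid compressed
 * name, the self-referencing pointer from the post, and a two-step cycle. */
static const uint8_t sample_pkt[] = {
    /* 0..11: DNS header, contents irrelevant to name decoding */
    0x12, 0x34, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    /* 12: "www.example.com" as plain labels */
    3, 'w', 'w', 'w', 7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0,
    /* 29: "mail" + pointer to offset 16 ("example.com") */
    4, 'm', 'a', 'i', 'l', 0xC0, 0x10,
    /* 36: pointer to offset 36, i.e. to itself */
    0xC0, 0x24,
    /* 38: "foo" followed by a pointer back to offset 38 */
    3, 'f', 'o', 'o', 0xC0, 0x26,
};
static const size_t sample_pkt_len = sizeof sample_pkt;

int main(void)
{
    static const size_t starts[] = { 12, 29, 36, 38 };
    for (size_t i = 0; i < sizeof starts / sizeof starts[0]; i++) {
        char name[DNS_MAX_NAME + 1];
        size_t used = 0;
        dns_name_status st = dns_name_decode(sample_pkt, sample_pkt_len, starts[i],
                                             name, sizeof name, &used);
        if (st == DNS_NAME_OK)
            printf("offset %zu: %s (%zu wire octets)\n", starts[i], name, used);
        else
            printf("offset %zu: rejected, status %d\n", starts[i], (int)st);
    }
    return 0;
}
```

The cycle at offset 38 is why the guard compares against the lowest offset visited rather than the current position: a check of "target < pos" alone would accept the jump from 42 back to 38 and loop forever, which is the same failure mode as the self-pointer, one hop longer.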