[20847] in bugtraq
fpf module and packet fragmentation:local/remote DoS.
daemon@ATHENA.MIT.EDU (XR Agent)
Mon Jun 4 12:32:34 2001
Date: Sat, 2 Jun 2001 13:45:26 -0700
Message-Id: <200106022045.NAA30296@mail8.bigmailbox.com>
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
Mime-Version: 1.0
From: "XR Agent" <prp_sc@antionline.org>
To: bugtraq@securityfocus.com
Fpf kernel module by |CyRaX| [cyrax@pkcrew.org] (www.pkcrew.org) alters linux tcp/ip stack to emulate other OS'es against nmap/queso fingerprints using parser by FuSyS that reads nmap-os-fingerprints
for os emulation choice.
However, attempts to send fragmented packets to local or remote machine with nmap (-sS -f, -sN -f, -sX -f, -sF -f, -sA -f) or hping (hping -f) using host with loaded fpf.o lead to kernel panic ("Aiee, killing interrupt handle. Kernel panic: Attempted to kill the idle task ! In interrupt handler - not syncing.") if run from console or force immediate reboot if the packet sending tool is run from an xterm. When fpf.o - running machine recieves nmap / hping fragmented packets from remote hosts system freezes.
Security through obscurity was never a pefect solution, but in the current case there is also a hefty price to pay: complete inability of tcp/ip stack of "obscured" machine to deal with packet fragmentation.
Tested on Slackware 7.1 kernel 2.2.16 (i386).
Regards,
_clf3_ (PrP_Sc@antionline.org)
Veneficio, ergo sum.
------------------------------------------------------------
Email account furnished courtesy of AntiOnline - http://www.AntiOnline.com
AntiOnline - The Internet's Information Security Super Center!
