[23405] in bugtraq
IPRoute Fragmentation Denial of Service Vulnerability
daemon@ATHENA.MIT.EDU (Chris Gragsone)
Wed Dec 5 17:26:11 2001
Message-ID: <3C0E53B3.6050108@realwarp.net>
Date: Wed, 05 Dec 2001 12:04:51 -0500
From: Chris Gragsone <maetrics@realwarp.net>
MIME-Version: 1.0
To: bugtraq <bugtraq@securityfocus.com>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
IPRoute Fragmentation Denial of Service Vulnerability
by Chris Gragsone and The TechnoDragon
Foot Clan
Date: December 2, 2001
Advisory ID: Foot-20011202
Impact of vulnerability: Denial of Service
Exploitable: Remotely
Maximum Risk: Moderate
Affected Software:
IPRoute v1.18
IPRoute v0.974
IPRoute v0.973
Vulnerability Description:
IPRoute, by David F. Mischler, is PC-based router software for networks
running the Internet Protocol (IP). It can act as a dial on demand or
dedicated router between a LAN and a PPP, SLIP, ethernet, wireless IP or
cablemodem link and allow transparent access from a LAN to the Internet
using a single IP address through Network Address Translation (NAT).
IPRoute can also act as a PPP server for dialup connections or route
between LANs.
The implementation of the router in IPRoute does not correctly handle
tiny fragmented packets, which split up the tcp header. If a series of
tiny fragmented packets were recieved by IPRoute, it would cause IPRoute
to fail. IPRoute could be put back into normal service by restarting the
interface, but all connections during the attack would drop. It is not
necessary for the attacker to establish a session through IPRoute in
order to exploit this vulnerability.
ZapNET! firewalls are based on IPRoute and may also be vulnerable.
The specific sequence of data packets involved with this vulnerability
cannot be generated as part of a legitimate connection.
Vulnerability Reproduction:
Simply "nmap -sS -f ip-address". IPRoute will be unable to send or
receive via the interface affected until it is manually restarted.
References:
http://www.trunkmonkey.com/homenetwork/iproute/
http://www.sans.org/infosecFAQ/threats/frag_attacks.htm
Contact:
http://footclan.realwarp.net Chris Gragsone (maetrics@realwarp.net)
The TechnoDrgon (tdragon@mailandnews.com)
Disclaimer:
The contents of this advisory are copyright (c)2001 Foot Clan and may be
distributed freely provided that no fee is charged for this distribution
and proper credit is given.
