[8809] in bugtraq

home help back first fref pref prev next nref lref last post

Re: CERT Advisory CA-98.13 - TCP/IP Denial of Service

daemon@ATHENA.MIT.EDU (David Schwartz)
Wed Dec 23 23:33:45 1998

Date: 	Wed, 23 Dec 1998 15:51:42 -0800
Reply-To: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
From: David Schwartz <davids@WEBMASTER.COM>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <01BE2E65.E061C130.munkedal@n-m.com>

        The CERT advisory doesn't go into any detail about the exact nature of the
packets that trigger the problem. However, the advisory refernces a FreeBSD
note and patch. Since this patch is in a different section of code than the
patches for teardrop/newtear/bonk/etc, it follows that the vulnerability and
exploit are also slightly different.

        This also means that invulnerability to those attacks does not mean
invulnerability to this one.

        A cursory look at the patch suggests that the problem has to do with short
packets with certain options set. Here's the patch for FreeBSD 3.0 and
2.2.x:

RCS file: /home/cvsup/freebsd/CVS/src/sys/netinet/ip_input.c,v
retrieving revision 1.104
retrieving revision 1.105
diff -u -r1.104 -r1.105
--- ip_input.c  1998/10/27 09:19:03     1.104
+++ ip_input.c  1998/11/11 21:17:59     1.105
@@ -513,7 +513,7 @@
         */
        if (ip->ip_off & (IP_MF | IP_OFFMASK | IP_RF)) {
                if (m->m_flags & M_EXT) {               /* XXX */
-                       if ((m = m_pullup(m, sizeof (struct ip))) == 0) {
+                       if ((m = m_pullup(m, hlen)) == 0) {
                                ipstat.ips_toosmall++;
 #ifdef IPDIVERT
                                frag_divert_port = 0;

        DS

> Have I missed something on the list lately about these illegal
> packets that
> CERT are adressing ("constructing a sequence of packets with certain
> characteristics, an intruder can cause vulnerable systems to crash, hang,
> or behave in unpredictable ways")?
>
> Or is this just the old teardrop/newtear/boink/bonk/nestea2 problem that
> they are talking about?
>
> Ulf
> ---
> Ulf Munkedal
> Partner
> Neupart & Munkedal
> http://www.n-m.com
> Tel +45 7020 6565
> Fax +45 7020 6065
> Public PGP Key: http://www.n-m.com/pgp/
> ---
> SecureTest
> - Vished for Internet-sikkerhed
>
>
> ----------
> From:   aleph1@UNDERGROUND.ORG[SMTP:aleph1@UNDERGROUND.ORG]
> Reply To:       Bugtraq List
> Sent:   22. december 1998 06:37
> To:     BUGTRAQ@netspace.org
> Subject:        CERT Advisory CA-98.13 - TCP/IP Denial of Service
>
> -----BEGIN PGP SIGNED MESSAGE-----
>
>
> CERT Advisory CA-98-13-tcp-denial-of-service
>
>    Original Issue Date: December 21, 1998
>
>    Last Revised
>
> Topic: Vulnerability in Certain TCP/IP Implementations
>
> Affected Systems
>
>    Some systems with BSD-derived TCP/IP stacks. See Appendix A for a
>    complete list of affected systems.
>
> Overview
>
>    Intruders can disrupt service or crash systems with vulnerable TCP/IP
>    stacks. No special access is required, and intruders can use
>    source-address spoofing to conceal their true location.
>
> I. Description
>
>    By carefully constructing a sequence of packets with certain
>    characteristics, an intruder can cause vulnerable systems to crash,
>    hang, or behave in unpredictable ways. This vulnerability is similar
>    in its effect to other denial-of-service vulnerabilities, including
>    the ones described in
>
>      http://www.cert.org/advisories/CA-97.28.Teardrop_Land.html
>
>    Specifically, intruders can use this vulnerability in conjunction with
>    IP-source-address spoofing to make it difficult or impossible to know
>    their location. They can also use the vulnerability in conjunction
>    with broadcast packets to affect a large number of vulnerable machines
>    with a small number of packets.
>
> II. Impact
>
>    Any remote user can crash or hang a vulnerable machine, or cause the
>    system to behave in unpredictable ways.
>
> III. Solution
>
> A. Install a patch from your vendor.
>
>    Appendix A contains input from vendors who have provided information
>    for this advisory. We will update the appendix as we receive more
>    information. If you do not see your vendor's name, the CERT/CC did not
>    hear from that vendor. Please contact your vendor directly.
>
> B. Configure your router or firewall to help prevent source-address
> spoofing.
>
>    We encourage sites to configure their routers or firewalls to reduce
>    the ability of intruders to use source-address spoofing. Currently,
>    the best method to reduce the number of IP-spoofed packets exiting
>    your network is to install filtering on your routers that requires
>    packets leaving your network to have a source address from your
>    internal network. This type of filter prevents a source IP-spoofing
>    attack from your site by filtering all outgoing packets that contain a
>    source address of a different network.
>
>    A detailed description of this type of filtering is available in RFC
>    2267, "Network Ingress Filtering: Defeating Denial of Service Attacks
>    which employ IP Source Address Spoofing" by Paul Ferguson of Cisco
>    Systems, Inc. and Daniel Senie of Blazenet, Inc. We recommend it to
>    both Internet Service Providers and sites that manage their own
>    routers. The document is currently available at
>
>      http://info.internet.isi.edu:80/in-notes/rfc/files/rfc2267.txt
>
>    Note that this type of filtering does not protect a site from the
>    attack itself, but it does reduce the ability of intruders to conceal
>    their location, thereby discouraging attacks.
>
> Appendix A - Vendor Information
>
>    Berkeley Software Design, Inc. (BSDI)
>
>    BSDI's current release BSD/OS 4.0 is not vulnerable to this problem.
>    BSD/OS 3.1 is vulnerable and a patch (M310-049) is available from
>    BSDI's WWW server at http://www.bsdi.com/support/patches or via our
>    ftp server from the directory
>    ftp://ftp.bsdi.com/bsdi/patches/patches-3.1.
>
>    Cisco Systems
>
>    Cisco is not vulnerable.
>
>    Compaq Computer Corporation
>
>    SOURCE: (c) Copyright 1994, 1995, 1996, 1997, 1998 Compaq Computer
>    Corporation.
>
>    All rights reserved.
>
>    SOURCE: Compaq Computer Corporation
>    Compaq Services
>    Software Security Response Team USA
>
>    This reported problem is not present for the as shipped, Compaq's
>    Digital ULTRIX or Compaq's Digital UNIX Operating Systems Software.
>
>      - Compaq Computer Corporation
>
>    Data General Corporation
>
>    We are investigating. We will provide an update when our investigation
>    is complete.
>
>    FreeBSD, Inc.
>
>    FreeBSD 2.2.8 is not vulnerable.
>    FreeBSD versions prior to 2.2.8 are vulnerable.
>    FreeBSD 3.0 is also vulnerable.
>    FreeBSD 3.0-current as of 1998/11/12 is not vulnerable.
>
>    A patch is available at
>    ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/CA-98-13/patch
>
>    Fujitsu
>
>    Regarding this vulnerability, Fujitsu's UXP/V operating system is not
>    vulnerable.
>
>    Hewlett-Packard Company
>
>    HP is not vulnerable.
>
>    IBM Corporation
>
>    AIX is not vulnerable.
>
>    IBM and AIX are registered trademarks of International Business
>    Machines Corporation.
>
>    Livingston Enterprises, Inc.
>
>    Livingston systems are not vulnerable.
>
>    Computer Associates International
>
>    CA systems are not vulnerable.
>
>    Microsoft Corporation
>
>    Microsoft is not vulnerable.
>
>    NEC Corporation
>
>    NEC Corporation EWS-UX, UP-UX and UX/4800 Unix systems are not
>    vulnerable to this problem.
>
>    OpenBSD
>
>    Security fixes for this problem are now available for 2.3 and 2.4.
>
>    For 2.3, see
>
>      www.openbsd.org/errata23.html#tcpfix
>
>    For our 2.4 release which is available on CD on Dec 1, see
>
>      www.openbsd.org/errata.html#tcpfix
>
>    The bug is fixed in our -current source tree.
>
>    Sun Microsystems, Inc.
>
>    We have confirmed that SunOS and Solaris are not vulnerable to the DOS
>    attack.
>
>    Wind River Systems, Inc.
>
>    We've taken a look at our networking code and have determined that
>    this is not a problem in the currently shipping version of the VxWorks
>    RTOS.
>      _________________________________________________________________
>
> Contributors
>
>    The vulnerability was originally discovered by Joel Boutros of the
>    Enterprise Security Services team of Cambridge Technology Partners.
>    Guido van Rooij of FreeBSD, Inc., provided an analysis of the
>    vulnerability and information regarding its scope and extent.
>    ______________________________________________________________________
>
>    This document is available from:
>    http://www.cert.org/advisories/CA-98-13-tcp-denial-of-service.html.
>    ______________________________________________________________________
>
> CERT/CC Contact Information
>
>    Email: cert@cert.org
>           Phone: +1 412-268-7090 (24-hour hotline)
>           Fax: +1 412-268-6989
>           Postal address:
>           CERT Coordination Center
>           Software Engineering Institute
>           Carnegie Mellon University
>           Pittsburgh PA 15213-3890
>           U.S.A.
>
>    CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4)
>    Monday through Friday; they are on call for emergencies during other
>    hours, on U.S. holidays, and on weekends.
>
> Using encryption
>
>    We strongly urge you to encrypt sensitive information sent by email.
>    Our public PGP key is available from http://www.cert.org/CERT_PGP.key.
>    If you prefer to use DES, please call the CERT hotline for more
>    information.
>
> Getting security information
>
>    CERT publications and other security information are available from
>    our web site http://www.cert.org/.
>
>    To be added to our mailing list for advisories and bulletins, send
>    email to cert-advisory-request@cert.org and include SUBSCRIBE
>    your-email-address in the subject of your message.
>
>    Copyright 1998 Carnegie Mellon University.
>    Conditions for use, disclaimers, and sponsorship information can be
>    found in http://www.cert.org/legal_stuff.html.
>
>    * CERT is registered in the U.S. Patent and Trademark Office
>    ______________________________________________________________________
>
>    NO WARRANTY
>    Any material furnished by Carnegie Mellon University and the Software
>    Engineering Institute is furnished on an "as is" basis. Carnegie
>    Mellon University makes no warranties of any kind, either expressed or
>    implied as to any matter including, but not limited to, warranty of
>    fitness for a particular purpose or merchantability, exclusivity or
>    results obtained from use of the material. Carnegie Mellon University
>    does not make any warranty of any kind with respect to freedom from
>    patent, trademark, or copyright infringement.
>      _________________________________________________________________
>
>    Revision History
>
> -----BEGIN PGP SIGNATURE-----
> Version: 2.6.2
>
> iQCVAwUBNn64knVP+x0t4w7BAQHd/wQAv+1cQif/KNdFZ1ObARzlJJUd9T0Za5WM
> GjZwrlYR3CIm+eByVbGGizCYTXzuiTjQdenKxfDXAXXwqZRIvFbpjU3qWY6kCicf
> BhTbvzOOIT/ROhr9fWRwPqqPMKUyUYaJCbeWYWeV6PFJ6fYhWrBihiE+yml4n1Xp
> k2lHvwHl9lE=
> =9kEz
> -----END PGP SIGNATURE-----
>

home help back first fref pref prev next nref lref last post