[9226] in bugtraq
Re: Win98 Crash?
daemon@ATHENA.MIT.EDU (dorqus maximus)
Tue Jan 26 13:17:30 1999
Date: Mon, 25 Jan 1999 14:31:54 -0500
Reply-To: dorqus maximus <dorqus@FREEK.COM>
From: dorqus maximus <dorqus@FREEK.COM>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <36AC117330C.1E16DEFCON0@210.157.158.133>; from DEF CON ZERO
WINDOW on Mon, Jan 25, 1999 at 03:38:43PM +0900
DEF CON ZERO WINDOW wrote...
> But, because value is wrong, this "oshare packet" can't be transmitted
> to the outside of the network. This is here well, and it is here badly,
> too. But, even whose machine will be able to be killed in the same
> segment.
This oshare.c code may have crashed our Checkpoint Firewall-1, version 3.0b,
Build Number: 3083. (Sun Sparc, Solaris 2.5.1)
After running it I lost internet connectivity and saw
the following on the console of our firewall server:
FW-1: packet size too big (131060) from 0x01010101, ip_p=17
FW-1: packet size too big (131060) from 0x01010101, ip_p=17
FW-1: packet size too big (131060) from 0x01010101, ip_p=17
FW-1: packet size too big (131060) from 0x01010101, ip_p=17
FW-1: packet size too big (131060) from 0x01010101, ip_p=17
FW-1: packet size too big (131060) from 0x01010101, ip_p=17
FW-1: packet size too big (131060) from 0x01010101, ip_p=17
FW-1: packet size too big (131060) from 0x01010101, ip_p=17
FW-1: packet size too big (131060) from 0x01010101, ip_p=17
FW-1: packet size too big (131060) from 0x01010101, ip_p=17
FW-1: packet size too big (131060) from 0x01010101, ip_p=17
The machine could not be soft booted and needed to be hard booted
(power cycled).
I will not (or cannot) try and duplicate this, since I can't afford
to crash our firewall again :)
To give a brief network sketch:
Linux Box (running oshare) -> Router -- Frame Relay -> Router
-> Firewall-1 machine -> Dest Win98 box
I cannot confirm that this program crashed our firewall, but I would say
it's a safe bet.
I'm no C programmer, but I think this part here is the guilty part:
(Line 65 or so)
ip->frag_off = htons( 16383 );
ip->ttl = 0xff;
ip->protocol = IPPROTO_UDP;
ip->saddr = htonl( inet_addr( "1.1.1.1" ) );
ip->daddr = dst_addr;
ip->check = in_cksum( ( u_short *)ip, 44 );
YMMV, of course.
Dorqus
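
The field values quoted in the message, checked from the receiving side. This is an added example, not part of the original post or of oshare.c. frag_off = htons(16383) is 0x3FFF on the wire: the more-fragments bit plus the maximum 13-bit offset (8191 units of 8 bytes, 65528 bytes), so almost any payload ends past the 65535-byte limit of an IPv4 datagram. The total length of 44 is an assumption taken from the 44 bytes passed to in_cksum, the destination 192.0.2.1 is constructed, and the function and constant names are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IP_MAX_DATAGRAM 65535u /* largest datagram a 16-bit length can describe */
enum frag_verdict { FRAG_MALFORMED = -1, FRAG_OK = 0, FRAG_OVERSIZE = 1 };

/* Constructed headers: frag_off 0x3FFF as in the post, and MF with offset 0. */
static const uint8_t SAMPLE_BAD[20] = { 0x45, 0x00, 0x00, 0x2c, 0x00, 0x00, 0x3f, 0xff,
    0xff, 0x11, 0x00, 0x00, 1, 1, 1, 1, 192, 0, 2, 1 };
static const uint8_t SAMPLE_OK[20] = { 0x45, 0x00, 0x00, 0x2c, 0x00, 0x00, 0x20, 0x00,
    0xff, 0x11, 0x00, 0x00, 1, 1, 1, 1, 192, 0, 2, 1 };

/* Read a big-endian 16-bit field from the wire. */
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/*
 * Decide whether the fragment described by one IPv4 header would end past
 * byte 65535 of the reassembled datagram. The checksum is not verified.
 * end_out (optional) receives the size the reassembled datagram would need.
 */
enum frag_verdict check_fragment(const uint8_t *pkt, size_t caplen, uint32_t *end_out)
{
    if (caplen < 20 || (pkt[0] >> 4) != 4)
        return FRAG_MALFORMED;
    uint32_t ihl = (uint32_t)(pkt[0] & 0x0f) * 4;  /* header length in bytes */
    uint32_t tot_len = be16(pkt + 2);              /* header + payload of this fragment */
    if (ihl < 20 || ihl > caplen || tot_len < ihl)
        return FRAG_MALFORMED;
    uint32_t offset = (uint32_t)(be16(pkt + 6) & 0x1fff) * 8; /* low 13 bits, 8-byte units */
    uint32_t end = ihl + offset + (tot_len - ihl);
    if (end_out)
        *end_out = end;
    return end > IP_MAX_DATAGRAM ? FRAG_OVERSIZE : FRAG_OK;
}

int main(void)
{
    uint32_t end = 0;
    int v = check_fragment(SAMPLE_BAD, sizeof SAMPLE_BAD, &end);
    printf("frag_off 0x3fff: verdict %d, reassembled size %u\n", v, (unsigned)end);
    v = check_fragment(SAMPLE_OK, sizeof SAMPLE_OK, &end);
    printf("frag_off 0x2000: verdict %d, reassembled size %u\n", v, (unsigned)end);
    return 0;
}
```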