[27381] in bugtraq


nylon 0.2 (0.3?) DoS

daemon@ATHENA.MIT.EDU (3APA3A)
Thu Oct 10 14:51:09 2002

Date: Thu, 10 Oct 2002 17:58:55 +0400
From: 3APA3A <3APA3A@SECURITY.NNOV.RU>
Reply-To: 3APA3A <3APA3A@SECURITY.NNOV.RU>
Message-ID: <169-1020171880.20021010175855@SECURITY.NNOV.RU>
To: bugtraq@securityfocus.com
Resent-From: 3APA3A <3APA3A@SECURITY.NNOV.RU>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Dear bugtraq@,

I found this bug in nylon 0.2, but according to the CVS logs it was already
fixed in the nylon project on Tue Jun 25 00:27:07 2002 UTC (3 months, 2 weeks
ago), http://mesh.eecs.umich.edu/cvsweb/nylon/ So, just update to a newer
version.

Details:

#if defined(SENDN) || defined(RECVN)
ssize_t
#if defined(RECVN)
recvn
#elif defined(SENDN)
sendn
#endif
(int s, void *buf, size_t len, int flags)
{
        unsigned bytes = 0, bytes_left = len;
        
        while (bytes_left > 0) {
                if ( (bytes =
                          #if defined(RECVN)
                          recv
                          #elif defined(SENDN)
                          send
                          #endif
                          (s, buf+(len-bytes_left), bytes_left, flags)) != -1 )
                        bytes_left -= bytes;
                else
                        return -1;
        }
        return len;
}
#endif /* defined(SENDN) || defined(RECVN) */


This function fails to check whether recv() returns 0. The problem arises if
the remote side closes the connection during recv(). In this case all recv()
calls for the socket always return 0. The program enters an endless loop with
100% CPU usage. There is no timeout of any kind. Exploit is trivial.
nylon is in the ports collection for FreeBSD and probably other systems.

References:

[1] Nylon 0.2 DoS source code (Unix/Windows)
    http://www.security.nnov.ru/files/3nylont.c
[2] Different Proxy-related software
    http://www.security.nnov.ru/soft


/ZARAZA
http://www.security.nnov.ru
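
Added example, not part of the original post and not nylon's actual fix: a read loop that treats a 0 return from recv() as end of stream and stops, so a peer that closes early cannot make it spin. The names recvn_checked and demo_peer_closes_early are hypothetical, and the demo input is constructed with socketpair().

```c
#include <errno.h>
#include <stddef.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <unistd.h>

/* Read up to len bytes, stopping early if the peer closes the connection.
 * Returns the number of bytes read (a short count means EOF arrived
 * before len bytes), or -1 on a socket error. */
ssize_t recvn_checked(int s, void *buf, size_t len, int flags)
{
    size_t done = 0;

    while (done < len) {
        /* Signed result, so 0 (EOF) and -1 (error) stay distinguishable. */
        ssize_t n = recv(s, (char *)buf + done, len - done, flags);
        if (n == 0)
            break;              /* orderly shutdown by peer: stop, do not loop */
        if (n < 0) {
            if (errno == EINTR)
                continue;       /* interrupted by a signal: retry */
            return -1;
        }
        done += (size_t)n;
    }
    return (ssize_t)done;
}

/* Constructed demo: the peer sends 3 of the 8 expected bytes, then closes.
 * Returns what recvn_checked() reports, or -2 if the setup itself fails. */
ssize_t demo_peer_closes_early(void)
{
    int sv[2];
    char buf[8];
    ssize_t got;

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return -2;
    if (write(sv[1], "abc", 3) != 3) { close(sv[0]); close(sv[1]); return -2; }
    close(sv[1]);               /* the remote side closes the connection */
    got = recvn_checked(sv[0], buf, sizeof buf, 0);
    close(sv[0]);
    return got;                 /* short count instead of an endless loop */
}

int main(void) { return demo_peer_closes_early() == 3 ? 0 : 1; }
```

Callers must compare the return value against len and treat a short count as a truncated message. Setting SO_RCVTIMEO on the socket additionally bounds how long a silent peer can hold the loop, since recv() then fails and the function returns -1.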

