OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Chris Gragsone (maetricsrealwarp.net)
Date: Wed Dec 05 2001 - 11:04:51 CST

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    IPRoute Fragmentation Denial of Service Vulnerability
    by Chris Gragsone and The TechnoDragon
    Foot Clan

    Date: December 2, 2001
    Advisory ID: Foot-20011202
    Impact of vulnerability: Denial of Service
    Exploitable: Remotely
    Maximum Risk: Moderate

    Affected Software:
    IPRoute v1.18
    IPRoute v0.974
    IPRoute v0.973

    Vulnerability Description:

    IPRoute, by David F. Mischler, is PC-based router software for networks
    running the Internet Protocol (IP). It can act as a dial on demand or
    dedicated router between a LAN and a PPP, SLIP, ethernet, wireless IP or
    cablemodem link and allow transparent access from a LAN to the Internet
    using a single IP address through Network Address Translation (NAT).
    IPRoute can also act as a PPP server for dialup connections or route
    between LANs.

    The implementation of the router in IPRoute does not correctly handle
    tiny fragmented packets, which split up the tcp header. If a series of
    tiny fragmented packets were recieved by IPRoute, it would cause IPRoute
    to fail. IPRoute could be put back into normal service by restarting the
    interface, but all connections during the attack would drop. It is not
    necessary for the attacker to establish a session through IPRoute in
    order to exploit this vulnerability.
    ZapNET! firewalls are based on IPRoute and may also be vulnerable.

    The specific sequence of data packets involved with this vulnerability
    cannot be generated as part of a legitimate connection.

    Vulnerability Reproduction:
    Simply "nmap -sS -f ip-address". IPRoute will be unable to send or
    receive via the interface affected until it is manually restarted.

    References:
    http://www.trunkmonkey.com/homenetwork/iproute/
    http://www.sans.org/infosecFAQ/threats/frag_attacks.htm

    Contact:
    http://footclan.realwarp.net Chris Gragsone (maetricsrealwarp.net)
    The TechnoDrgon (tdragonmailandnews.com)

    Disclaimer:
    The contents of this advisory are copyright (c)2001 Foot Clan and may be
    distributed freely provided that no fee is charged for this distribution
    and proper credit is given.