Bugtraq mailing list archives

Re: Denial of service attack against tcpdump


From: scut () NB IN-BERLIN DE (Sebastian)
Date: Wed, 3 May 2000 21:51:05 +0200


On Tue, May 02, 2000 at 07:46:33PM -0400, bretonh () PARANOIA PGCI CA wrote:

> Greetings.

Hi.

> There is a way to disable tcpdump running on a remote host.  By sending a
> carefully crafted UDP packet on the network which tcpdump monitors, it is
> possible, under certain circumstances, to make tcpdump fall into an infinite
> loop.

[...]

> If this jump offset is set to its own location and if a program trying to
> decompress the domain name does not have any type of counter or strategy to
> avoid infinite loops, then the program will jump to the same offset in the
> packet over and over again.

Known issue for about one year now. There are several other methods to take
tcpdump down, two others with domain names (zlip*.c) and one with IP header
length fiddling. A detailed description + exploits were posted already on
bugtraq, though at that time tcpdump had no maintainer and there was no
fix issued. Also Ethereal and other sniffers are affected by this.

> Cheers,
> Hugo Breton
> bretonh () pgci ca

ciao,
scut / teso

--
- scut () nb in-berlin de - http://nb.in-berlin.de/scut/ --- you don't need a --
-- lot of people to be great, you need a few great to be the best ------------
http://3261000594/scut/pgp - 5453 AC95 1E02 FDA7 50D2 A42D 427E 6DEF 745A 8E07
-- data in VK/USA Mayfly experienced, awaiting transfer location, hi echelon -
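The quoted paragraph above describes the mechanism: an RFC 1035 compression pointer (top two bits 11, followed by a 14-bit offset) that points at its own location, so a decompressor with no loop guard re-reads the same two bytes forever. The following is an added example written for this archive page; it is not tcpdump's, Ethereal's or the zlip exploit code, and it illustrates a guarded name decoder rather than the exact code path that hung. The packet bytes, the names `sample_pkt`, `decode_at` and `dns_name_decode`, and the `DNS_MAX_HOPS` bound are all constructed for the example. The loop guard used here is the rule that every pointer must land strictly below the lowest packet offset already visited while decoding this name; that is the property a legitimately compressed name always has (a pointer refers to a "prior occurrence"), it rejects a self-pointer outright, and it makes the number of hops finite because each hop lowers that floor. A plain "pointer must point backwards" check is not enough, and the last test case below shows why: a one-octet label can swallow the first byte of a pointer that then points back to that label.

```c
/* Guarded DNS name decompression: added example, not tcpdump code. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define DNS_MAX_NAME   255   /* RFC 1035 total name length */
#define DNS_MAX_LABEL  63    /* RFC 1035 label length */
#define DNS_MAX_HOPS   16    /* extra pointer-hop bound; the value is an assumption */

/*
 * Decode the name starting at pkt[off] into out in dotted form ("." for
 * the root).  Returns the number of bytes the name occupies at its
 * original position (so a caller can step past it), or -1 if the name is
 * truncated, over-long, uses a reserved label type, or carries a pointer
 * that does not point strictly below every offset visited so far.  That
 * last rule is the loop guard: a self-pointer fails it immediately, and
 * every accepted hop lowers `floor`, so at most `len` hops can happen.
 */
int dns_name_decode(const uint8_t *pkt, size_t len, size_t off,
                    char *out, size_t outsz)
{
    size_t pos = off, floor = off, outpos = 0, namelen = 0;
    int consumed = -1;             /* fixed when the first pointer is met */
    int hops = 0;

    for (;;) {
        if (pos >= len) return -1;
        if (pos < floor) floor = pos;
        uint8_t c = pkt[pos];

        if ((c & 0xC0) == 0xC0) {                       /* compression pointer */
            if (pos + 1 >= len) return -1;
            size_t target = ((size_t)(c & 0x3F) << 8) | pkt[pos + 1];
            if (consumed < 0) consumed = (int)(pos + 2 - off);
            if (target >= floor) return -1;             /* self-reference / loop */
            if (++hops > DNS_MAX_HOPS) return -1;       /* belt and braces */
            pos = target;
            continue;
        }
        if (c & 0xC0) return -1;                        /* 0x40/0x80: reserved */

        pos++;                                          /* past the length octet */
        if (c == 0) {                                   /* root label: done */
            if (consumed < 0) consumed = (int)(pos - off);
            if (outpos == 0) {
                if (outsz < 2) return -1;
                out[0] = '.'; out[1] = '\0';
            } else {
                out[outpos - 1] = '\0';                 /* drop trailing '.' */
            }
            return consumed;
        }
        if (c > DNS_MAX_LABEL) return -1;
        if (pos + c > len) return -1;                   /* label runs off the packet */
        namelen += c + 1;
        if (namelen + 1 > DNS_MAX_NAME) return -1;
        if (outpos + c + 1 >= outsz) return -1;
        memcpy(out + outpos, pkt + pos, c);
        outpos += c;
        out[outpos++] = '.';
        pos += c;
    }
}

/* Constructed packet (not a real capture) holding one well-formed name,
 * one legitimately compressed name, and three pointer loops. */
static const uint8_t sample_pkt[] = {
    /* 0: DNS header, contents irrelevant here */
    0x12, 0x34, 0x81, 0x80, 0, 1, 0, 1, 0, 0, 0, 0,
    /* 12: www.example.com, uncompressed */
    3, 'w', 'w', 'w', 7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0,
    /* 29: "mail" then a pointer to offset 16 (example.com) */
    4, 'm', 'a', 'i', 'l', 0xC0, 0x10,
    /* 36: a pointer to its own location, the case the thread describes */
    0xC0, 0x24,
    /* 38 and 40: two pointers referencing each other */
    0xC0, 0x28, 0xC0, 0x26,
    /* 42: one-octet label whose data is the first byte of a pointer at 44
       that points back to 42; "target < pos" alone would accept this */
    0x01, 0xC0, 0xC0, 0x2A,
    /* 46: padding */
    0, 0
};

static char last_name[DNS_MAX_NAME + 1];

/* Decode the name at `off` in sample_pkt into last_name. */
int decode_at(size_t off)
{
    return dns_name_decode(sample_pkt, sizeof sample_pkt, off,
                           last_name, sizeof last_name);
}

int main(void)
{
    static const size_t offsets[] = { 12, 29, 36, 38, 40, 44 };
    for (size_t i = 0; i < sizeof offsets / sizeof offsets[0]; i++) {
        int r = decode_at(offsets[i]);
        printf("offset %2zu: %s\n", offsets[i],
               r < 0 ? "rejected (malformed or pointer loop)" : last_name);
    }
    return 0;
}
```

A decoder that only bounds the hop count (as some fixes of that era did) also terminates, but it still does useless work on every crafted packet; the floor rule rejects the loop at the first bad pointer and costs one comparison. Either way, the point the thread makes stands: any parser of attacker-controlled compression pointers needs an explicit termination argument, not just trust in the packet.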


