Firewall Wizards mailing list archives

Re: tesrdrop attack


From: tqbf () secnet com
Date: Sat, 18 Apr 1998 01:40:11 -0500 (CDT)

> Can someone explain to me how the teardrop attack works?

It's a pointer arithmetic problem triggered by the receipt of overlapping
IP fragments. Essentially, on vulnerable kernels, if you send two
fragments of an IP packet that overlap, and the second fragment does not
contain enough data to align properly, the system will compute a "length"
variable that is less than zero, and then pass it directly to memcpy() as
a count of bytes to copy from the fragment. The "count" argument to
memcpy() is unsigned, meaning that the number "-1" is actually a very
large positive number, and the resulting copy operation causes the system
to crash.

-----------------------------------------------------------------------------
Thomas H. Ptacek                                        Secure Networks, Inc.
-----------------------------------------------------------------------------
http://www.enteract.com/~tqbf                           "mmm... sacrilicious"
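The length arithmetic described in the reply above, modelled as an added example (this is constructed illustration code, not from the original post and not from any kernel): a fragment that overlaps the tail of a previous one has the overlap trimmed from its length, the trimmed length goes negative, and the implicit conversion to size_t at the memcpy() call turns it into a huge copy count. The struct names, the naive_copy_count/checked_copy_count functions and the sample offsets are assumptions chosen to show the arithmetic; the hardened version simply refuses a fragment that contributes no new bytes.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of one step of IP fragment reassembly (not kernel code). */
struct frag {
    int offset;  /* byte offset of this fragment's payload within the datagram */
    int len;     /* number of payload bytes carried by this fragment */
};

/* Naive reassembler: trims the part of 'cur' already covered by 'prev' and
   returns the remaining byte count that would be handed to memcpy().
   If 'cur' lies entirely inside 'prev', the trim exceeds cur.len and the
   signed result goes negative. */
static int naive_copy_count(struct frag prev, struct frag cur) {
    int prev_end = prev.offset + prev.len;
    int overlap  = prev_end - cur.offset;   /* bytes of cur already present */
    if (overlap > 0) {
        cur.offset += overlap;              /* skip the overlapping prefix */
        cur.len    -= overlap;              /* may drop below zero */
    }
    return cur.len;                         /* caller: memcpy(dst, src, (size_t)len) */
}

/* Hardened reassembler: same trim, but a fragment with no new data is
   rejected (-1) instead of producing a negative count. */
static int checked_copy_count(struct frag prev, struct frag cur) {
    int prev_end = prev.offset + prev.len;
    int overlap  = prev_end - cur.offset;
    if (overlap > 0) {
        if (overlap >= cur.len)
            return -1;                      /* entirely overlapped: drop it */
        cur.offset += overlap;
        cur.len    -= overlap;
    }
    return cur.len;
}

/* What the signed count becomes once memcpy()'s size_t parameter sees it. */
static size_t as_memcpy_count(int n) {
    return (size_t)n;
}

int main(void) {
    struct frag prev = { 0, 36 };   /* constructed: first fragment covers bytes 0..35 */
    struct frag bad  = { 24, 4 };   /* constructed: second fragment covers 24..27, inside prev */
    struct frag ok   = { 30, 10 };  /* constructed: partial overlap, 4 new bytes */

    int n = naive_copy_count(prev, bad);
    printf("naive count: %d -> memcpy size %zu\n", n, as_memcpy_count(n));
    printf("checked count (bad): %d\n", checked_copy_count(prev, bad));
    printf("checked count (ok):  %d\n", checked_copy_count(prev, ok));
    return 0;
}
```

The printed memcpy size for the fully overlapped fragment is SIZE_MAX - 7 on a 64-bit build; the checked variant returns -1 for that fragment and 4 for the partially overlapping one, which is the only amount of new data it actually carries.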
