Vulnerability Development mailing list archives

Re: Naptha - New DoS


From: M ixter <mixter () 2XS CO IL>
Date: Fri, 8 Dec 2000 16:42:05 +0200


I personally find it a bit questionable to release such an advisory
and give only so little technical information about the vulnerability;
how is anyone supposed to understand and protect against it then?
Sounds to me like "we found the ultimate IP stack bug, be afraid, be
very afraid, but no, we're not going to tell you more about it."

Anyways, I understand the Naptha vulnerability is caused by sending
short packets, or parts of packets, that tell us they have a different
internal / total length, belong to a different offset, and so on....?

With the very little information available, I modified a test tool that uses
semi-"random" packets to find IP stack vulnerabilities, to implement
such things. I limited it to TCP since it looks like the vulnerability
is specific to TCP or has more effect for TCP connections. Also, you
can select a specific port. This tool is just for testing, and only
for Linux. Also, to get the "real" malicious data, you probably have to
recompile your kernel (an appropriate patch is at the end of the source)...

I will personally test it later; without the IP stack patch I just got a
lot of kernel error messages with it. Oh yeah, tcpdump didn't seem to parse
some of the packets produced correctly, as shown below:

16:21:22.380013 > [|ip]
16:21:22.383177 > 75.241.52.119.42227 > 10.0.0.6.47024: SR 536870912:536870999(87) win 48451 urg 44971
16:21:24.235060 > [|tcp]
16:21:24.260242 > [|ip]
16:21:24.257134 > 255.76.14.98 > 10.0.0.6: (frag 7204:370@61792)
16:21:24.225623 > 244.62.155.55 > 10.0.0.6: (frag 1715:130@32)
16:21:24.310640 > [|tcp]


Any feedback welcome...

Mixter

-----------------------------------------------------------------
Mixter <mixter () 2xs co il>, Senior Security Engineer, www.2xss.com
    2XS Ltd. - Taking full disclosure security to a new level.
-----------------------------------------------------------------
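Added example, not part of Mixter's post or of the targa3 tool: a small Python classifier run over the seven tcpdump lines quoted above, picking out the conditions a defender reviewing a capture like this would want flagged: headers too short for tcpdump to decode (`[|ip]`, `[|tcp]`), non-initial IP fragments, TCP flag combinations that never occur in a legitimate connection (SYN together with RST), a sequence range that disagrees with the printed payload length, and source addresses in reserved space. The line layout assumed is the tcpdump 3.x style shown in the post; the `> ` following the timestamp is treated as optional, on the assumption that it is archive quoting rather than tcpdump output. The extra test lines in the test are constructed.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: the seven tcpdump lines quoted in the post above, copied verbatim.
SAMPLE_LINES = [
    "16:21:22.380013 > [|ip]",
    "16:21:22.383177 > 75.241.52.119.42227 > 10.0.0.6.47024: SR 536870912:536870999(87) win 48451 urg 44971",
    "16:21:24.235060 > [|tcp]",
    "16:21:24.260242 > [|ip]",
    "16:21:24.257134 > 255.76.14.98 > 10.0.0.6: (frag 7204:370@61792)",
    "16:21:24.225623 > 244.62.155.55 > 10.0.0.6: (frag 1715:130@32)",
    "16:21:24.310640 > [|tcp]",
]

IP = r"\d+(?:\.\d+){3}"
# "[|ip]" / "[|tcp]": the captured header was too short for tcpdump to decode.
TRUNC_RE = re.compile(r"\[\|(ip|tcp)\]")
# "(frag id:len@offset)" is tcpdump's rendering of a non-initial IP fragment;
# the offset is printed in bytes, a trailing "+" means more fragments follow.
FRAG_RE = re.compile(
    rf"^(?P<ts>\S+) (?:> )?(?P<src>{IP}) > (?P<dst>{IP}): "
    r"\(frag (?P<id>\d+):(?P<len>\d+)@(?P<off>\d+)\+?\)"
)
# "src.port > dst.port: FLAGS seq:end(len) ..." for a decoded TCP segment.
TCP_RE = re.compile(
    rf"^(?P<ts>\S+) (?:> )?(?P<src>{IP})\.(?P<sport>\d+) > (?P<dst>{IP})\.(?P<dport>\d+): "
    r"(?P<flags>[SFRPUW.]+) (?P<seq>\d+):(?P<end>\d+)\((?P<plen>\d+)\)"
)


def _source_findings(src):
    """Flag a source address that can never belong to a real unicast sender."""
    a = ipaddress.ip_address(src)
    if a.is_reserved or a.is_multicast or a.is_unspecified or a.is_loopback:
        return [("bogon_source", f"{src} is not a valid unicast source")]
    return []


def classify(line):
    """Return a list of (kind, detail) findings for one tcpdump line."""
    findings = []
    m = TRUNC_RE.search(line)
    if m:
        findings.append(("truncated", f"{m.group(1)} header too short for tcpdump to decode"))
        return findings
    m = FRAG_RE.match(line)
    if m:
        off, length = int(m.group("off")), int(m.group("len"))
        findings.append(("fragment", f"id={m.group('id')} len={length} offset={off}"))
        if off + length > 65535:
            findings.append(("bad_fragment", "reassembled datagram would exceed 65535 bytes"))
        findings.extend(_source_findings(m.group("src")))
        return findings
    m = TCP_RE.match(line)
    if m:
        flags = m.group("flags")
        if "S" in flags and "R" in flags:
            findings.append(("bad_flags", "SYN and RST set together"))
        if "S" in flags and "F" in flags:
            findings.append(("bad_flags", "SYN and FIN set together"))
        seq, end, plen = (int(m.group(k)) for k in ("seq", "end", "plen"))
        if end - seq != plen:
            findings.append(("bad_length", f"seq range covers {end - seq} bytes but length is {plen}"))
        findings.extend(_source_findings(m.group("src")))
    return findings


def analyze(lines):
    """Run classify() over every line; returns [(line_number, kind, detail), ...]."""
    return [(n, kind, detail) for n, line in enumerate(lines, 1) for kind, detail in classify(line)]


def summarize(lines):
    """Count findings by kind, e.g. {'truncated': 4, 'fragment': 2, ...}."""
    return dict(Counter(kind for _, kind, _ in analyze(lines)))


if __name__ == "__main__":
    for n, kind, detail in analyze(SAMPLE_LINES):
        print(f"line {n}: {kind}: {detail}")
    print(summarize(SAMPLE_LINES))
```

On the quoted sample this reports four truncated headers, two fragments, one SYN+RST segment and two reserved-space sources (the two 240.0.0.0/4 addresses); the sequence range 536870912:536870999 does agree with the printed length of 87, so no length finding is raised. A real deployment would feed it `tcpdump -l` output rather than a fixed list, but the checks are the same.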

Attachment: targa3-naptha.c