what you don't know can hurt you

HexView Security Advisory 2004-06-30.2

HexView Security Advisory 2004-06-30.2
Posted Jun 30, 2004
Authored by HexView | Site netfilter.org

Sending crafted packets to a 2.6 series kernel with netfilter rules matching TCP options (using the --tcp-option match) may result in a Denial of Service.

tags | advisory, denial of service, kernel, tcp
advisories | CVE-2004-0626
MD5 | d833a45007f5ec8ad7ba3214e112fa2b

HexView Security Advisory 2004-06-30.2

Change Mirror Download
Date: Wed, 30 Jun 2004 12:57:17 +0200
From: Adam Osuchowski <adwol@polsl.gliwice.pl>
To: bugtraq@securityfocus.com
Subject: Remote DoS vulnerability in Linux kernel 2.6.x

1. Overview
-----------

There is a remotely exploitable bug in all Linux kernel 2.6 series due to
using incorrect variable type. Vulnerability is connected to netfilter
subsystem and may cause DoS. It's disclosed only when using iptables with
rules matching TCP options (i.e. --tcp-option). There is no difference
what action is taking up by matching rule.

Vulnerability was detected on i386 architecture. The other ones weren't tested
but it seems to be vulnerable too.

2. Details
----------

Problem lies in tcp_find_option() function (net/ipv4/netfilter/ip_tables.c).
There is local array `opt' defined as:

char opt[60 - sizeof(struct tcphdr)];

which contains TCP options extracted from packet. Function mentioned above
searches for specified option in this array.

Options in TCP packet, with some exceptions, are organized in the following
way:

Octet no. Length Field
-----------------------------
0 1 Opcode
1 1 Length of all option (N + 2)
2 N Params


The function iterates over options in array:

for (i = 0; i < optlen; ) {
if (opt[i] == option) return !invert;
if (opt[i] < 2) i++;
else i += opt[i+1]?:1;
}

moving counter by the option length.

But, in case the `length' value is greater than 127, the value of this octet
in `opt' is implicitly casted to char, which results in negative number and
the loop counter moving back. In some cases it is possible, that counter
cycles throught the contents of this array infinitely.

3. Impact
---------

After sending one suitably prepared TCP packet to victim host, kernel goes
into infinite loop consuming all CPU resources, rendering the box
unresponsable. Of course, there is no need to have a shell access to attacked
host.

4. Exploitation
---------------

Example of packet-of-death:

0x0000: 4500 0030 1234 4000 ff06 e83f c0a8 0001
0x0010: c0a8 0002 0400 1000 0000 0064 0000 0064
0x0020: 7000 0fa0 dc6a 0000 0204 05b4 0101 04fd

5. Fix
------

There is only need to change type of `opt' array from signed char to unsigned
(or, better to u_int8_t) as it was defined in 2.4 kernel or prior to version
1.16 of net/ipv4/netfilter/ip_tables.c file.

--- net/ipv4/netfilter/ip_tables.c.orig 2004-04-04 05:36:47.000000000 +0200
+++ net/ipv4/netfilter/ip_tables.c 2004-06-24 21:24:26.000000000 +0200
@@ -1461,7 +1461,7 @@
int *hotdrop)
{
/* tcp.doff is only 4 bits, ie. max 15 * 4 bytes */
- char opt[60 - sizeof(struct tcphdr)];
+ u_int8_t opt[60 - sizeof(struct tcphdr)];
unsigned int i;

duprintf("tcp_match: finding option\n");

6. Credits
----------

Vulnerability was discovered, identified and fixed by Adam Osuchowski
and Tomasz Dubinski.

--
## Adam Osuchowski adwol@polsl.gliwice.pl, adwol@silesia.linux.org.pl
## Silesian University of Technology, Computer Centre Gliwice, Poland

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

March 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    2 Files
  • 2
    Mar 2nd
    18 Files
  • 3
    Mar 3rd
    15 Files
  • 4
    Mar 4th
    12 Files
  • 5
    Mar 5th
    19 Files
  • 6
    Mar 6th
    8 Files
  • 7
    Mar 7th
    1 Files
  • 8
    Mar 8th
    1 Files
  • 9
    Mar 9th
    11 Files
  • 10
    Mar 10th
    15 Files
  • 11
    Mar 11th
    9 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    13 Files
  • 14
    Mar 14th
    10 Files
  • 15
    Mar 15th
    13 Files
  • 16
    Mar 16th
    27 Files
  • 17
    Mar 17th
    15 Files
  • 18
    Mar 18th
    23 Files
  • 19
    Mar 19th
    25 Files
  • 20
    Mar 20th
    10 Files
  • 21
    Mar 21st
    6 Files
  • 22
    Mar 22nd
    1 Files
  • 23
    Mar 23rd
    22 Files
  • 24
    Mar 24th
    15 Files
  • 25
    Mar 25th
    22 Files
  • 26
    Mar 26th
    20 Files
  • 27
    Mar 27th
    15 Files
  • 28
    Mar 28th
    10 Files
  • 29
    Mar 29th
    1 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close