Date: Mon, 23 Aug 1999 11:21:25 -0400 (EDT)
From: yenming@andrew.cmu.edu
To: FreeBSD-gnats-submit@freebsd.org
Subject: ports/13334: [ports] net/argus-1.7-beta-1e
Message-ID: <199908231521.LAA05809@pc42235.ini.cmu.edu>
>Number:         13334
>Category:       ports
>Synopsis:       remote scanning can cause argus to dump core and exit.
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-ports
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Aug 23 08:30:01 PDT 1999
>Closed-Date:
>Last-Modified:
>Originator:     Yen-Ming Chen
>Release:        FreeBSD 3.2-STABLE i386
>Organization:   Information Networking Institute, CMU
>Environment:
>Description:
A remote TCP FIN scan using fragmented IP packets causes argus to dump core and exit with signal 11 (segmentation fault). This means an intruder can first scan a host running argus to disable its network monitoring, then continue with other planned attacks.
>How-To-Repeat:
run argus as:
	argus -d 30 -w /some/log/file &
run nmap from another machine as:
	nmap -vv -sF -f <target_ip>
then watch the system log file (messages)
>Fix:
According to gdb and the core file, the problem is in line 179 of cons_ip.c. The original gdb log is included; no known patches yet:

This GDB was configured as "i386-unknown-freebsd"...
Core was generated by `argus.debug'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /usr/lib/libpcap.so.2...done.
Reading symbols from /usr/local/lib/libwrap.so.7...done.
Reading symbols from /usr/lib/libc.so.3...done.
Reading symbols from /usr/libexec/ld-elf.so.1...done.
#0  argus_ip_handler (ep=0x805678a, ip=0x8056798, length=46, tvp=0xbfbfdaac) at ./cons_ip.c:179
179	            obj->ip_cb.status |= FRAGMENTS;
(gdb) bt
#0  argus_ip_handler (ep=0x805678a, ip=0x8056798, length=46, tvp=0xbfbfdaac) at ./cons_ip.c:179
#1  0x804ce4c in cons_ether_packet (user=0x0, h=0x8056778, p=0x805678a "") at ./cons_ether.c:114
#2  0x10074108 in pcap_read () from /usr/lib/libpcap.so.2
#3  0x804dbc4 in argus_loop (p=0x8053000, callback=0x804cdb8 <cons_ether_packet>) at ./argus_util.c:135
#4  0x80495ec in main (argc=5, argv=0xbfbfdb94) at ./argus.c:157
#5  0x804924d in _start ()
(gdb) l
174	        }
175	        if (ip->ip_off & IP_MF) {
176	            if (frag = cons_frag (ep, ip, len, tvp)) {
177	                frag->obj = (struct OBJECT *) obj;
178	                frag->frag_cb.status |= FRAG_OUT_OF_ORDER;
179	                obj->ip_cb.status |= FRAGMENTS;
180	            }
181	        }
182	    } else {
183	        if (frag = cons_frag (ep, ip, len, tvp)) {
>Release-Note:
>Audit-Trail:
>Unformatted:
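The trace faults at line 179, which dereferences only obj (line 178 had just dereferenced frag successfully), so the flow object pointer is NULL or otherwise invalid when a fragment arrives. The following is an added example, not argus code: a small model of that dispatch step that parses ip_off from a constructed IPv4 header and refuses a missing flow object instead of dereferencing it. All struct and function names are hypothetical; the flag values match <netinet/ip.h>.

```c
/* Added example, not argus code: model of the fragment dispatch at the crash
   site in the PR. Names are hypothetical; IP_MF/IP_OFFMASK as in <netinet/ip.h>. */
#include <stdint.h>
#include <stddef.h>

#define IP_MF      0x2000   /* "more fragments" flag */
#define IP_OFFMASK 0x1fff   /* fragment offset, in 8-byte units */
#define FRAGMENTS  0x01     /* flag set on the flow object at cons_ip.c:179 */

enum { HANDLED = 0, NO_FLOW = -1, NOT_A_FRAGMENT = -2 };

struct flow { unsigned status; };   /* stands in for the PR's obj->ip_cb */

/* ip_off is bytes 6-7 of the IPv4 header, big-endian. */
static uint16_t ip_off(const uint8_t *hdr) { return (uint16_t)(hdr[6] << 8 | hdr[7]); }

/* A packet is a fragment if MF is set or the offset is non-zero. */
int is_fragment(const uint8_t *hdr) {
    return (ip_off(hdr) & (IP_MF | IP_OFFMASK)) != 0;
}

/* Hardened dispatch: the check the crash site lacks. With obj == NULL the
   original line 179 would fault; here it returns NO_FLOW and drops nothing else. */
int mark_fragmented(const uint8_t *hdr, struct flow *obj) {
    if (!is_fragment(hdr)) return NOT_A_FRAGMENT;
    if (obj == NULL) return NO_FLOW;
    obj->status |= FRAGMENTS;
    return HANDLED;
}

/* Constructed headers (not captured): the first and second 8-byte pieces of a
   fragmented TCP header, and an unfragmented packet with DF set. */
static const uint8_t frag_first[20] = {
    0x45,0x00,0x00,0x1c, 0xab,0xcd, 0x20,0x00, 0x40,0x06,0x00,0x00,
    10,0,0,1, 10,0,0,2 };                /* flags=MF, offset 0 */
static const uint8_t frag_second[20] = {
    0x45,0x00,0x00,0x1c, 0xab,0xcd, 0x00,0x01, 0x40,0x06,0x00,0x00,
    10,0,0,1, 10,0,0,2 };                /* flags=0, offset 1 (8 bytes) */
static const uint8_t whole[20] = {
    0x45,0x00,0x00,0x28, 0xab,0xcd, 0x40,0x00, 0x40,0x06,0x00,0x00,
    10,0,0,1, 10,0,0,2 };                /* flags=DF, not a fragment */

/* which: 0 = first fragment, 1 = second fragment, 2 = whole packet.
   have_flow = 0 reproduces the crash scenario (no flow object yet). */
int scenario(int which, int have_flow) {
    struct flow f = {0};
    const uint8_t *hdr = which == 0 ? frag_first : which == 1 ? frag_second : whole;
    return mark_fragmented(hdr, have_flow ? &f : NULL);
}
```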