Message-ID: <20030201163502.38243.qmail@web21501.mail.yahoo.com>
From: keul_vrce at yahoo.com (amol wanjari)
Subject: Denial of Service Attack in Linux !!!


Hi folks,

Can DoS attacks be taken care of through cryptographic techniques?  If
they can be (in some cases? or in all cases?), give one example of
your answer. If they cannot be (in some cases? or in all cases?),
attempt a characterization of when/why cryptographic techniques are
not useful.

Linux 2.1.89 to 2.2.3 had a DoS attack based on the following code in
/usr/src/linux/net/ipv4/ip_fragment.c: (The * lines are essential to
the attack & the ? lines can be ignored if you desire.)


   ...

   // Copy data portions of all fragments (list *qp) into the new buffer (*ptr)

   *  fp = qp->fragments;// start of fragments
   *  count = qp->ihlen; // ip hdr length

   *  while(fp) {

   *   if ((fp->len < 0) || ((count + fp->len) > skb->len)) goto out_invalid;
          //skb: new netw buffer being prepared
   ?    memcpy((ptr + fp->offset), fp->ptr, fp->len);
        // copy from fragment to new buffer

   *    if (count == qp->ihlen) {
   *      skb->dst = dst_clone(fp->skb->dst);
            // add to a 4K cache of routing entries (dst)
            // dst: abbr for destination
   ?      skb->dev = fp->skb->dev;
        }

   *     count += fp->len;
   *     fp = fp->next;
      }

   ?  out_invalid: printk(KERN_ERR,...)

   ...

   extern __inline__
   struct dst_entry * dst_clone(struct dst_entry * dst) {
   *  if (dst)
   *    atomic_inc(&dst->use);
   *  return dst;
   }

The attacker manufactures fragments with length zero. Explain how the attack
succeeds. What could be the fix? (Hint: add exactly one char in a * line!)


++Keul++
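An added userspace model of the loop quoted above (example code, not the kernel's nor the poster's): a zero-length fragment leaves count equal to qp->ihlen, so the "first fragment" branch fires again, dst_clone takes another reference, and the previous skb->dst pointer is dropped without ever being released. The strict flag applies the one-character fix the hint points at. The struct layouts, the 20-byte IP header and the constructed fragment lengths are assumptions.

```c
/* Userspace model of the ip_fragment.c loop quoted in the post; not kernel
 * code. dst_clone, count, ihlen and fp mirror the post's names (assumed). */
#include <stdio.h>
#include <stdlib.h>

struct dst_entry { int use; };                      /* routing-cache refcount */
struct frag { int len; struct frag *next; struct dst_entry *dst; };

static struct dst_entry *dst_clone(struct dst_entry *dst)
{
    if (dst) dst->use++;                            /* atomic_inc(&dst->use)  */
    return dst;
}

/* Walk the fragment list as the quoted loop does. strict=1 applies the
 * one-character fix (len < 0 becomes len <= 0). Returns -1 when the loop
 * bails to out_invalid, else the number of dst references it took. A
 * correct reassembly takes exactly one; the reassembled skb is freed (and
 * releases its dst) only once, so every extra reference is leaked.       */
int reassemble_refs(struct frag *fp, int ihlen, int skb_len, int strict)
{
    int count = ihlen, before = fp ? fp->dst->use : 0;
    struct dst_entry *head = fp ? fp->dst : NULL, *skb_dst = NULL;

    while (fp) {
        if ((strict ? fp->len <= 0 : fp->len < 0) || count + fp->len > skb_len)
            return -1;                              /* goto out_invalid       */
        if (count == ihlen)                         /* meant to fire once; a  */
            skb_dst = dst_clone(fp->dst);           /* 0-length frag repeats it */
        count += fp->len;
        fp = fp->next;
    }
    (void)skb_dst;                                  /* old pointers were lost */
    return head ? head->use - before : 0;
}

/* Build a fragment chain from constructed lengths; report refs taken. */
int refs_for_lengths(const int *lens, int n, int strict)
{
    struct dst_entry dst = { 1 };                   /* cache holds one ref    */
    struct frag *f = calloc(n ? n : 1, sizeof *f);
    int total = 20, i, r;                           /* assumed 20-byte IP hdr */
    for (i = 0; i < n; i++) {
        f[i].len = lens[i]; f[i].dst = &dst;
        f[i].next = i + 1 < n ? &f[i + 1] : NULL;
        total += lens[i] > 0 ? lens[i] : 0;
    }
    r = reassemble_refs(n ? f : NULL, 20, total, strict);
    free(f);
    return r;
}

int main(void)
{
    int normal[] = { 8, 8 }, zeros[] = { 0, 0, 0, 8 };
    printf("normal:       %d ref(s) taken\n", refs_for_lengths(normal, 2, 0));
    printf("zero-len bug: %d ref(s) taken\n", refs_for_lengths(zeros, 4, 0));
    printf("zero-len fix: %d (rejected)\n", refs_for_lengths(zeros, 4, 1));
    return 0;
}
```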


