2002-10-19 19:12:39

by date

Subject: Fragmentation DoS?

To whom this may concern:

It seems that when I run fragrouter-1.7 with a combination of
-F3, -F4, -F5, and -T7 options, my linux kernel 2.4.18 will
crash. I've tested this with fragrouter's 1.6 and 1.5, but have
not yet been able to crash my kernel. To crash my 2.4.18 remotely
with fragrouter 1.7 it usually takes about 15-20 tries. Maybe there
is some sort of race condition occurring? I have also tried to
crash my linux 2.2.x series kernels but have failed.

Here are the sources I have been testing with:
http://www.anzen.com/archive/research/fragrouter-1.7.tar.gz
http://www.anzen.com/archive/research/fragrouter-1.6.tar.gz

Here is the kernel oops message that I grabbed from messages:

general protection fault: 0000
CPU: 0
EIP: 0010:[<c0141099>] Not tainted
EFLAGS: 00010246
eax: 00000000 ebx: ffffffff ecx: 00000018 edx: c0141080
esi: c12c3e30 edi: ffffffff ebp: ffffffff esp: cfc95db0
ds: 0018 es: 0018 ss: 0018
Process sshd (pid: 59, stackpage=cfc95000)
Stack: 00000000 c0feb020 c01284ca ffffffff c12c3e30 00000001 00000001 000000f0
c0feb000 c139c1a0 00000080 00000000 00000008 c12c3e30 00000246 c12c3e38
000000f0 c01285f9 c12c3e30 000000f0 c0178612 00000000 00000000 00000008
Call Trace: [<c01284ca>] [<c01285f9>] [<c0178612>] [<c0131a84>] [<c0131b46>]
[<c0131d88>] [<c0132428>] [<c01231fd>] [<c0123298>] [<c0151aa0>] [<c01238a5>]
[<c0123c03>] [<c012403c>] [<c0123f40>] [<c012fd56>] [<c012fca9>] [<c01087eb>]

Code: f3 ab c7 43 48 00 00 00 00 8d 53 48 8d 43 4c 89 42 04 89 42

Thanks for your time

- nobu


2002-10-19 21:01:48

by Matti Aarnio

Subject: Re: Fragmentation DoS?

On Sun, Oct 20, 2002 at 04:18:12AM +0900, date wrote:
...
> Here is the kernel oops message that I grabbed from messages:

This oops report is valid for your system, but provides no useful
data, as actual memory layouts in different systems do vary. See:

http://www.tux.org/lkml/#s4-3

Then post again.

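As an added example (not from the thread or any of its posters), here is a minimal version of what ksymoops does with a raw oops: resolve every `[<addr>]` in the EIP and Call Trace lines against a System.map, which is why the dump alone is useless without the map from the crashing machine. The System.map below is constructed, with invented symbol names and addresses chosen only to bracket the addresses in the posted oops; it is not the poster's 2.4.18 layout.

```python
import bisect
import re

# Constructed System.map excerpt (assumption: invented symbols, not a real
# 2.4.18 kernel). Real System.map layout is "<hex addr> <type> <symbol>".
SYSTEM_MAP = """\
c0108000 T fake_entry
c01087c0 T fake_signal
c0123180 T fake_kfree
c0128400 T fake_read_a
c0128500 T fake_read_b
c0131a00 T fake_free_pages
c0141080 T fake_reasm
c0141100 T fake_destroy
c0178600 T fake_sock_read
"""

# Lines taken from the oops posted in the thread (trace truncated).
OOPS = """\
general protection fault: 0000
EIP: 0010:[<c0141099>] Not tainted
Call Trace: [<c01284ca>] [<c01285f9>] [<c0178612>] [<c0131a84>]
[<c0131b46>]
"""

def parse_system_map(text):
    """Return a sorted list of (address, symbol) from System.map text."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            entries.append((int(parts[0], 16), parts[2]))
    return sorted(entries)

def resolve(addr, entries):
    """Map addr to 'symbol+offset/size' (ksymoops style); None if below map."""
    addrs = [a for a, _ in entries]
    i = bisect.bisect_right(addrs, addr) - 1
    if i < 0:
        return None
    base, name = entries[i]
    if i + 1 < len(entries):          # size = distance to the next symbol
        return "%s+0x%x/0x%x" % (name, addr - base, entries[i + 1][0] - base)
    return "%s+0x%x" % (name, addr - base)  # last symbol: size unknown

def decode_oops(oops_text, map_text):
    """Return [(hex_addr, resolved)] for every [<addr>] in the oops."""
    entries = parse_system_map(map_text)
    return [(m.group(1), resolve(int(m.group(1), 16), entries))
            for m in re.finditer(r"\[<([0-9a-f]{8})>\]", oops_text)]
```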

2002-10-25 15:35:54

by Juri Haberland

Subject: Re: Fragmentation DoS?

In article <[email protected]> you wrote:
> To whom this may concern:
>
> It seems that when I run fragrouter-1.7 with a combination of
> -F3, -F4, -F5, and -T7 options, my linux kernel 2.4.18 will
> crash. I've tested this with fragrouter's 1.6 and 1.5, but have
> not yet been able to crash my kernel. To crash my 2.4.18 remotely
> with fragrouter 1.7 it usually takes about 15-20 tries. Maybe there
> is some sort of race condition occurring? I have also tried to
> crash my linux 2.2.x series kernels but have failed.
>
> Here are the sources I have been testing with:
> http://www.anzen.com/archive/research/fragrouter-1.7.tar.gz
> http://www.anzen.com/archive/research/fragrouter-1.6.tar.gz

You did read http://online.securityfocus.com/archive/1/296407 , did you?

Fragrouter-1.7 is a trojan!

Regards,
Juri

--
Juri Haberland <[email protected]>

2002-10-25 16:31:52

by Mike Dresser

Subject: Re: Fragmentation DoS?

On Fri, 25 Oct 2002, Juri Haberland wrote:

> You did read http://online.securityfocus.com/archive/1/296407 , did you?
>
> Fragrouter-1.7 is a trojan!

Furthermore, if you look at
http://marc.theaimsgroup.com/?l=cisco-nsp&m=103515530331228&w=2, you'll
see this person cut/pasted and changed a few words.

And the second link on the securityfocus page is that very lkml post :)

Mike

2002-10-25 16:41:35

by Mike Dresser

Subject: Re: Fragmentation DoS?

On Fri, 25 Oct 2002, Juri Haberland wrote:

> Arghl, I didn't look at the date (I had quite a bit of backlog with
> respect to lkml...)
>
> How embarrassing.
>
> Sorry for the noise,
> Juri

I wouldn't consider this noise at all, I don't remember anyone
commenting on it. It's a good reminder to not believe everything that's
said on the internet :)

Now we're getting into noise :)

Mike

2002-10-25 16:37:35

by Juri Haberland

Subject: Re: Fragmentation DoS?

Mike Dresser wrote:

> Furthermore, if you look at
> http://marc.theaimsgroup.com/?l=cisco-nsp&m=103515530331228&w=2, you'll
> see this person cut/pasted and changed a few words.
>
> And the second link on the securityfocus page is that very lkml post :)
Arghl, I didn't look at the date (I had quite a bit of backlog with
respect to lkml...)

How embarrassing.

Sorry for the noise,
Juri

--
If each of us have one object, and we exchange them,
then each of us still has one object.
If each of us have one idea, and we exchange them,
then each of us now has two ideas.