[NEWS] IPRoute Fragmentation Denial of Service Vulnerability

From: support@securiteam.com
Date: 12/12/01

From: support@securiteam.com
To: list@securiteam.com
Date: Wed, 12 Dec 2001 16:29:44 +0100 (CET)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -

  IPRoute Fragmentation Denial of Service Vulnerability


 <http://www.trunkmonkey.com/homenetwork/iproute/> IPRoute contains a
vulnerability that would allow a remote attacker to launch a DoS attack
against the product, thus blocking all access to and from the protected


Affected software:
 * IPRoute version 1.18
 * IPRoute version 0.974
 * IPRoute version 0.973

IPRoute, by David F. Mischler, is PC-based router software for networks
running the Internet Protocol (IP). It can act as a dial on demand or
dedicated router between a LAN and a PPP, SLIP, Ethernet, wireless IP, or
cable modem link and allow transparent access from a LAN to the Internet
using a single IP address through Network Address Translation (NAT).
IPRoute can also act as a PPP server for dialup connections or route
between LANs.

The implementation of the router in IPRoute does not correctly handle tiny
fragmented packets, which split up the TCP header. If a series of tiny
fragmented packets were received by IPRoute, it would cause IPRoute to
fail. IPRoute could be put back into normal service by restarting the
interface, but all connections during the attack would drop. It is not
necessary for the attacker to establish a session through IPRoute in order
to exploit this vulnerability. ZapNET! firewalls are based on IPRoute and
may also be vulnerable.

The specific sequence of data packets involved with this vulnerability
cannot be generated as part of a legitimate connection.

Vulnerability reproduction:
Simply run "nmap -sS -f ip-address". IPRoute will be unable to send or
receive via the interface affected until it is manually restarted.


The information has been provided by <mailto:maetrics@realwarp.net> Chris


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com


The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.