Remote DoS in 6tunnel

From: awayzzz (awayzzz@digibel.org)
Date: 10/23/01


Message-Id: <5.1.0.14.0.20011023131956.02210c00@pop.katamail.com>
Date: Tue, 23 Oct 2001 17:48:08 +0200
To: bugtraq@securityfocus.com
From: awayzzz <awayzzz@digibel.org>
Subject: Remote DoS in 6tunnel



SUMMARY
6tunnel is a simple tunneling program for applications that don't speak IPv6.
It is mostly used as an IRC proxy for clients without IPv6 support.
A serious vulnerability in this program allows any user to crash 6tunnel
locally and in some cases remotely.

SYSTEM / VERSIONS AFFECTED
Older versions.
6tunnel 0.06
6tunnel 0.07
Version 0.07 should be included in the latest version of FreeBSD ports and
NetBSD.
It is also included by default in PLD ( http://www.pld.org.pl/ )
Version 0.08 has an incorrect fix.

IMMUNE VERSIONS
6tunnel 0.09

DETAILED DESCRIPTION
The socket opened when a client connects to 6tunnel is not correctly
closed at the end of the connection. In some cases, when the connection is
closed by the server (e.g. on IRC with a quit command, the IRC server closes
the connection), the socket is closed after a short timeout.
But if the connection ends with a client disconnection, the socket remains
in state CLOSE (as you can see with netstat) until 6tunnel is killed or
stopped.
So when 6tunnel is flooded with connections/disconnections, a lot of
sockets are left unclosed, and after a variable number of connections
(depending on OS, system, etc.) 6tunnel will crash.
Clients that were already connected before the crash won't be disconnected,
but it's not possible to make new connections.
In order to crash 6tunnel remotely we only need to be able to establish a
connection.

OTHER INFORMATION:
I reported this bug one week ago. After a few hours the official maintainer
<wojtekka@irc.pl> released a new version (6tunnel-0.08). This version was
broken, so I reported it with a working fix, and after a few days the
corrected version (6tunnel-0.09) was released. This new version also fixes
some memory leaks.
You can find it here: ftp://213.146.38.146/pub/wojtekka/6tunnel-0.09.tar.gz

A simple IPv4/IPv6 connection flooder to demonstrate the DoS is attached.

Excuse me for my poor English.
Regards.

--
awayzzz <awayzzz@digibel.org>
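
The descriptor leak from DETAILED DESCRIPTION, modeled as an added example (not 6tunnel's code and not part of the original post): a hypothetical one-way relay over socketpair() whose client-EOF path can skip close(), with a counter showing descriptors accumulating per disconnect. All function names and the "QUIT" payload are assumptions made for illustration.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Count descriptors currently open in this process (checks fds 0..1023). */
static int open_fds(void) {
    int n = 0;
    for (int fd = 0; fd < 1024; fd++)
        if (fcntl(fd, F_GETFD) != -1) n++;
    return n;
}

/* Hypothetical relay: copy client->server until client EOF or an error.
 * leak_on_client_eof=1 models the bug class: the client-disconnect path
 * returns without closing, so both descriptors stay allocated. */
static void relay(int cfd, int sfd, int leak_on_client_eof) {
    char buf[512];
    ssize_t n;
    while ((n = read(cfd, buf, sizeof buf)) > 0)
        if (write(sfd, buf, (size_t)n) != n) break;
    if (n == 0 && leak_on_client_eof)
        return;                 /* bug: missing close() on this path */
    close(cfd);                 /* fix: every exit path releases both ends */
    close(sfd);
}

/* Simulate `sessions` clients that connect, send one line and disconnect.
 * Returns how many descriptors remain open that were not open before. */
int leaked_after(int sessions, int leak_on_client_eof) {
    int before = open_fds();
    for (int i = 0; i < sessions; i++) {
        int c[2], s[2];
        if (socketpair(AF_UNIX, SOCK_STREAM, 0, c) != 0) break; /* table full */
        if (socketpair(AF_UNIX, SOCK_STREAM, 0, s) != 0) {
            close(c[0]); close(c[1]); break;
        }
        ssize_t w = write(c[0], "QUIT\n", 5);   /* constructed sample input */
        (void)w;
        close(c[0]);                            /* client disconnects */
        relay(c[1], s[0], leak_on_client_eof);
        close(s[1]);                            /* remote peer goes away */
    }
    return open_fds() - before;
}

int main(void) {
    printf("fixed relay leaked %d fds\n", leaked_after(20, 0));
    printf("buggy relay leaked %d fds\n", leaked_after(20, 1));
    return 0;
}
```

Once the leaked count reaches the process descriptor limit, socket creation and accept() start failing, which matches the reported symptom that existing clients stay connected while new connections are refused.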



