Re: kernel panic [linux 2.2.19-7] on UDP scan CP4.1-SP5

From: Blue Boar (BlueBoar@thievco.com)
Date: 11/14/01


Date: Wed, 14 Nov 2001 11:07:59 -0800
From: Blue Boar <BlueBoar@thievco.com>
Subject: Re: kernel panic [linux 2.2.19-7] on UDP scan CP4.1-SP5
To: Yanek Korff <yanek@cigital.com>
Message-id: <3BF2C10F.4257B4BB@thievco.com>


> Would not the OS itself crash without the FW kernel module loaded whena UDP
> scan was initiated? When the machine is running without the FW active, it
> stays up fine.

Sounds like you answered your own question. :) All the evidence suggests
that the fault is in the firewall code. If a KLM dies, it's perfectly
capable of taking the kernel with it. At least when I've done it on
Solaris.. I assume Linux is the same.

> I've tried the -T Paranoid switch; the system crashes with the VERY FIRST
> UDP packet, regardless of which port it's sent to. I subsequently
> re-enabled icmp, as a "before last" implied rule... And I see this:
> Initiating UDP Scan against (64.80.176.11)
> 12:43:34.168842 nmap_source.58153 > fw_under_test.973: udp 0
> 12:43:34.274503 fw_under_test > nmap_source: icmp: 64.80.176.11 udp port 973
> unreachable
>
> And that's the last packet I get from the machine.

Meaning it crashes? Seems strange, you'd think Checkpoint would have
tried a UDP packet before they shipped...

Can anyone else confirm the results?

> If I run nslookup on nmap_source, set my server to fw_under_test, and
> attempt to resolve something (even though fw_under_test is not running a
> nameserver), the fw_under_test does not crash. It merely replies with udp
> port unreachable and stays up.

Must be something in particular with the conetns of the packet NMAP sends.

                                                BB



Relevant Pages

  • Re: jumbograms (& em) & nfs a no go
    ... >> Implies the sending host is not honoring the MTU restriction when ... In more modern UNIX systems, it's a kernel thread, ... Is this maybe UDP? ... make sure that the packet goes through the UDP fragmentation ...
    (freebsd-current)
  • kernel 2.6.18-92.1.6 produces errors when using nfs and nis
    ... kernel 2.6.18-53.1.21.el5, with no change to any conf files when I switch ... The problem is that when the nfs service starts I get the following error ... 100000 2 tcp 111 portmapper ... 100000 2 udp 111 portmapper ...
    (Linux-Kernel)
  • Re: Send-Q on UDP socket growing steadily - why?
    ... Send-Q on a moderately active UDP socket keeps growing steadily until it reaches ~128K at which point socket writes start failing. ... The application in question is standard ntpd from Fedora 7, kernel is the latest available for the distro, that is ... "I don't know how to send these packets" mode forever. ...
    (Linux-Kernel)
  • Identifying Kernel 2.4.x based Linux machines using UDP
    ... Identifying Kernel 2.4.x based Linux machines using UDP ... Linux Kernel 2.4.x has a bug with the UDP implementation which allows ... Combined with another fingerprinting method using ICMP this time ...
    (Bugtraq)
  • Re: Send-Q on UDP socket growing steadily - why?
    ... Send-Q on a moderately active UDP socket keeps growing steadily until it ... The application in question is standard ntpd from Fedora 7, kernel is ... and drops packets. ...
    (Linux-Kernel)