Re: Win98 Crash?
dorqus maximus (dorqus FREEK.COM)
Mon, 25 Jan 1999 14:31:54 -0500
- Next message: Linux Mailing Lists: "Re: SSH 1.x and 2.x Daemon"
- Previous message: Jim Bourne: "Re: SSH 1.x and 2.x Daemon"
- In reply to: DEF CON ZERO WINDOW: "Win98 crash?"
- Next in thread: Bruno Coelho: "Re: Win98 Crash?"
DEF CON ZERO WINDOW wrote...
> But, because value is wrong, this "oshare packet" can't be transmitted
> to the outside of the network. This is here well, and it is here badly,
> too. But, even whose machine will be able to be killed in the same
> segment.
This oshare.c code may have crashed our Checkpoint Firewall-1, version 3.0b,
Build Number: 3083. (Sun Sparc, Solaris 2.5.1)
After running it I lost internet connectivity and saw
the following on the console of our firewall server:
FW-1: packet size too big (131060) from 0x01010101, ip_p=17
FW-1: packet size too big (131060) from 0x01010101, ip_p=17
FW-1: packet size too big (131060) from 0x01010101, ip_p=17
FW-1: packet size too big (131060) from 0x01010101, ip_p=17
FW-1: packet size too big (131060) from 0x01010101, ip_p=17
FW-1: packet size too big (131060) from 0x01010101, ip_p=17
FW-1: packet size too big (131060) from 0x01010101, ip_p=17
FW-1: packet size too big (131060) from 0x01010101, ip_p=17
FW-1: packet size too big (131060) from 0x01010101, ip_p=17
FW-1: packet size too big (131060) from 0x01010101, ip_p=17
FW-1: packet size too big (131060) from 0x01010101, ip_p=17
The machine could not be soft booted and needed to be hard booted
(power cycled).
I will not (or cannot) try and duplicate this, since I can't afford
to crash our firewall again :)
To give a brief network sketch:
Linux Box (running oshare) -> Router -- Frame Relay -> Router
-> Firewall-1 machine -> Dest Win98 box
I cannot confirm that this program crashed our firewall, but I would say
it's a safe bet.
I'm no C programmer, but I think this part here is the guilty part:
(Line 65 or so)
ip->frag_off = htons( 16383 );
ip->ttl = 0xff;
ip->protocol = IPPROTO_UDP;
ip->saddr = htonl( inet_addr( "1.1.1.1" ) );
ip->daddr = dst_addr;
ip->check = in_cksum( ( u_short *)ip, 44 );
YMMV, of course.
Dorqus
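
Added example (not part of the original post and not code from oshare.c): a receiver-side sanity check that decodes the IPv4 fragmentation field and rejects a fragment whose data would end past the 65535-byte datagram limit, applied to the frag_off value 16383 (0x3FFF) quoted in the message. The sample headers, the destination address and all struct and function names are constructed for illustration; this is not Firewall-1's own check.

```c
#include <stddef.h>
#include <stdint.h>

enum frag_verdict { FRAG_OK = 0, FRAG_MALFORMED = -1, FRAG_OVERSIZE = -2 };

struct frag_info {
    int      more_fragments;  /* MF flag, 0x2000 */
    uint32_t offset_bytes;    /* 13-bit offset field, counted in 8-byte units */
    uint32_t end_bytes;       /* offset_bytes + data carried by this fragment */
};

/* Constructed sample headers (checksum left 0, it is not verified here).
 * Bytes 6-7 of the first are 0x3FFF, the value 16383 from the post;
 * 192.0.2.x are documentation addresses. */
static const uint8_t sample_suspect[20] = {
    0x45, 0x00, 0x00, 0x2c, 0x00, 0x01, 0x3f, 0xff, 0xff, 0x11,
    0x00, 0x00, 0x01, 0x01, 0x01, 0x01, 0xc0, 0x00, 0x02, 0x01 };
static const uint8_t sample_normal[20] = {
    0x45, 0x00, 0x00, 0x2c, 0x00, 0x02, 0x20, 0x00, 0x40, 0x11,
    0x00, 0x00, 0xc0, 0x00, 0x02, 0x02, 0xc0, 0x00, 0x02, 0x01 };

/* Decode the fragmentation fields and reject a fragment whose data would
 * end past the 65535-byte maximum size of an IPv4 datagram. */
enum frag_verdict check_ipv4_fragment(const uint8_t *pkt, size_t len,
                                      struct frag_info *out)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return FRAG_MALFORMED;
    uint32_t ihl   = (uint32_t)(pkt[0] & 0x0f) * 4;       /* header bytes */
    uint32_t total = ((uint32_t)pkt[2] << 8) | pkt[3];    /* total length */
    uint32_t frag  = ((uint32_t)pkt[6] << 8) | pkt[7];    /* flags+offset */
    if (ihl < 20 || ihl > len || total < ihl)
        return FRAG_MALFORMED;
    out->more_fragments = (frag & 0x2000) != 0;
    out->offset_bytes   = (frag & 0x1fff) * 8;
    out->end_bytes      = out->offset_bytes + (total - ihl);
    if (ihl + out->end_bytes > 65535u)
        return FRAG_OVERSIZE;
    /* every fragment except the last carries a multiple of 8 data bytes */
    if (out->more_fragments && (total - ihl) % 8 != 0)
        return FRAG_MALFORMED;
    return FRAG_OK;
}

int main(void)
{
    struct frag_info fi;
    return check_ipv4_fragment(sample_suspect, sizeof sample_suspect, &fi)
           == FRAG_OVERSIZE ? 0 : 1;
}
```

With 0x3FFF in the field, the MF flag is set and the 13-bit offset is at its maximum (8191 units, 65528 bytes), so any payload at all pushes the reassembled size past the limit.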