Subject: Re: Denial of service attack against tcpdump
From: Sebastian (scutNB.IN-BERLIN.DE)
Date: Wed May 03 2000 - 14:51:05 CDT


On Tue, May 02, 2000 at 07:46:33PM -0400, bretonhPARANOIA.PGCI.CA wrote:

> Greetings.

Hi.

> There is a way to disable tcpdump running on a remote host. By sending a
> carefully crafted UDP packet on the network which tcpdump monitors, it is
> possible, under certain circumstances, to make tcpdump fall into an infinite
> loop.

> [...]

> If this jump offset is set to its own location and if a program trying to
> decompress the domain name does not have any type of counter or strategy to
> avoid infinite loops, then the program will jump to the same offset in the
> packet over and over again.

Known issue for about one year now. There are several other methods to take
tcpdump down, two others with domain names (zlip*.c) and one with IP header
length fiddling. A detailed description + exploits were posted already on
bugtraq, though at that time tcpdump had no maintainer and there was no
fix issued. Also Ethereal and other sniffers are affected by this.

> Cheers,
> Hugo Breton
> bretonhpgci.ca

ciao,
scut / teso

--
- scutnb.in-berlin.de - http://nb.in-berlin.de/scut/ --- you don't need a --
-- lot of people to be great, you need a few great to be the best ------------
http://3261000594/scut/pgp - 5453 AC95 1E02 FDA7 50D2 A42D 427E 6DEF 745A 8E07
-- data in VK/USA Mayfly experienced, awaiting transfer location, hi echelon -
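The loop Hugo describes, and the check that removes it, as an added example in C. This is not tcpdump's code, Ethereal's, or the zlip exploits scut mentions; the DNS message bytes are constructed for the demonstration (no real traffic), and the offsets 12, 33, 35, 37 and 44 are simply where the constructed names sit in that buffer. The naive walker is given an iteration budget only so that it returns; a real parser without a loop check would not.

```c
/* Added example (not tcpdump's or any other project's code): a DNS name
 * decompressor with the pointer-loop check the post says was missing,
 * next to the naive walk that spins. All bytes below are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define DNS_MAX_NAME 255

/* Constructed DNS message: header, one question, then several owner
 * names at known offsets, two of which are compression-pointer loops. */
static const uint8_t sample[] = {
    0x12,0x34, 0x81,0x80, 0x00,0x01, 0x00,0x01, 0x00,0x00, 0x00,0x00, /* 0 */
    3,'w','w','w', 7,'e','x','a','m','p','l','e', 3,'c','o','m', 0,  /* 12 */
    0x00,0x01, 0x00,0x01,          /* 29: QTYPE=A, QCLASS=IN */
    0xC0,0x0C,                     /* 33: legitimate pointer to offset 12 */
    0xC0,0x23,                     /* 35: pointer to itself (0x23 == 35) */
    4,'m','a','i','l', 0xC0,0x25,  /* 37: "mail" then pointer back to 37 */
    0xC3,0xFF,                     /* 44: pointer to offset 1023, past end */
};
static const size_t sample_len = sizeof sample;

/* The walk the post describes: follow pointers with no memory of where it
 * has been. The budget is added only so this demo terminates. Returns the
 * label count, -1 on truncation, -2 when the budget runs out (a loop). */
int naive_label_count(const uint8_t *msg, size_t msglen, size_t off, int budget)
{
    size_t pos = off;
    int labels = 0;
    while (budget-- > 0) {
        if (pos >= msglen) return -1;
        uint8_t c = msg[pos];
        if ((c & 0xC0) == 0xC0) {
            if (pos + 1 >= msglen) return -1;
            pos = ((size_t)(c & 0x3F) << 8) | msg[pos + 1]; /* no loop check */
            continue;
        }
        if (c == 0) return labels;
        labels++;
        pos += 1 + c;
    }
    return -2;
}

/* Hardened expansion of the name at msg[off] into out (dotted, trailing
 * dot). Returns the bytes the name occupies at off, or -1 if malformed.
 * Termination: every pointer must land strictly before the previous jump
 * target (for the first jump, before the name's own start), so `limit`
 * strictly decreases; RFC 1035 4.1.4 only allows prior occurrences anyway. */
int dns_expand_name(const uint8_t *msg, size_t msglen, size_t off,
                    char *out, size_t outlen)
{
    size_t pos = off, limit = off, o = 0, namelen = 0, consumed = 0;
    int jumped = 0;
    if (outlen < 2) return -1;
    for (;;) {
        if (pos >= msglen) return -1;
        uint8_t c = msg[pos];
        if ((c & 0xC0) == 0xC0) {                    /* compression pointer */
            if (pos + 1 >= msglen) return -1;
            size_t target = ((size_t)(c & 0x3F) << 8) | msg[pos + 1];
            if (!jumped) { consumed = pos + 2 - off; jumped = 1; }
            if (target >= limit) return -1;          /* self, forward, cycle */
            limit = pos = target;
            continue;
        }
        if (c & 0xC0) return -1;                     /* 0x40/0x80 reserved */
        if (c == 0) {                                /* root: name complete */
            if (!jumped) consumed = pos + 1 - off;
            if (o == 0) { out[0] = '.'; out[1] = '\0'; }
            return (int)consumed;
        }
        if (pos + 1 + c > msglen) return -1;         /* label truncated */
        namelen += 1 + c;
        if (namelen > DNS_MAX_NAME) return -1;
        if (o + c + 2 > outlen) return -1;           /* label, '.', NUL */
        memcpy(out + o, msg + pos + 1, c);
        o += c;
        out[o++] = '.';
        out[o] = '\0';
        pos += 1 + c;
    }
}

/* Wrappers over the constructed message, for the demo below. */
static char scratch[DNS_MAX_NAME + 2];
int sample_consumed(size_t off) { return dns_expand_name(sample, sample_len, off, scratch, sizeof scratch); }
const char *sample_text(size_t off) { return sample_consumed(off) < 0 ? "" : scratch; }

int main(void)
{
    const size_t offs[] = { 12, 33, 35, 37, 44 };
    for (size_t i = 0; i < 5; i++)
        printf("offset %zu: naive=%d hardened=%d %s\n", offs[i],
               naive_label_count(sample, sample_len, offs[i], 10000),
               sample_consumed(offs[i]), sample_text(offs[i]));
    return 0;
}
```

The "must point strictly backwards from the last jump" rule is one of two common fixes; the other is to cap pointer hops at something no larger than the message length, which bounds the loop without rejecting anything a conforming compressor can emit. Either one turns the self-referencing name at offset 35 and the two-label cycle at offset 37 into a parse error instead of a hang.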