Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
From: Peter Gründl (peter.grundlDEFCOM.COM)
Date: Thu Apr 05 2001 - 00:25:14 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

                      Defcom Labs Advisory def-2001-18

                      Watchguard Firebox II Kernel DoS

    Authors: Andreas Sandor <andreas.sandordefcom.com>
             Peter Gründl <peter.grundldefcom.com>
    Release Date: 2001-04-05
    ------------------------=[Brief Description]=-------------------------
    This vulnerability makes it possible to force the Firebox into a
    condition where it stops responding to packets of a certain protocol
    after it has been sent large bursts of packets for that protocol.

    ------------------------=[Affected Systems]=--------------------------
    Watchguard FireboxII
     * All versions prior to 4.6

    ----------------------=[Detailed Description]=------------------------
    The Linux-based kernel in the Watchguard Firebox has problems handling
    certain types of malformed packets. If the firewall is subjected to a
    burst of around 10.000 of these packets, it will cause a kernel fault
    and either crash or reboot.

    Both TCP and ICMP are affected by this and the burstrate needed to
    achieve a kernel fault was about one megabit in our testlab, which
    isn't that uncommon these days.

    If the firewall manages to log the attack, the log file might look
    something like this:

    kernel: Unable to handle kernel paging request at virtual address c4000000
    kernel: current->tss.cr3 = 03557000, %cr3 = 03557000
    kernel: *pde = 00000000
    kernel: Oops: 0000
    kernel: CPU: 0
    kernel: EIP: 0010:[<00186379>]
    kernel: EFLAGS: 00010206
    kernel: eax: 8c807bd9 ebx: 636f7270 ecx: 07f65441 edx: ffffffff
    kernel: esi: 04000000 edi: 02ca8818 ebp: 02ca882c esp: 03be7f08
    kernel: ds: 0018 es: 0018 fs: 002b gs: 002b ss: 0018
    kernel: Process ifconfig (pid: 153, process nr: 6, stackpage=03be7000)
    kernel: Stack: 00000013 03049b98 00153ad4 02ca8840 ffffffff 00000000
    09002d0a 02ca8818
    kernel: 0000002e 03be7f80 00000013 02ca8848 0013f845 00000002
    0013f9b9 03be7f88
    kernel: 001a3e54 00000000 02ca8848 0019ca48 0019ca48 002af018
    00000000 00000000
    kernel: Call Trace: [<00153ad4>] [<0013f845>] [<0013f9b9>] [<001389d0>]
    [<001181f3>] [<0010a62f>]
    kernel: Code: 8b 1e 11 d8 8b 5e 04 11 d8 8b 5e 08 11 d8 8b 5e 0c 11 d8 8b
    kernel: Aiee, killing interrupt handler

    But most of the time the firewall just crashes without any indication
    of foul play in the log file. Even if the firewall crashes, some
    network related tasks will still function.

    Obtaining version 4.6 requires membership of LiveSecurity

    Information about LiveSecurity can be obtained from the vendor

    -------------------------=[Vendor Response]=--------------------------
    The Vendor was contacted February 23rd, 2001 and an update was
    released on March 24th, 2001.

                This release was brought to you by Defcom Labs

                  labsdefcom.com www.defcom.com