SUMMARY
6tunnel is a simple tunneling program for applications that don't speak IPv6.
It's most used as an IRC proxy for clients without IPv6 support.
A serious vulnerability in this program allow any user to crash 6tunnel
locally and in some cases remotely.

SYSTEM / VERSIONS AFFECTED
Older versions.
6tunnel 0.06
6tunnel 0.07
Version 0.07 should be included in the latest version of freeBSD ports and
netBSD.
It's even included by default in PLD ( http://www.pld.org.pl/ )
Version 0.08 has a wrong fix.

IMMUNE VERSIONS
6tunnel 0.09

DETAILED DESCRIPTION
The socket opened when the client connects to 6tunnel is not correctly
closed at the end of connection: in some cases, when the connection is
closed by server (i.e. on IRC with a quit command, the IRC server close the
connection) the socket will be closed after a short timeout.
But if it's closed after a client disconnection, the socket remains in
state CLOSE (as you can see with netstat) till 6tunnel will be killed or
stopped.
So flooding 6tunnel with connections/disconnections there are a lot of
sockets not closed and after a variable number of connections (depending on
OS,system,etc) 6tunnel will crash.
Clients that were already connected before the crash won't be disconnected
but it's not possible to make new connections.
In order to crash 6tunnel remotely we must only be able to establish a
connection.

OTHER INFORMATIONS:
I reported this bug one week ago. After few hours the official maintainer
<wojtekkairc.pl> released a new version (6tunnel-0.08). This version was
broken so I reported it with a working fix and after few days the corrected
version (6tunnel-0.09) was released. This new version fixes even some
memory leaks.
You can find it here: ftp://213.146.38.146/pub/wojtekka/6tunnel-0.09.tar.gz

A simple IPv4/IPv6 connection flooder to demonstrate the DoS is attached.

Excuse me for my poor English.
Regards.

--
awayzzz <awayzzzdigibel.org>

• text/plain attachment: 6tunneldos.c

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]