Re: FW: CERT Summary CS-98.02
- To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
- Subject: Re: FW: CERT Summary CS-98.02
- From: Robert Woodcock <rcw@OZ.NET>
- Date: Thu, 5 Mar 1998 18:16:30 -0800
- Comments: To: "John D. Hardin" <jhardin@wolfenet.com>
- In-Reply-To: <199803051747.MAA01649@mail02.rapidsite.net>
- Reply-To: Robert Woodcock <rcw@OZ.NET>
- Sender: Windows NT BugTraq Mailing List <NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM>

On Thu, 5 Mar 1998, John D. Hardin wrote:
> Our publicly-accessible NT boxes are protected by a Linux firewall with
> ALWAYS-DEFRAGMENT set to true.
>
> This leads to two questions, the first not entirely NT-related:
>
> 1) Does Linux validate reassembled packets? (meaning, would the attack
> datagrams be reassembled, checked and then discarded by the Linux firewall?)
Yes, it does basic checks for known issues, f.e. here's
/usr/src/linux-2.0.33/net/ipv4/ip_fragment.c, line 346:

    if(len>65535)
    {
        printk("Oversized IP packet from %s.\n", in_ntoa(qp->iph->saddr));
        ip_statistics.IpReasmFails++;
        ip_free(qp);
        return NULL;
    }

Same file, line 378:

    if (fp->len < 0 || count+fp->len > skb->len)
    {
        NETDEBUG(printk("Invalid fragment list: Fragment over size.\n"));
        ip_free(qp);
        kfree_skb(skb,FREE_WRITE);
        ip_statistics.IpReasmFails++;
        return NULL;
    }

If you don't know C, those calls to ip_free() and kfree_skb() release the
memory for the packet, discarding it.
> 2) Does the exploit *require* that the attack datagrams be reassembled *on the
> NT box being attacked*?
Yes.
Of course then the Linux machine becomes a central point of failure.
Luckily those Linux guys get patches out relatively quickly.
I'm starting to think that this world needs a netcrashme.
--
Robert Woodcock - rcw@oz.net
All I want is a warm bed and a kind word and unlimited power.
-- Ashleigh Brilliant
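
The two reassembly checks quoted in the message above, modelled in user space as an added example (not part of the original post and not kernel code). The `struct frag` layout, the `reassemble()` name and the choice to reject gaps and overlaps outright are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define IP_MAX_LEN 65535        /* ceiling of the 16-bit total-length field */

/* Hypothetical simplified fragment record, not the kernel's struct ipfrag. */
struct frag {
    int offset;                 /* payload byte offset (13-bit field * 8) */
    int len;                    /* payload bytes in this fragment */
    int last;                   /* 1 if More Fragments is clear */
    const uint8_t *data;
};

/* Validate fragments sorted by offset and copy them into out[].
 * Returns header + payload length, or -1 if the datagram is discarded.
 * Assumption: gaps and overlaps are rejected rather than trimmed. */
int reassemble(const struct frag *f, size_t n, int ihl,
               uint8_t *out, size_t outlen)
{
    int end = -1, count = 0;
    size_t i;

    if (ihl < 20 || ihl > 60)
        return -1;              /* IPv4 header is 20 to 60 bytes */
    for (i = 0; i < n; i++) {
        if (f[i].offset < 0 || f[i].offset > 65528 ||
            f[i].len < 0 || f[i].len > IP_MAX_LEN)
            return -1;          /* malformed field; also keeps sums in int range */
        if (f[i].last)
            end = f[i].offset + f[i].len;
    }
    if (end < 0)
        return -1;              /* final fragment never arrived */

    /* Check 1 (oversized packet): offset + len of the final fragment can
     * exceed 65535 even though each header field is individually legal. */
    if (ihl + end > IP_MAX_LEN || (size_t)(ihl + end) > outlen)
        return -1;

    for (i = 0; i < n; i++) {
        /* Check 2 (fragment over size): never copy past the declared end. */
        if (f[i].offset != count || count + f[i].len > end)
            return -1;
        memcpy(out + ihl + count, f[i].data, (size_t)f[i].len);
        count += f[i].len;
    }
    return ihl + end;
}
```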