Bugtraq mailing list archives
Re: Linux IP fragment overlap bug
From: vadim () TVERSU RU (Vadim Kolontsov)
Date: Fri, 14 Nov 1997 19:01:45 +0300
Hi, On Thu, Nov 13, 1997 at 10:06:15PM -0800, G P R wrote:
Oh, by the way, NT/95 appear to have the bug also. Try sending 10 - 15 of these fragment combos to an NT/95 machine.
This bug doesn't fixed by Service Pack #3, but it seems like SP3 + "simply-tcp" patch fixes this bug (thanks for Serge Solopov, serj () portal ru). It's funny - 'simply-tcp' was intended to fix another bug (see below). Best regards, V. --------------------------- cut here ---------------------------- DOCUMENT:Q154460 TITLE:Denial of Service Attack Against WinNT Simple TCP/IP Services PRODUCT:Microsoft Windows NT PROD/VER:4.0 OPER/SYS:WINDOWS KEYWORD:kbbug4.00 kbfile kbfix4.00 kbnetwork NTSrvWkst nttcp -------------------------------------------------------------------------- The information in this article applies to: - Microsoft Windows NT Workstation version 4.0 - Microsoft Windows NT Server version 4.0 -------------------------------------------------------------------------- SYMPTOMS ======== As your computer is being attacked there may be a jump in bandwidth utilization on a subnet containing Windows NT computers and performance may suffer. A network analyzer shows a large amount of UDP traffic, typically from port 19 (chargen). CAUSE ===== A malicious attack may be mounted against Windows NT computers with the Simple TCP/IP Services installed. The attack consists of a flood of UDP datagrams sent to the subnet broadcast address with the destination port set to 19 and a spoofed source IP address. The Windows NT computers running Simple TCP/IP services respond to each broadcast, creating a flood of UDP datagrams. RESOLUTION ========== Windows NT TCP/IP, Windows Sockets, and Simple TCP/IP services have been modified to be more attack resistant. Windows Sockets now supports a new socket option, SO_BROADCAST, that can be set to allow the recvfrom() call to pass broadcast datagrams to the application. The default for this option is OFF. Previous implementations passed broadcasts datagrams to any Windows Sockets application that issued a recvfrom() call. Additionally, the chargen service and other Simple TCP/IP services have been modified to drop any datagrams that have the source port equal to the destination port to prevent "looping" attacks. To resolve this problem, obtain the hotfix below, or wait for the next service pack. This hotfix has been posted to the following Internet location: ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/ hotfixes-postSP3/simptcp-fix STATUS ====== Microsoft has confirmed this to be a problem in Windows NT version 4.0. A supported fix is now available, but has not been fully regression-tested and should be applied only to systems experiencing this specific problem. Unless you are severely impacted by this specific problem, Microsoft recommends that you wait for the next Service Pack that contains this fix. Contact Microsoft Technical Support for more information. Additional query words: 4.00 prodnt chargen attack ============================================================================ THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.
Current thread:
- IE4.0 patch, (continued)
- IE4.0 patch Richard Trott (Nov 13)
- X Security problem (?) Carlo Wood (Nov 13)
- Re: X Security problem (?) Matthias Buelow (Nov 14)
- Re: X Security problem (?) Scott Moseman (Nov 14)
- digital unix 4.0 hole John McDonald (Nov 14)
- What to do when you forget your cisco LD password... Dustin Sallings (Nov 13)
- Re: What to do when you forget your cisco LD password... John Bashinski (Nov 14)
- Re: Safe /tmp cleanup Erik Troan (Nov 13)
- Linux IP fragment overlap bug G P R (Nov 13)
- Re: Linux IP fragment overlap bug Alan Cox (Nov 14)
- Re: Linux IP fragment overlap bug Vadim Kolontsov (Nov 14)
- Re: Linux IP fragment overlap bug David LeBlanc (Nov 14)
- Re: Linux IP fragment overlap bug Morbid Dead Guy (Nov 16)
- Windows 95 IP Fragmentation Bug Fix? Aleph One (Nov 17)
- The Linux patch. G P R (Nov 14)
- The overlapping fragment bug Alan Cox (Nov 14)
- Re: The overlapping fragment bug Philippe Strauss (Nov 14)
- Re: The overlapping fragment bug G P R (Nov 15)
- Pentium processor invalid instruction erratum Aleph One (Nov 14)
- Software backgrounder Aleph One (Nov 14)
- BSDI patch for Pentium workaround has problems Charles M. Hannum (Nov 14)