Bugtraq mailing list archives

Re: Win98 Crash?


From: bcoelho () MODULO COM BR (Bruno Coelho)
Date: Tue, 26 Jan 1999 17:56:26 -0300


OK, I tried to send the attack directly to the FW-1 box. Nothing happens.
Since it's blocking ANY packets going to itself, I tried to reach an outside
box (through FW-1). Nothing happens to the FW-1...

Bruno Coelho

-----Original Message-----
From: Bugtraq List [mailto:BUGTRAQ () netspace org] On Behalf Of dorqus maximus
Sent: Monday, January 25, 1999 4:32 PM
To: BUGTRAQ () netspace org
Subject: Re: Win98 Crash?


DEF CON ZERO WINDOW wrote...
 But, because the value is wrong, this "oshare packet" can't be transmitted
outside of the network. This is good here, and it is bad here, too. But
even so, anyone's machine in the same segment will be able to be killed.

This oshare.c code may have crashed our Checkpoint Firewall-1, version 3.0b,
Build Number: 3083 (Sun Sparc, Solaris 2.5.1).

After running it I lost internet connectivity and saw
the following on the console of our firewall server:

FW-1: packet size too big (131060) from 0x01010101, ip_p=17
FW-1: packet size too big (131060) from 0x01010101, ip_p=17
FW-1: packet size too big (131060) from 0x01010101, ip_p=17
FW-1: packet size too big (131060) from 0x01010101, ip_p=17
FW-1: packet size too big (131060) from 0x01010101, ip_p=17
FW-1: packet size too big (131060) from 0x01010101, ip_p=17
FW-1: packet size too big (131060) from 0x01010101, ip_p=17
FW-1: packet size too big (131060) from 0x01010101, ip_p=17
FW-1: packet size too big (131060) from 0x01010101, ip_p=17
FW-1: packet size too big (131060) from 0x01010101, ip_p=17
FW-1: packet size too big (131060) from 0x01010101, ip_p=17

The machine could not be soft booted and needed to be hard booted
(power cycled).

I will not (or cannot) try and duplicate this, since I can't afford
to crash our firewall again :)

To give a brief network sketch:

Linux Box (running oshare) -> Router -- Frame Relay -> Router
 -> Firewall-1 machine -> Dest Win98 box

I cannot confirm that this program crashed our firewall, but I would say
it's a safe bet.

I'm no C programmer, but I think this part here is the guilty part:
(Line 65 or so)

        ip->frag_off    = htons( 16383 );   /* 0x3fff: MF flag set, fragment offset 8191 (the maximum) */
        ip->ttl         = 0xff;
        ip->protocol    = IPPROTO_UDP;      /* ip_p=17, as in the FW-1 console messages */
        ip->saddr       = htonl( inet_addr( "1.1.1.1" ) );   /* 0x01010101 in the FW-1 console messages */
        ip->daddr       = dst_addr;
        ip->check       = in_cksum( ( u_short *)ip, 44 );   /* checksums 44 bytes, more than the 20-byte header */

YMMV, of course.

Dorqus

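The header fragment quoted above sets frag_off to 0x3fff, which decodes to "more fragments" with the largest possible offset, 8191 * 8 = 65528 bytes into the datagram. The following C program is an added example, not part of this thread or of oshare.c: it fills in a header the way the quoted lines do and then runs the bounds check a fragment reassembler has to apply before trusting the offset (reassembled size may not exceed 65535 bytes, and every non-final fragment must carry a multiple of 8 data bytes). The struct layout mirrors the Linux iphdr that oshare.c uses; the 10.0.0.1 destination and the 44-byte total length are assumptions for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>   /* htons, ntohs, htonl */

/* IPv4 header (RFC 791), 20 bytes, no options. Field names mirror the
 * Linux struct iphdr that oshare.c fills in. */
struct ipv4_hdr {
    uint8_t  ver_ihl;
    uint8_t  tos;
    uint16_t tot_len;
    uint16_t id;
    uint16_t frag_off;   /* 3 flag bits + 13-bit offset in 8-byte units */
    uint8_t  ttl;
    uint8_t  protocol;
    uint16_t check;
    uint32_t saddr;
    uint32_t daddr;
};

#define IP_MF      0x2000u   /* more fragments follow */
#define IP_OFFMASK 0x1fffu   /* 13-bit fragment offset */
#define IP_MAXLEN  65535u    /* largest reassembled datagram, header included */

struct frag_info {
    int      more_fragments;
    unsigned offset_bytes;   /* fragment offset * 8 */
    unsigned payload_len;    /* tot_len minus header length */
    unsigned data_end;       /* offset_bytes + payload_len */
    int      valid;          /* 1 if a reassembler may accept this fragment */
};

/* Fill a header the way the quoted oshare.c lines do. The destination
 * address and total length are placeholders assumed for this example. */
void build_oshare_header(struct ipv4_hdr *ip, uint16_t total_len)
{
    memset(ip, 0, sizeof *ip);
    ip->ver_ihl  = 0x45;                 /* IPv4, 5 * 4 = 20 byte header */
    ip->tot_len  = htons(total_len);
    ip->frag_off = htons(16383);         /* 0x3fff: MF set, offset 8191 */
    ip->ttl      = 0xff;
    ip->protocol = 17;                   /* IPPROTO_UDP, the "ip_p=17" in the log */
    ip->saddr    = htonl(0x01010101u);   /* 1.1.1.1, the "0x01010101" in the log */
    ip->daddr    = htonl(0x0a000001u);   /* 10.0.0.1, assumed for the example */
}

/* Decode the fragment field and apply the checks a reassembler needs
 * before it trusts the offset. */
struct frag_info check_fragment(const struct ipv4_hdr *ip)
{
    struct frag_info fi;
    unsigned fo  = ntohs(ip->frag_off);
    unsigned ihl = (ip->ver_ihl & 0x0f) * 4u;
    unsigned tot = ntohs(ip->tot_len);

    fi.more_fragments = (fo & IP_MF) != 0;
    fi.offset_bytes   = (fo & IP_OFFMASK) * 8u;
    fi.payload_len    = tot > ihl ? tot - ihl : 0;
    fi.data_end       = fi.offset_bytes + fi.payload_len;

    fi.valid = ihl >= 20u
            && tot >= ihl
            && fi.data_end + ihl <= IP_MAXLEN            /* would not overflow 65535 */
            && !(fi.more_fragments && (fi.payload_len % 8u) != 0);  /* RFC 791 */
    return fi;
}

int main(void)
{
    struct ipv4_hdr ip;
    struct frag_info fi;

    build_oshare_header(&ip, 44);
    fi = check_fragment(&ip);
    printf("MF=%d offset=%u payload=%u data_end=%u valid=%d\n",
           fi.more_fragments, fi.offset_bytes, fi.payload_len,
           fi.data_end, fi.valid);
    return 0;
}
```

With the oshare values the decoded fragment claims 24 data bytes starting at byte 65528, so the reassembled datagram would end at 65552 + 20 bytes, past the 65535-byte limit; a reassembler that adds the offset to a buffer without this check is exactly the kind of code that ends up in trouble. The same function accepts an unfragmented header (frag_off 0) and a well-formed middle fragment (MF set, 8-byte payload), and rejects an MF fragment whose payload is not a multiple of 8.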


