Re: Remote DoS Attack in Eeye Iris 1.01 and SpyNet CaptureNet v3.12 Vulnerability

[Jonathan Rickman <jonathan () XCORPS NET>]

Attack Platform: PII 366 / 64mb RAM / Xircom CEM 56-100 /  X-over Cable

Victims

Crashed:
AMD K6 300mhz / 64mb RAM / Xircom CEM 56-100 / approx 45 seconds
P200mmx / 96mb / 3C905B-TX / 3 minutes 33 seconds

Survived:
PIII 500mhz / 256mb RAM / Some kind of Intel card? (built in)
PII 400mhz / 64mb RAM / 3C905B-TX


> From what I've seen with my own eyes, this appears to be directly related
to processing power (or lack thereof). It should also be mentioned that
the attack platform was at 98% or higher CPU usage during all 4 attacks.
The machines that survived were under attack for at least 10 minutes. None
of the victim hosts were running anything during the attacks. I have a
feeling that the last machine would have crashed had anything else been
running on it.

So...to quote Marc Maiffret

> "While we do not discount the fact that Iris might crash when flooded
> with thousands of packets, we think it will be rare for any modern system
> (I.E. Our recommended hardware configuration, 400mhz, 128megs of ram, or
> better) to be vulnerable to this "bug."

I have to agree...

---------------------
Jonathan Rickman
X-Corps Security
http://www.xcorps.net


On Thu, 31 Aug 2000, Elias Levy wrote:

> If anyone can reproduce the crash of Iris please let us know. Being able
> to force a sniffer application from using most of its CPU by flooding
> the network is an endemic problem of that type of application, although
> in this case the problem seems like it can easily be mitigate by configuring
> the app not to display packets graphically which is what is consuming most
> of the CPU.
>
> The real possible vulnerability is the heap overflow that may make Iris to
> crash. If anyone can verify this claim we'd like to hear from them.
> --
> Elias Levy
> SecurityFocus.com
> http://www.securityfocus.com/
> Si vis pacem, para bellum