IPRoute Fragmentation Denial of Service Vulnerability
by Chris Gragsone and The TechnoDragon
Foot Clan

Date: December 2, 2001
Advisory ID: Foot-20011202
Impact of vulnerability: Denial of Service
Exploitable: Remotely
Maximum Risk: Moderate

Affected Software:
  IPRoute v1.18
  IPRoute v0.974
  IPRoute v0.973

Vulnerability Description:

IPRoute, by David F. Mischler, is PC-based router software for networks running the Internet Protocol (IP). It can act as a dial-on-demand or dedicated router between a LAN and a PPP, SLIP, Ethernet, wireless IP or cable modem link, and allows transparent access from a LAN to the Internet through a single IP address using Network Address Translation (NAT). IPRoute can also act as a PPP server for dialup connections or route between LANs.

IPRoute's forwarding code does not correctly handle tiny IP fragments, that is, fragments so small that the TCP header itself is split across several of them. When IPRoute receives a series of such tiny fragments, it fails: the affected interface stops sending and receiving. IPRoute can be returned to normal service by restarting the interface, but every connection that was active during the attack is dropped.

The attacker does not need to establish a session through IPRoute to exploit this; the fragments only have to reach the router. ZapNET! firewalls are based on IPRoute and may also be vulnerable.

The specific sequence of fragments involved cannot be generated as part of a legitimate connection, so dropping them does not break normal traffic.

Vulnerability Reproduction:

Simply run "nmap -sS -f ip-address" against the router. The -f option makes nmap split each SYN probe into 8-byte IP fragments, so the 20-byte TCP header arrives in pieces. IPRoute will be unable to send or receive on the affected interface until it is manually restarted.
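The following is an added example, not code from the advisory or from IPRoute. It shows what the "nmap -f" reproduction step puts on the wire, by splitting a hand-built TCP SYN into 8-byte IPv4 fragments, and then applies the tiny-fragment filter check described in RFC 1858 (the SANS reference below covers the same attack): drop a first fragment (offset 0) whose TCP portion is shorter than a minimum that covers the flags field, and drop any fragment at offset 1, which can only exist to overwrite the first fragment's header. The addresses, ports and the 16-octet threshold are assumptions for the demonstration; nothing here reproduces the IPRoute crash itself, only the packet shape and the check a router could use to reject it before reassembly.

```python
"""Tiny-fragment demo: build the fragments `nmap -f` style, then filter them.

Added example for the IPRoute advisory; not IPRoute or nmap code.
All addresses, ports and sample values below are constructed.
"""
import struct

IPPROTO_TCP = 6
TCP_HDR_LEN = 20
# Assumed threshold: an offset-0 fragment must carry at least this much of the
# TCP header so a filter can see the flags at octet 13 (RFC 1858 style check).
TMIN = 16


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip2b(ip: str) -> bytes:
    return bytes(int(x) for x in ip.split("."))


def build_tcp_syn(src_ip, dst_ip, sport, dport, seq=0) -> bytes:
    """20-byte TCP header with only SYN set and a valid pseudo-header checksum."""
    offset_flags = (5 << 12) | 0x02          # data offset 5 words, SYN flag
    hdr = struct.pack("!HHIIHHHH", sport, dport, seq, 0, offset_flags, 65535, 0, 0)
    pseudo = struct.pack("!4s4sBBH", ip2b(src_ip), ip2b(dst_ip), 0, IPPROTO_TCP, len(hdr))
    return hdr[:16] + struct.pack("!H", checksum(pseudo + hdr)) + hdr[18:]


def build_ipv4_fragments(src_ip, dst_ip, payload, frag_size=8, ident=0x1234):
    """Split `payload` into IPv4 fragments of `frag_size` bytes (multiple of 8).

    With frag_size=8 the TCP header lands in three fragments (8, 8, 4 bytes),
    which is the shape nmap -f produces for a SYN probe.
    """
    assert frag_size % 8 == 0, "fragment offsets are in 8-octet units"
    frags = []
    for off in range(0, len(payload), frag_size):
        chunk = payload[off:off + frag_size]
        more = off + frag_size < len(payload)
        flags_frag = ((1 if more else 0) << 13) | (off // 8)   # MF bit + offset
        hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(chunk), ident,
                          flags_frag, 64, IPPROTO_TCP, 0, ip2b(src_ip), ip2b(dst_ip))
        hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
        frags.append(hdr + chunk)
    return frags


def parse_ipv4(pkt: bytes) -> dict:
    ihl = (pkt[0] & 0x0F) * 4
    total_len, ident, flags_frag = struct.unpack("!HHH", pkt[2:8])
    return {
        "proto": pkt[9],
        "ident": ident,
        "mf": bool(flags_frag & 0x2000),
        "offset": flags_frag & 0x1FFF,            # in 8-octet units
        "transport": pkt[ihl:total_len],
    }


def tiny_fragment_verdict(pkt: bytes) -> tuple:
    """Per-fragment check a router can apply before reassembly.

    Returns ("drop", reason) or ("pass", "").
    """
    p = parse_ipv4(pkt)
    if p["proto"] != IPPROTO_TCP:
        return ("pass", "")
    if p["offset"] == 0 and len(p["transport"]) < TMIN:
        return ("drop", "first fragment carries only %d bytes of TCP header, < %d"
                % (len(p["transport"]), TMIN))
    if p["offset"] == 1:
        return ("drop", "offset-1 fragment can only overwrite the first fragment's header")
    return ("pass", "")


def reassemble(frags) -> bytes:
    """Naive in-order reassembly, to show the pieces really are one TCP header."""
    parts = sorted((parse_ipv4(f) for f in frags), key=lambda p: p["offset"])
    return b"".join(p["transport"] for p in parts)


def demo():
    # Constructed sample: SYN to port 80, fragmented the way nmap -f does it.
    syn = build_tcp_syn("192.0.2.10", "192.0.2.1", 40000, 80, seq=1)
    frags = build_ipv4_fragments("192.0.2.10", "192.0.2.1", syn)
    return syn, frags, [tiny_fragment_verdict(f) for f in frags]


if __name__ == "__main__":
    syn, frags, verdicts = demo()
    for f, (verdict, reason) in zip(frags, verdicts):
        p = parse_ipv4(f)
        print("offset=%d mf=%s len=%d -> %s %s"
              % (p["offset"], p["mf"], len(p["transport"]), verdict, reason))
    print("reassembled header matches:", reassemble(frags) == syn)
```

The first two fragments are rejected (the first because 8 bytes of TCP header is not enough to see the flags, the second because it sits at offset 1), while the 4-byte tail at offset 2 passes on its own and is harmless without the others. An unfragmented SYN passes the same check, so the filter does not affect legitimate traffic.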
References:
  http://www.trunkmonkey.com/homenetwork/iproute/
  http://www.sans.org/infosecFAQ/threats/frag_attacks.htm

Contact:
  http://footclan.realwarp.net
  Chris Gragsone (maetrics@realwarp.net)
  The TechnoDrgon (tdragon@mailandnews.com)

Disclaimer:
The contents of this advisory are copyright (c) 2001 Foot Clan and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.