Security News -  Security Reviews -   Exploits -  Tools -  UNIX Focus -  Windows Focus
SecuriTeam™  Beyond Security®  SecuriTeam™ Home  Ask the Team  Mailing Lists  Advertising Info  Blogs SecuriTeam™ in Your Inbox   E-mail this CVE-2006-4518 to a friend New vulnerability? New tool? Tell us	CVE-2006-4518 Qbik WinGate Compressed Name Pointer DoS     Credit: The information has been provided by iDefense. The original article can be found at: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=444 Website Security Scan Code Vulnerability Test Network Assessment Tool Detect hidden vulnerabilities Exhaustive automated testing Real-time, continuous security Get guidance from professionals of internal or 3rd party code. scanning for your entire network    CVE-2006-4518 Details Check for CVE-2006-4518 Vulnerability Assessment and Management. Automated Pen Testing for 50 to 50,000 nodes beyondsecurity.com/vulnerability-scanner Vulnerable Systems:  * Qbik Wingate version 6.1  * Earlier versions are suspected as well. Sending a DNS request which contains a compressed name pointer which references itself, will cause the vulnerable code to enter an infinite loop which will consume all CPU cycles. The following packet illustrates the DNS data that would be included in a packet triggering this vulnerability: \x00\x00 - Transaction ID \x00\x00 - Flags \x00\x01 - Questions \x00\x00 - Answer RRs \x00\x00 - Authority RRs \x00\x00 - Additional RRs \xc0\x0c - Query Name - Looping pointer \x00\x00 - Query Type \x00\x01 - Query Class The DNS protocol allows for the compression of domain names in order to reduce message sizes. This is accomplished by replacing an entire domain name or a list of labels at the end of a domain name with a pointer to a prior occurrence of the same name. The use of a pointer is indicated within the Query Name field when the first two bits equal 1 (e.g. 0x0c). The next byte is then interpreted as a pointer. In the packet detailed above, the pointer itself is at the 12th byte within the DNS data portion of the packet, thereby creating a looping pointer. The DNS compression scheme is discussed in detail in RFC 1035. Successful exploitation of this vulnerability could prevent the WinGate proxy from functioning and thereby deny legitimate users access to network based resources. This vulnerability can be triggered by any user that is able to send packets to the WinGate proxy. A single UDP packet is all that is required and authentication credentials are not needed. Vendor responce: "Qbik acknowledges this to be a bug in WinGate version 6.1.4 and prior." Qbik addressed this vulnerability within version 6.2. CVE Information: CVE-2006-4518 Disclosure Timeline:  * 08/17/2006 - Initial vendor notification  * 10/17/2006 - Initial vendor response  * 10/17/2006 - Second vendor notification  * 11/26/2006 - Coordinated public disclosure  Comments on CVE-2006-4518:  Add new comment:  Subject:  Name/Nick/Email:          Chars Left:	All Sections Security News Unix focus Exploits Tools Windows focus Security Reviews
	Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus

Copyright © 1998-2010 Beyond Security® All rights reserved.
Terms of Use Site Privacy Statement.
SecuriTeam™ is a trademark of Beyond Security®