Home page logo

bugtraq logo Bugtraq mailing list archives

Re: fpf module and packet fragmentation:local/remote DoS.
From: Joachim Blaabjerg <styx () mailbox as>
Date: Sun, 10 Jan 1999 15:03:44 +0100

"XR Agent" <prp_sc () antionline org> wrote:

Fpf kernel module by |CyRaX| [cyrax () pkcrew org] (www.pkcrew.org) alters
linux tcp/ip stack to emulate other OS'es against nmap/queso fingerprints
using parser by FuSyS that reads nmap-os-fingerprints 
for os emulation choice.

However, attempts to send fragmented packets to local or remote machine
with nmap (-sS -f, -sN -f, -sX -f, -sF -f, -sA -f) or hping (hping -f)
using host with loaded fpf.o lead to kernel panic ("Aiee, killing interrupt
handle. Kernel panic: Attempted to kill the idle task ! In interrupt
handler - not syncing.") if run from console or force immediate reboot if
the packet sending tool is run from an xterm. When fpf.o - running machine
recieves nmap / hping fragmented packets from remote hosts system freezes.

Security through obscurity was never a pefect solution, but in the
current case there is also a hefty price to pay: complete inability of
tcp/ip stack of "obscured" machine to deal with packet fragmentation.

Tested on Slackware 7.1 kernel 2.2.16 (i386).


      _clf3_                               (PrP_Sc () antionline org)
      Veneficio, ergo sum.


Email account furnished courtesy of AntiOnline -
AntiOnline - The Internet's Information Security Super Center!

Have you reported this to |CyRaX| himself? I bet you haven't. I reported
this a few months ago, and it has been fixed. I don't know if the version
available at pkcrew.org is updated, but you should at least have notified
|CyRaX| something like a week before you posted this to bugtraq.


Joachim Blaabjerg
styx () mailbox as 

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]