6579656 2001-06-02 13:45 -0700  /30 lines/ XR Agent <prp_sc@antionline.org>
Sent by: joel@lysator.liu.se
Imported: 2001-06-04  18:36  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <17247>
Subject: fpf module and packet fragmentation:local/remote DoS.
------------------------------------------------------------
From: "XR Agent" <prp_sc@antionline.org>
To: bugtraq@securityfocus.com
Message-ID: <200106022045.NAA30296@mail8.bigmailbox.com>

The fpf kernel module by |CyRaX| [cyrax@pkcrew.org] (www.pkcrew.org)
alters the Linux TCP/IP stack to emulate other OSes against nmap/queso
fingerprinting, using a parser by FuSyS that reads nmap-os-fingerprints
to select the OS to emulate.

However, attempts to send fragmented packets to the local or a remote
machine with nmap (-sS -f, -sN -f, -sX -f, -sF -f, -sA -f) or hping
(hping -f) from a host with fpf.o loaded lead to a kernel panic ("Aiee,
killing interrupt handle. Kernel panic: Attempted to kill the idle
task ! In interrupt handler - not syncing.") if run from the console, or
force an immediate reboot if the packet-sending tool is run from an
xterm. When a machine running fpf.o receives nmap / hping fragmented
packets from a remote host, the system freezes.

Security through obscurity was never a perfect solution, but in the
current case there is also a hefty price to pay: complete inability
of the TCP/IP stack of the "obscured" machine to deal with packet
fragmentation.

Tested on Slackware 7.1 kernel 2.2.16 (i386).
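As an added illustration (not part of the original post or of fpf), the following Python parses IPv4 headers and flags the tiny first fragments that nmap -f style probes produce, i.e. the kind of traffic the post reports crashing hosts running fpf.o. The packets are constructed inline; the 8-byte fragment size and addresses are assumptions for the sample.

```python
import struct
from dataclasses import dataclass

@dataclass
class IPv4Frag:
    src: str
    dst: str
    ident: int
    proto: int
    offset: int      # fragment offset in bytes
    more: bool       # MF flag
    payload_len: int # bytes following the IP header

def parse_ipv4(pkt: bytes) -> IPv4Frag:
    """Decode the fields needed to reason about fragmentation."""
    ver_ihl, _tos, total_len, ident, flags_frag, _ttl, proto = struct.unpack("!BBHHHBB", pkt[:10])
    ihl = (ver_ihl & 0x0F) * 4
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    return IPv4Frag(src, dst, ident, proto,
                    (flags_frag & 0x1FFF) * 8, bool(flags_frag & 0x2000), total_len - ihl)

def is_fragment(f: IPv4Frag) -> bool:
    return f.more or f.offset > 0

def is_tiny_first_fragment(f: IPv4Frag) -> bool:
    """RFC 1858 style check: a first TCP fragment too short to hold a 20-byte TCP header."""
    return f.proto == 6 and f.offset == 0 and f.more and f.payload_len < 20

def suspicious_sources(packets) -> dict:
    """Count tiny first fragments per source address (a simple detection signal)."""
    counts = {}
    for pkt in packets:
        f = parse_ipv4(pkt)
        if is_tiny_first_fragment(f):
            counts[f.src] = counts.get(f.src, 0) + 1
    return counts

def build_ipv4(src, dst, ident, proto, offset, more, payload: bytes) -> bytes:
    """Constructed packet builder (checksum left zero; offline sample only)."""
    flags_frag = (0x2000 if more else 0) | (offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_frag, 64, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr + payload

def nmap_style_fragments(src, dst, ident, frag_size=8) -> list:
    """Split a constructed 20-byte TCP SYN header into frag_size-byte IP fragments (assumed nmap -f behaviour)."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 0x50, 0x02, 1024, 0, 0)
    chunks = [tcp[i:i + frag_size] for i in range(0, len(tcp), frag_size)]
    return [build_ipv4(src, dst, ident, 6, i * frag_size, i < len(chunks) - 1, c)
            for i, c in enumerate(chunks)]
```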

Regards,

      _clf3_                               (PrP_Sc@antionline.org)
     
      Veneficio, ergo sum.

(6579656) /XR Agent <prp_sc@antionline.org>/(Reflowed)