SecurityTracker.com
SecurityTracker Archives

Category:   Application (Security)  >   FingerPrintF___er
Vendors:   CyRaX and FuSyS
FingerPrintF___er (fpf) Kernel Module for Emulating OS Fingerprints Allows Remote Users to Crash the Host
SecurityTracker Alert ID:  1001675
SecurityTracker URL:  http://securitytracker.com/id/1001675
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jun 4 2001
Impact:   Denial of service via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  

Description:   A vulnerability was reported in the FingerPrintF___er (fpf) loadable kernel module, a tool designed to make the Linux TCP/IP protocol stack appear like another operating system when scanned. The security issue lets remote users crash the host.

If a remote user sends fragmented packets to a host with the fpf.o module loaded, using nmap (-sS -f, -sN -f, -sX -f, -sF -f, -sA -f), hping (hping -f), or any other tool that can generate IP fragments, the host will ultimately crash. The host will reportedly go into kernel panic if the scanning tool is run from the console and force a reboot if the scanning tool is run from an xterm. The host will reportedly freeze if the scanning tool is run from a remote server.
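The advisory does not say where inside fpf the fault lies, only that fragmented packets take the kernel down. A frequent way for a packet-rewriting module to fail on fragments is to treat every IPv4 datagram as if it carried a full transport header: a non-first fragment has no TCP header at all, and nmap -f splits the TCP header itself into 8-byte pieces, so even the first fragment holds only ports and sequence number, not the flags a fingerprint emulator wants to inspect. The following C example, written for this page and not taken from fpf or its authors, shows the fragment check a defender would expect such a hook to make before it reads TCP fields, together with a constructed packet builder used to exercise it; the function names and the hypothetical root cause are this example's assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Classification returned by classify_ipv4_packet(). */
enum frag_class {
    PKT_MALFORMED  = -1,  /* too short or inconsistent lengths: drop, never inspect */
    PKT_WHOLE      =  0,  /* unfragmented datagram: transport header is present */
    PKT_FIRST_FRAG =  1,  /* offset 0 with MF set: transport header may be truncated */
    PKT_LATER_FRAG =  2   /* non-zero offset: payload only, no transport header */
};

#define IP_MF      0x2000   /* "more fragments" flag in the fragment field */
#define IP_OFFMASK 0x1fff   /* 13-bit fragment offset (in 8-byte units) */

/* Validate the IPv4 header and classify the datagram by its fragment field.
 * ip_hdr_len (optional) receives the header length in bytes. */
int classify_ipv4_packet(const uint8_t *pkt, size_t len, size_t *ip_hdr_len)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return PKT_MALFORMED;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || ihl > len)
        return PKT_MALFORMED;
    uint16_t total_len = (uint16_t)((pkt[2] << 8) | pkt[3]);
    if (total_len < ihl || total_len > len)
        return PKT_MALFORMED;
    uint16_t frag = (uint16_t)((pkt[6] << 8) | pkt[7]);
    if (ip_hdr_len)
        *ip_hdr_len = ihl;
    if (frag & IP_OFFMASK)
        return PKT_LATER_FRAG;
    if (frag & IP_MF)
        return PKT_FIRST_FRAG;
    return PKT_WHOLE;
}

/* Return 1 only when the datagram exposes a complete 20-byte TCP header.
 * This is the gate an OS-emulation hook should pass before touching TCP
 * flags: later fragments and short first fragments (such as the 8-byte
 * pieces produced by nmap -f) yield 0 and must be left alone or reassembled. */
int tcp_header_readable(const uint8_t *pkt, size_t len)
{
    size_t ihl;
    int cls = classify_ipv4_packet(pkt, len, &ihl);
    if (cls == PKT_MALFORMED || cls == PKT_LATER_FRAG)
        return 0;
    if (pkt[9] != 6)                 /* protocol field: not TCP */
        return 0;
    uint16_t total_len = (uint16_t)((pkt[2] << 8) | pkt[3]);
    return (total_len - ihl) >= 20;  /* safe: classify guarantees total_len >= ihl */
}

/* Build a constructed IPv4/TCP sample (zeroed addresses, no checksum; not a
 * real capture) with the given fragment field and tcp_bytes of TCP data.
 * Returns the datagram length, or 0 if the buffer is too small. */
size_t make_ipv4_tcp(uint8_t *buf, size_t cap, uint16_t frag_field, size_t tcp_bytes)
{
    size_t total = 20 + tcp_bytes;
    if (cap < total)
        return 0;
    memset(buf, 0, total);
    buf[0] = 0x45;                           /* IPv4, IHL = 5 words */
    buf[2] = (uint8_t)(total >> 8);
    buf[3] = (uint8_t)(total & 0xff);
    buf[6] = (uint8_t)(frag_field >> 8);
    buf[7] = (uint8_t)(frag_field & 0xff);
    buf[8] = 64;                             /* TTL */
    buf[9] = 6;                              /* protocol: TCP */
    return total;
}

int main(void)
{
    static const char *names[] = { "malformed", "whole", "first fragment", "later fragment" };
    uint8_t b[64];
    size_t n;

    n = make_ipv4_tcp(b, sizeof b, 0x4000, 20);   /* DF set, unfragmented SYN-sized packet */
    printf("unfragmented : %s, tcp readable=%d\n", names[classify_ipv4_packet(b, n, NULL) + 1], tcp_header_readable(b, n));
    n = make_ipv4_tcp(b, sizeof b, 0x2000, 8);    /* MF set, offset 0: first 8-byte fragment */
    printf("first frag   : %s, tcp readable=%d\n", names[classify_ipv4_packet(b, n, NULL) + 1], tcp_header_readable(b, n));
    n = make_ipv4_tcp(b, sizeof b, 0x0001, 8);    /* offset 1 (8 bytes): later fragment */
    printf("later frag   : %s, tcp readable=%d\n", names[classify_ipv4_packet(b, n, NULL) + 1], tcp_header_readable(b, n));
    return 0;
}
```

A hook that only rewrites packets for which tcp_header_readable() returns 1 cannot be driven to read past the end of a short fragment; whether the real fpf bug was of this kind is not stated in the advisory, but the check is the one that makes fragment-based scans a non-event for the module rather than a crash.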

Impact:   A remote user can send fragmented packets to a host protected by fpf to cause the protected host to crash.
Solution:   The vendor released a fixed version. See the Vendor URL for the download.
Vendor URL:  www.pkcrew.org
Cause:   Exception handling error
Underlying OS:  Linux (Any)
Underlying OS Comments:  Tested on Slackware 7.1 kernel 2.2.16 (i386)

Message History:   None.


 Source Message Contents

Subject:  fpf module and packet fragmentation:local/remote DoS.


Fpf kernel module by |CyRaX| [cyrax@pkcrew.org] (www.pkcrew.org) alters the linux tcp/ip stack to emulate other OSes against nmap/queso fingerprints, using a parser by FuSyS that reads nmap-os-fingerprints for the os emulation choice.

However, attempts to send fragmented packets to a local or remote machine with nmap (-sS -f, -sN -f, -sX -f, -sF -f, -sA -f) or hping (hping -f) using a host with loaded fpf.o lead to kernel panic ("Aiee, killing interrupt handle. Kernel panic: Attempted to kill the idle task ! In interrupt handler - not syncing.") if run from console, or force an immediate reboot if the packet sending tool is run from an xterm. When an fpf.o-running machine receives nmap / hping fragmented packets from remote hosts, the system freezes.

Security through obscurity was never a perfect solution, but in the current case there is also a hefty price to pay: complete inability of the tcp/ip stack of the "obscured" machine to deal with packet fragmentation.

Tested on Slackware 7.1 kernel 2.2.16 (i386).

Regards,

      _clf3_                               (PrP_Sc@antionline.org)
     
      Veneficio, ergo sum.


Copyright 2021, SecurityGlobal.net LLC