Return-Path: owner-bugtraq@SECURITYFOCUS.COM MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4133.2400 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Message-ID: <00b901c0bd90$cb5c0680$71002d0a@dk.defcomsec.com> Date: Thu, 5 Apr 2001 07:25:14 +0200 Reply-To: =?iso-8859-1?Q?Peter_Gr=FCndl?= Sender: Bugtraq List From: =?iso-8859-1?Q?Peter_Gr=FCndl?= Subject: def-2001-18: Watchguard Firebox II Kernel DoS To: BUGTRAQ@SECURITYFOCUS.COM ====================================================================== Defcom Labs Advisory def-2001-18 Watchguard Firebox II Kernel DoS Authors: Andreas Sandor Peter Grdl Release Date: 2001-04-05 ====================================================================== ------------------------=[Brief Description]=------------------------- This vulnerability makes it possible to force the Firebox into a condition where it stops responding to packets of a certain protocol after it has been sent large bursts of packets for that protocol. ------------------------=[Affected Systems]=-------------------------- Watchguard FireboxII Versions * All versions prior to 4.6 ----------------------=[Detailed Description]=------------------------ The Linux-based kernel in the Watchguard Firebox has problems handling certain types of malformed packets. If the firewall is subjected to a burst of around 10.000 of these packets, it will cause a kernel fault and either crash or reboot. Both TCP and ICMP are affected by this and the burstrate needed to achieve a kernel fault was about one megabit in our testlab, which isn't that uncommon these days. If the firewall manages to log the attack, the log file might look something like this: kernel: Unable to handle kernel paging request at virtual address c4000000 kernel: current->tss.cr3 = 03557000, %cr3 = 03557000 kernel: *pde = 00000000 kernel: Oops: 0000 kernel: CPU: 0 kernel: EIP: 0010:[<00186379>] kernel: EFLAGS: 00010206 kernel: eax: 8c807bd9 ebx: 636f7270 ecx: 07f65441 edx: ffffffff kernel: esi: 04000000 edi: 02ca8818 ebp: 02ca882c esp: 03be7f08 kernel: ds: 0018 es: 0018 fs: 002b gs: 002b ss: 0018 kernel: Process ifconfig (pid: 153, process nr: 6, stackpage=03be7000) kernel: Stack: 00000013 03049b98 00153ad4 02ca8840 ffffffff 00000000 09002d0a 02ca8818 kernel: 0000002e 03be7f80 00000013 02ca8848 0013f845 00000002 0013f9b9 03be7f88 kernel: 001a3e54 00000000 02ca8848 0019ca48 0019ca48 002af018 00000000 00000000 kernel: Call Trace: [<00153ad4>] [<0013f845>] [<0013f9b9>] [<001389d0>] [<001181f3>] [<0010a62f>] kernel: Code: 8b 1e 11 d8 8b 5e 04 11 d8 8b 5e 08 11 d8 8b 5e 0c 11 d8 8b kernel: Aiee, killing interrupt handler But most of the time the firewall just crashes without any indication of foul play in the log file. Even if the firewall crashes, some network related tasks will still function. ---------------------------=[Workaround]=----------------------------- Obtaining version 4.6 requires membership of LiveSecurity http://www.watchguard.com/support Information about LiveSecurity can be obtained from the vendor http://www.watchguard.com -------------------------=[Vendor Response]=-------------------------- The Vendor was contacted February 23rd, 2001 and an update was released on March 24th, 2001. ====================================================================== This release was brought to you by Defcom Labs labs@defcom.com www.defcom.com ======================================================================