Bug 107140 - CAN-2003-0795 Remote DoS in zebra
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: zebra
Version: 9
Hardware: i686
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Jay Fenlason
QA Contact: David Lawrence
Reported: 2003-10-15 12:03 UTC by jonny robertson
Modified: 2014-08-31 23:25 UTC (History)
Last Closed: 2003-11-13 08:32:26 UTC
Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2003:307 0 normal SHIPPED_LIVE : Updated zebra packages fix security vulnerabilities 2003-11-13 05:00:00 UTC

Description jonny robertson 2003-10-15 12:03:41 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5b) Gecko/20030831

Description of problem:
A remote DoS condition exists in zebra when layer 3 access is possible to the
telnet management port (2601/tcp).

By sending a telnet option delimiter with no actual option data, zebra will make
a bad memory call and SIGSEGV.

Have tested/confirmed against all zebra versions from 0.90a to 0.93b.


Version-Release number of selected component (if applicable):
zebra-0.93b-1

How reproducible:
Always

Steps to Reproduce:
1. Run zebra on a machine.  
2. From another machine run: printf '\xff\xf0\xff\xf0\xff\xf0' | nc <zebra-host> 2601
3. zebra dies.
    

Actual Results:  Routing daemon goes boom :(


Expected Results:  Zebra should handle this condition.

Additional info:

Program received signal SIGSEGV, Segmentation fault.
0x08051db8 in vty_telnet_option (vty=0x80855b0, buf=0x0, nbytes=452) at vty.c:1141
1141            char *buffer = (char *)vty->sb_buffer->head->data;
(gdb) bt
#0  0x08051db8 in vty_telnet_option (vty=0x80855b0, buf=0x0, nbytes=452) at vty.c:1141
#1  0x08051fb5 in vty_read (thread=0xbfffe7ac) at vty.c:1289
#2  0x08058ab0 in thread_call (thread=0xbfffea30) at thread.c:627
#3  0x0804b4e0 in main (argc=0, argv=0xbfffea30) at main.c:310
#4  0x420156a4 in __libc_start_main () from /lib/tls/libc.so.6
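
Added example, not part of the original report and not zebra's code: a minimal telnet command parser in C that tracks whether a subnegotiation is open, so the input from the steps above (IAC SE, bytes 0xff 0xf0, with no preceding IAC SB) is counted and ignored instead of reaching option data that was never buffered. The struct, the function names and the 64-byte limit are assumptions made for illustration.

```c
#include <stddef.h>
enum { SE = 0xf0, SB = 0xfa, WILL = 0xfb, DONT = 0xfe, IAC = 0xff, SB_MAX = 64 };

/* Hypothetical per-connection state; names are illustrative, not zebra's. */
struct tn {
    enum { DATA, GOT_IAC, GOT_NEG } st;
    int in_sb;                 /* 1 between IAC SB and IAC SE */
    unsigned char sb[SB_MAX];  /* fixed array, so there is no pointer to be NULL */
    size_t sb_len;
    unsigned done, stray_se;   /* completed subnegotiations / SE without SB */
};

/* Consume n bytes from the peer, updating the state and counters in t. */
void tn_feed(struct tn *t, const unsigned char *p, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        unsigned char c = p[i];
        if (t->st == GOT_NEG) {            /* option byte after WILL..DONT */
            t->st = DATA;
        } else if (t->st == DATA) {
            if (c == IAC)
                t->st = GOT_IAC;
            else if (t->in_sb && t->sb_len < SB_MAX)
                t->sb[t->sb_len++] = c;    /* bytes past SB_MAX are dropped */
        } else {                           /* GOT_IAC: c is the command byte */
            t->st = DATA;
            if (c == SB) {
                t->in_sb = 1;
                t->sb_len = 0;
            } else if (c == SE) {
                if (t->in_sb) t->done++;   /* sb[0..sb_len) is valid to read */
                else t->stray_se++;        /* delimiter with no option data */
                t->in_sb = 0;
            } else if (c >= WILL && c <= DONT) {
                t->st = GOT_NEG;
            } else if (c == IAC && t->in_sb && t->sb_len < SB_MAX) {
                t->sb[t->sb_len++] = IAC;  /* escaped 0xff inside SB data */
            }
        }
    }
}

/* Parse one buffer from a fresh state and return the resulting state. */
struct tn tn_parse(const unsigned char *p, size_t n)
{
    struct tn t = {0};
    tn_feed(&t, p, n);
    return t;
}
```

The `stray_se` counter is also a convenient value to log per connection, since a well-behaved telnet client never sends SE without a matching SB.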

Comment 1 Mark J. Cox 2003-10-20 09:01:37 UTC
I've assigned CAN-2003-0795 to track this issue

Comment 2 Mark J. Cox 2003-10-30 10:33:12 UTC
Errata is in progress with a patch to correct this issue, will be
RHSA-2003:307

Comment 3 Mark J. Cox 2003-11-13 08:32:26 UTC
An errata has been issued which should help the problem described in this bug report. 
This report is therefore being closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files, please follow the link below. You may reopen 
this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2003-307.html


Comment 4 Jonas Frey 2003-11-14 21:10:18 UTC
This bug doesn't only affect port 2601 (zebra itself) but rather all
ports zebra listens on (2605/bgpd for example), too.

Comment 5 Gunther 2003-11-15 00:54:43 UTC
Adding the option "-A 127.0.0.1" to your daemon's start scripts will 
prevent connections from the outside.

Comment 6 Thomas Lotterer 2003-11-20 20:12:50 UTC
Please note that the -A option is largely broken on Zebra v0.93b, see 
zebra.patch on http://cvs.openpkg.org/chngview?cn=11017


