Bug 107140 - CAN-2003-0795 Remote DoS in zebra
Product: Red Hat Linux
Classification: Retired
Component: zebra
i686 Linux
medium Severity medium
Assigned To: Jay Fenlason
David Lawrence
: Security
Reported: 2003-10-15 08:03 EDT by jonny robertson
Modified: 2014-08-31 19:25 EDT
Doc Type: Bug Fix
Last Closed: 2003-11-13 03:32:26 EST

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2003:307 normal SHIPPED_LIVE : Updated zebra packages fix security vulnerabilities 2003-11-13 00:00:00 EST

Description jonny robertson 2003-10-15 08:03:41 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5b) Gecko/20030831

Description of problem:
A remote DoS condition exists in zebra when layer 3 access is possible to the
telnet management port (2601/tcp).

By sending a telnet option delimiter with no actual option data, zebra will make
a bad memory call and SIGSEGV.

Have tested/confirmed against all zebra versions from 0.90a to 0.93b.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Run zebra on a machine.  
2. From another machine run: printf '\xff\xf0\xff\xf0\xff\xf0' | nc <zebra-host>
3. zebra dies.

Actual Results:  Routing daemon goes boom :(

Expected Results:  Zebra should handle this condition.

Additional info:

Program received signal SIGSEGV, Segmentation fault.
0x08051db8 in vty_telnet_option (vty=0x80855b0, buf=0x0, nbytes=452) at vty.c:1141
1141            char *buffer = (char *)vty->sb_buffer->head->data;
(gdb) bt
#0  0x08051db8 in vty_telnet_option (vty=0x80855b0, buf=0x0, nbytes=452) at
#1  0x08051fb5 in vty_read (thread=0xbfffe7ac) at vty.c:1289
#2  0x08058ab0 in thread_call (thread=0xbfffea30) at thread.c:627
#3  0x0804b4e0 in main (argc=0, argv=0xbfffea30) at main.c:310
#4  0x420156a4 in __libc_start_main () from /lib/tls/libc.so.6
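
Added example, not part of the original report, and neither zebra's code nor the errata patch: the bytes 0xff 0xf0 in the reproduction step are telnet IAC SE (end of subnegotiation) arriving with no IAC SB before them. The C parser below tracks whether a subnegotiation is open, so a stray IAC SE is counted and ignored instead of touching an unset buffer; `struct tn`, `tn_feed`, `sb_put` and `SB_MAX` are hypothetical names.

```c
#include <stddef.h>
#define IAC 0xff   /* "interpret as command" */
#define SB  0xfa   /* subnegotiation begin */
#define SE  0xf0   /* subnegotiation end */
#define SB_MAX 32  /* hypothetical payload cap */
enum tn_state { TN_DATA, TN_IAC, TN_OPT, TN_SB, TN_SB_IAC };
struct tn {
    enum tn_state state;
    unsigned char sb[SB_MAX];  /* subnegotiation payload */
    size_t sb_len;
    unsigned completed;        /* well-formed IAC SB ... IAC SE blocks */
    unsigned stray_se;         /* IAC SE with no subnegotiation open */
};

static void sb_put(struct tn *t, unsigned char c)
{
    if (t->sb_len < SB_MAX) t->sb[t->sb_len++] = c;  /* bytes past the cap are dropped */
}

/* Feed n input bytes; copies plain data to out (capacity >= n), returns its length. */
size_t tn_feed(struct tn *t, const unsigned char *in, size_t n, unsigned char *out)
{
    size_t o = 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = in[i];
        switch (t->state) {
        case TN_DATA:
            if (c == IAC) t->state = TN_IAC; else out[o++] = c;
            break;
        case TN_IAC:
            if (c == IAC)       { out[o++] = c; t->state = TN_DATA; }  /* escaped 0xff */
            else if (c == SB)   { t->sb_len = 0; t->state = TN_SB; }
            else if (c == SE)   { t->stray_se++; t->state = TN_DATA; } /* nothing to end */
            else if (c >= 0xfb) t->state = TN_OPT;  /* WILL/WONT/DO/DONT: skip option byte */
            else                t->state = TN_DATA; /* other two-byte commands */
            break;
        case TN_OPT: t->state = TN_DATA; break;
        case TN_SB:
            if (c == IAC) t->state = TN_SB_IAC; else sb_put(t, c);
            break;
        case TN_SB_IAC:
            if (c == SE) { t->completed++; t->state = TN_DATA; }
            else         { sb_put(t, c); t->state = TN_SB; }
            break;
        }
    }
    return o;
}
```

A non-zero `stray_se` on a management session is also a cheap signal to log, since a well-behaved telnet client never sends IAC SE outside a subnegotiation.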
Comment 1 Mark J. Cox 2003-10-20 05:01:37 EDT
I've assigned CAN-2003-0795 to track this issue
Comment 2 Mark J. Cox 2003-10-30 05:33:12 EST
Errata is in progress with a patch to correct this issue, will be
Comment 3 Mark J. Cox 2003-11-13 03:32:26 EST
An errata has been issued which should help the problem described in this bug report. 
This report is therefore being closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files, please follow the link below. You may reopen 
this bug report if the solution does not work for you.

Comment 4 Jonas Frey 2003-11-14 16:10:18 EST
This bug doesn't only affect port 2601 (zebra itself) but rather all
ports zebra listens on (2605/bgpd for example), too.
Comment 5 Gunther 2003-11-14 19:54:43 EST
Adding the option "-A" to your daemon's startscripts will 
prevent connections from the outside.
Comment 6 Thomas Lotterer 2003-11-20 15:12:50 EST
Please note that the -A option is largely broken on Zebra v0.93b, see 
zebra.patch on http://cvs.openpkg.org/chngview?cn=11017
