DOS vulnerability tcpflow

Bug #256122 reported by Gerard Wagener
Affects: tcpflow (Ubuntu)
Status: Confirmed
Importance: Undecided
Assigned to: Unassigned

Bug Description

Binary package hint: tcpflow

Ubuntu 7.10
tcpflow version: 0.21-11

In case the same source IP, source port, destination IP and destination port are reused during one capture (pcap file), tcpflow puts all these TCP sessions in a single file even if they belong to different TCP sessions. With the next initial sequence number in the nth TCP session (n>1) a random offset in the file is created. An attacker might generate n sessions using the same source IP, source port, destination IP and destination port and cause random offsets. One file created by tcpflow can reach a size of up to 2GB. If an attacker performs this TCP session generation with various port numbers, the disk can be easily filled or the application that is using the output of tcpflow can run into trouble. As in the ZIP bomb attack, only a few packets are needed to perform this attack.

Proof of concept

tcpdump -i lo -s0 -w test.pcap

i=1235
while [ 1 ]; do
    j=0
    while [ $j -lt 5 ]; do
        cat req.txt | socat - tcp:localhost:80,sourceport=$i,reuseaddr
        sleep 1
        let j=$j+1
    done
    let i=$i+1
done

Hit CTRL+c after a while and launch tcptrace on test.pcap
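The root cause described in the report is that output is keyed only by the 4-tuple, so a second session that reuses the tuple lands at offset (new sequence number minus the first session's ISN), anywhere in the 4 GiB sequence space. The following Python model, added here as an example and not code from tcpflow or from the reporter, reproduces that keying on a constructed set of segments and sets it beside a hardened reassembler that starts a new stream instance on every SYN and refuses offsets beyond a size cap. The segment layout, the `MAX_STREAM_BYTES` cap and all function names are assumptions made for this demo.

```python
"""Flow demultiplexing: naive 4-tuple keying vs. per-session keying.

Added example (not tcpflow's code). Sample segments are constructed
inline; the 16 MiB cap is an assumption for the demo, not a tcpflow value.
"""
from dataclasses import dataclass, field

SEQ_MOD = 1 << 32                    # TCP sequence numbers wrap at 2**32
MAX_STREAM_BYTES = 16 * 1024 * 1024  # assumed cap for one reassembled stream


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    syn: bool
    payload: bytes

    @property
    def key(self):
        """The 4-tuple that the naive demultiplexer keys on."""
        return (self.src, self.sport, self.dst, self.dport)


@dataclass
class Stream:
    isn: int                                   # sequence number of first data byte
    data: dict = field(default_factory=dict)   # file offset -> payload chunk
    dropped: int = 0                           # segments refused by the cap

    def size(self):
        """Sparse extent the output file would have on disk."""
        return max((off + len(b) for off, b in self.data.items()), default=0)


def _first_data_seq(seg):
    # A SYN consumes one sequence number, so data starts at seq + 1.
    return (seg.seq + 1) % SEQ_MOD if seg.syn else seg.seq


def naive_reassemble(segments):
    """One stream per 4-tuple; offset relative to the first ISN ever seen.
    A later session reusing the tuple writes at a huge, attacker-chosen offset."""
    streams = {}
    for seg in segments:
        st = streams.setdefault(seg.key, Stream(isn=_first_data_seq(seg)))
        off = (seg.seq - st.isn) % SEQ_MOD
        if seg.payload:
            st.data[off] = seg.payload
    return streams


def hardened_reassemble(segments, max_bytes=MAX_STREAM_BYTES):
    """One stream per (4-tuple, session instance): a SYN opens a new instance,
    and any write that would extend the stream past max_bytes is dropped."""
    streams = {}  # 4-tuple -> list of Stream instances, in arrival order
    for seg in segments:
        instances = streams.setdefault(seg.key, [])
        if seg.syn or not instances:
            instances.append(Stream(isn=_first_data_seq(seg)))
        st = instances[-1]
        if not seg.payload:
            continue
        off = (seg.seq - st.isn) % SEQ_MOD
        if off + len(seg.payload) > max_bytes:
            st.dropped += 1
            continue
        st.data[off] = seg.payload
    return streams


# Constructed sample: three sessions reuse 10.0.0.1:1235 -> 10.0.0.2:80,
# each with a different ISN, plus one stray far-ahead segment in the third.
T = ("10.0.0.1", 1235, "10.0.0.2", 80)
SAMPLE = [
    Segment(*T, seq=1000, syn=True, payload=b""),
    Segment(*T, seq=1001, syn=False, payload=b"GET /a"),
    Segment(*T, seq=3_000_000_000, syn=True, payload=b""),
    Segment(*T, seq=3_000_000_001, syn=False, payload=b"GET /b"),
    Segment(*T, seq=500, syn=True, payload=b""),
    Segment(*T, seq=501, syn=False, payload=b"GET /c"),
    Segment(*T, seq=100_000_501, syn=False, payload=b"x"),
]

if __name__ == "__main__":
    naive = naive_reassemble(SAMPLE)[T]
    print("naive: one file, sparse size", naive.size(), "bytes")
    for i, st in enumerate(hardened_reassemble(SAMPLE)[T], 1):
        print(f"hardened: session {i} size {st.size()} dropped {st.dropped}")
```

The naive model yields a single output file whose sparse extent is just under 4 GiB after only a handful of packets, which is the effect the report describes (tcpflow itself stops at 2GB per file). The hardened model yields three small files and drops the out-of-window segment, so a capture like the one from the proof of concept cannot inflate disk usage beyond the number of real sessions times the cap.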

Kees Cook (kees)
Changed in tcpflow:
status: New → Confirmed
