Vulnerable:
APC PowerNet SNMP module (v3.0.0, firmware revision 82.9.D MWD)
3Com's HiPer ARCs 4.1.11
More vulnerable systems are listed after the code.

// nestea.c by humble of rhino9 4/16/98
// This exploits the "off by one ip header" bug in the linux ip frag code.
// Crashes linux 2.0.* and 2.1.*  and some windows boxes
// this code is a total rip of teardrop - it's messy
// hi sygma

#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 

[snip...]

    fprintf(stderr, "Nestea by humble\nCode ripped from teardrop by route / daemon9\n");
    fprintf(stderr, "Death on flaxen wings (yet again):\n");
    addr.s_addr = src_ip;
    fprintf(stderr, "From: %15s.%5d\n", inet_ntoa(addr), src_prt);
    addr.s_addr = dst_ip;
    fprintf(stderr, "  To: %15s.%5d\n", inet_ntoa(addr), dst_prt);
    fprintf(stderr, " Amt: %5d\n", count);
    fprintf(stderr, "[ ");

[snip...]
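
The header comment above places the bug in IP fragment reassembly, and teardrop-style attacks depend on fragments whose offsets and lengths are inconsistent with each other. The following is an added example, not part of nestea.c or of any post on this page: a pre-reassembly sanity check that a filter or IDS could run over the fragments of one datagram. The `struct frag` layout, the 64-fragment cap and all names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdlib.h>

/* One received fragment of a single IPv4 datagram (hypothetical struct).
 * All fields are already converted to host byte order. */
struct frag {
    uint16_t frag_off;  /* flags (top 3 bits) + offset in 8-byte units */
    uint16_t tot_len;   /* total length from the IP header, in bytes */
    uint8_t  ihl;       /* header length in 32-bit words */
};

enum frag_verdict { FRAG_OK = 0, FRAG_BAD_HDR, FRAG_TOO_LONG,
                    FRAG_OVERLAP, FRAG_BAD_MF };

struct span { uint32_t start, end; int mf; };

static int by_start(const void *a, const void *b) {
    const struct span *x = a, *y = b;
    return (x->start > y->start) - (x->start < y->start);
}

/* Validate a fragment set before any reassembly buffer is touched.
 * Exact duplicates are reported as overlaps; dropping them is a policy choice. */
enum frag_verdict check_frags(const struct frag *f, size_t n) {
    struct span s[64];                       /* assumed per-datagram cap */
    if (n == 0 || n > 64) return FRAG_BAD_HDR;
    for (size_t i = 0; i < n; i++) {
        uint32_t hlen = (uint32_t)f[i].ihl * 4;
        /* Header must be 20..60 bytes and leave room for payload. */
        if (f[i].ihl < 5 || f[i].ihl > 15 || hlen >= f[i].tot_len)
            return FRAG_BAD_HDR;
        s[i].start = (uint32_t)(f[i].frag_off & 0x1FFF) * 8;
        s[i].end   = s[i].start + (f[i].tot_len - hlen);
        s[i].mf    = (f[i].frag_off & 0x2000) != 0;
        /* Every fragment except the last carries a multiple of 8 bytes. */
        if (s[i].mf && (s[i].end - s[i].start) % 8) return FRAG_BAD_MF;
        /* Payload may not run past 65535 minus the minimum header. */
        if (s[i].end > 65535 - 20) return FRAG_TOO_LONG;
    }
    qsort(s, n, sizeof s[0], by_start);
    for (size_t i = 0; i + 1 < n; i++) {
        if (s[i + 1].start < s[i].end) return FRAG_OVERLAP;
        if (!s[i].mf) return FRAG_BAD_MF;    /* data after the final fragment */
    }
    return FRAG_OK;
}
```

All arithmetic is done in unsigned 32-bit values computed from validated header fields, so a short or contradictory fragment is rejected before any length is used for a copy.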

=-=

From andrewh@WPI.EDU Sat Apr 25 00:29:51 1998
From: Andrew 
To: BUGTRAQ@NETSPACE.ORG
Date: Tue, 21 Apr 1998 22:50:55 -0400
Subject: "Off By One IP Header" Exploit Against PalmOS 2.0.4

I was really bored the other day and decided to see if my PalmPilot was
susceptible to the widely distributed 'nestea' exploit.  After cradling my
PalmPilot Pro, and establishing a PPP connection with an MTU of 1500, I
tried a nestea of one packet against the Pilot's IP.  After about 2 to 3
seconds, the Pilot popped up an error window like:
                          ______________________
                         |                      |
                         |                      |
                         |                      |
                         | ____________________ |
                         ||    Fatal Error     ||
                         ||~~~~~~~~~~~~~~~~~~~~||
                         || Fatal Exception    ||
                         ||       _____        ||
                         ||      (Reset)       ||
                         ||       ~~~~~        ||
                          ~~~~~~~~~~~~~~~~~~~~~~

I suffered no data loss, but it's kind of annoying to have to re-boot your
pilot.  I've tried to contact 3Com, but I've received no response from
them as to where to report PalmOS bugs.  Questions I'd like to pose to the
reader:

1) When dialing up with the normal Palm PPP stack (not PPP-over-cradle),
will the attack still work (ie, will it negotiate a high enough MTU to
allow the crash packet through).
2) Does it also affect PalmOS 3.x (and other 2.x, for that matter)?
3) Does anyone know where to report these bugs to 3Com?

Bye,

-=[ Andrew Hobgood ]|[ Kha0S@EFNet

=-=

From: Ivan Moore 
To: BUGTRAQ@NETSPACE.ORG
Date: Fri, 1 May 1998 11:57:03 -0600
Subject: nestea does other things

I have found a weird thing that I am still trying to test to make sure that it's
actually doing that.  But, I was testing out the nestea2 on an IP range and ended up
dropping a 3COM router.  (now keep in mind this thing prolly hasn't had any updates in
a long time)...but I was just wondering if anyone else has seen this?

=-=

From: Gereon Ruetten 
To: BUGTRAQ@NETSPACE.ORG
Date: Fri, 1 May 1998 20:27:15 +0200
Subject: Re: nestea does other things

Same effect on a Magnum 5000 Ethernet-Switch
(http://www.garrettcom.com/m5000.html) with
actual firmware.

Gereon Ruetten

=-=

From: Vesselin Mladenov (root@NETBG.COM)
To: BUGTRAQ@netspace.org
Date: Mon, 26 Oct 1998 18:51:09 +0000
Subject: USR Netserver 8/16 vulnerable to nestea attack

Three days ago I found out that USR Netserver 8/16 V.34, running version
2.0.14 OS is vulnerable to nestea DoS attack (for more info look up in
http://www.rootshell.com).
I alarmed 3COM by sending them e-mail about the problem and exact behaviour
of the NAS I was playing with.