Jolt2 Vulnerable systems enable a remote attacker to cause a Denial of Service by sending a large number of identical fragmented IP packets.
Exploit Details:
Name: Jolt2.c
CVE Number: CVE-2000-0305
Variants: None
Written by: Joe Church
Operating System: Windows 95/98/NT4/2000, Be/OS 5.0, Cisco 26xx, Cisco 25xx, Cisco 4500, Cisco 36xx, Network Associates Gauntlet, Webshield, Firewall-1 from Checkpoint on Solaris, NT, Nokia firewall, Bay router (Nortel) firewall, Fore
Protocol Description Jolt2 enables remote users across different networks to send IP fragment-driven Denial of Service attacks against multiple operating systems by making the remote (victim’s) machine utilize 100 percent of its Central Processing Unit when it attempts to process the illegal IP packets.
This attack, which uses identical fragmented IP Packets, causes the remote (victim’s) machine to lock up for the duration of the attack. The Central Processing Unit exhausts 100 percent of its processing time trying to process the packets, which causes both the user interface and the network interface to lock up.
How the Exploit WorksBy utilizing Jolt2, an attacker can prevent a machine from performing work by utilizing the CPU of the selected machine. It is important to note that the machine is unusable and the attacker is not able to compromise data on the machine or gain administrative privileges. Jolt2 relies on IP fragmentation, in which IP datagrams are divided into smaller data packets during transit. Because the maximum frame size varies from network to network, fragmentation may be required because every network architecture carries data in groups called frames. Fragmentation occurs when an IP datagram enters a network whose maximum frame size is smaller than the size of the datagram. At this point, the datagrams are split into fragments. The fragmented packets then travel separately to their assigned destination. Then the destination computer re-assembles the fragmented packets and processes them.
In Windows 9x, NT4, or 2000, vulnerabilities exist because of a flaw in the way the system performs IP fragment re-assembly. When malformed IP fragments are directed against a targeted host, the work factor associated with performing IP fragment re-assembly can be driven extremely high by varying the data rate at which the fragments are sent. If fragmented packets are transmitted at a rate of 150 packets per second, the CPU of the target machine is forced to exhaust 100 percent of its resources, causing the machine to halt. Windows does not correctly perform IP fragment re-assembly. The targeted machine is affected as long as the attacker is sending malformed, Jolt2 packets. The target machine returns to normal after the packet storm is completed.
If using the Gauntlet Firewall, the Denial of Service affects Hyper Text Transport Protocol Web traffic. The daemon crashes and dumps a core file, thus preventing the HTTP proxy from checking policy, resulting in new connections failing.
If you are using the Checkpoint Firewall-1, Jolt2 uses the fact that this firewall does not usually look at or log fragmented packets until the packets are re-assembled. With this attack, the Checkpoint Firewall-1 is forced to exhaust 100 percent of its CPU power to attempt to re-assemble the packets. By trying to re-assemble these malformed packets, the firewall denies service to other services and requests.
The data sent is 29 bytes (20 IP + 9 data), which is valid because it is a last fragment (MF=0). However, the total length reported by the IP header is 68 bytes. This malformed packet should fail structural tests if there are any in place.
Acknowledgement of a packet with a reported length larger than the actual received length is a normal occurrence. This happens whenever a packet is truncated during transport. Because the IP Header is 20 bytes, the amount of IP data is 48 bytes due to the packet size of 68 bytes. Because the offset is 65520, and the length of IP data is 48 bytes equaling 65568, this results in a IP packet length overflow because the maximum allowed length is 65535. Note, however, that the data sent (9 bytes) does not cause an overflow. Fragments are flagged as being “last fragments”.
The following is how the packets look traveling across a network from the attacker to the victim:
06:58:06.276478 attacker > 192.168.7.10: (frag 1109:9@65520)06:58:06.279297 attacker > 192.168.7.10: (frag 1109:9@65520)06:58:06.279625 attacker > 192.168.7.10: (frag 1109:9@65520)06:58:06.279939 attacker > 192.168.7.10: (frag 1109:9@65520)06:58:06.280251 attacker > 192.168.7.10: (frag 1109:9@65520)06:58:06.280563 attacker > 192.168.7.10: (frag 1109:9@65520)06:58:06.280876 attacker > 192.168.7.10: (frag 1109:9@65520)06:58:06.281189 attacker > 192.168.7.10: (frag 1109:9@65520)06:58:06.281501 attacker > 192.168.7.10: (frag 1109:9@65520)06:58:06.281814 attacker > 192.168.7.10: (frag 1109:9@65520)06:58:06.282134 attacker > 192.168.7.10: (frag 1109:9@65520)06:58:06.282448 attacker > 192.168.7.10: (frag 1109:9@65520)06:58:06.282752 attacker > 192.168.7.10: (frag 1109:9@65520)06:58:06.282942 attacker > 192.168.7.10: (frag 1109:9@65520)
How to Use ItThe exploit jolt2.c can be located at
http://www.antiserver.it/Denial-Of-Service/, and it can be downloaded in its source code form (also its mods). After the exploit is downloaded, the exploit must still be compiled on the operating system of choice, which must be a UNIX flavor, such as Redhat Linux, Mandrake Linux, or Slackware Linux. To compile the exploit, simply use the make command at a command prompt with the name of the exploit, excluding the “.c” at the end of the file name. For Example: # make jolt2
If the file compiles cleanly without any errors, you will have an executable file named Jolt2. To find out the syntax of the command along with the switches it uses, simply use the –h switch, and the syntax of the Jolt2 displays on the screen. When you use the –h option the syntax is:
./jolt2 <src address> -p <port number> <destination address> Even before you launch the attack, you must make sure that the victim’s machine is susceptible against this sort of attack, and because we know that many Microsoft Windows machines are susceptible by conducting research on the web, we can scan the network first using nmap from www.insecure.org to find Windows machines located on the network. Nmap is a utility tool used to map networks and also scan hosts by telling the attacker what ports or hosts are alive. Nmap can also give an estimated guess on what type of operating system the machine is currently running.
After we have located a machine that matches our required results
(192.168.7.10 / Windows NT 4.0) we can use the attack, for example:
#./jolt2 192.168.5.1 -p 80 192.168.7.10 The above command launches the attack from the attacker’s machine with a spoofed IP address of 192.168.5.1 against IP address 192.168.7.10 (the victim’s Windows NT machine) on port 80 (HTTP). The Windows NT (victim’s Machine) CPU resources reach 100 percent and cause the system to lock-up. There is not a set number of packets sent, they are just sent as fast as the attacking machine can send them. Now at this point, there are several options the attacker can do. For instance, if the attacker had a sniffer on the network, so he was able to observe communications between two hosts on the network, and he wanted to take over the conversation, he could use Jolt2 to tie up one machine while he takes over the conversation and assumes the identity of the other machine. This type of attack is called session hijacking. To complete this task, the attacker must be able to properly guess the sequence number of the host for which he is taking over the conversation.
The Jolt2 exploit can also be used to make a targeted host on a network exhaust 100 percent of its CPU, which causes the machine to lockup. The user of the targeted machine may become frustrated and restart the targeted machine by turning the machine off at the power source. The attacker on the same network could use the L0phtcrack password sniffer to capture the login screen name and the password of the targeted Windows NT Client Machine as it logs onto the domain and authenticates through the Primary Domain Controller. L0phtcrack then cracks the password and now the attacker owns the machine. Also, if the user has been placed in a global group and is trusted in other domains, then the attacker now has access to other domains.
This attack can also be used to bypass Intrusion Detection Systems that may reside on the network. Tiny fragments attacks, such as Jolt2.c, are designed to fool IDS systems by creating packets that are too small and do not contain the source and destination port numbers. Because IDS systems are looking for port numbers to make filtering decisions, they could allow the tiny fragments through and do not alert the system of them.
Signature of the AttackThe following is the signature of the attack:
06:58:06.276478 attacker > 192.168.7.10: (frag 1109:9@65520)
06:58:06.279297 attacker > 192.168.7.10: (frag 1109:9@65520)
06:58:06.279625 attacker > 192.168.7.10: (frag 1109:9@65520)
06:58:06.279939 attacker > 192.168.7.10: (frag 1109:9@65520)
06:58:06.280251 attacker > 192.168.7.10: (frag 1109:9@65520) The data sent is 29 bytes (20 IP + 9 data), which is valid because it is a last fragment (MF=0). However, the total length reported by the IP header is 68 bytes. As stated earlier, this malformed packet should fail structural tests, if there are any in place.
If a victim is attempting to block this attack, there are a couple signatures that detect this attack. In the packets you can see that the source and destination port numbers of the hosts are missing. You could design filters that would drop IP fragmented tiny packets that do not include TCP source and destination port numbers. You can see from the packets that the fragment ID number remains the same throughout the attack. The fragment ID number of 1109 could be used in a rule set to block fragments with the ID number of 1109.
How to Protect Against It On stateful packet-filtering firewalls, the packet fails integrity tests. The reported length (68) is much larger than the received length (29). However, a broken router may decide to send 68 bytes when forwarding it (adding 39 bytes of random padding). This incarnation of the attack is also illegal because it wraps the IP packet size limit. The IP data length reported is 48, and the offset is 65520. If the firewall has any sort of fragment reassembly, it shouldn’t forward a single packet because there are no valid fragments preceding the attack sequence. If the firewall maps fragments to open connections, it should detect that there is no open connection for this particular packet, thereby discarding it.
On Proxy firewalls, a proxy function never passes this attack pattern to the protected network (assuming that there is no packet filtering functionality applied to the firewall). If the proxy firewall is running on a vulnerable OS, and it doesn’t have its own network layer code (relying on the MS stack), the attacks cause a DOS attack against the firewall itself, effectively crashing the entire connection.
On any other type of firewall, if the firewall does fragment reassembly in an incorrect way (maybe by trusting vulnerable MS stacks to do it), it is vulnerable to the attack, regardless of which type of firewall it is.
All manufacturers have produced patches for their products. Manufacturers have also suggested solutions outside of the patches.
In the case of Gauntlet, it is recommended to deny any connection to port 8999 on the firewall. For Checkpoint, it is recommended that console logging be disabled. Microsoft suggests installation of the patch. All other Routers should filter the fragmented IP packets, if possible.
In the case of network Intrusion Detection Systems, make sure they are up to date with the newest patches available. For sensitive machines, you should use a host-based IDS, and harden all systems by closing all unused service ports!
In the Windows environment, Microsoft has released several patches for its effected operating systems.
Checkpoint:
http://www.checkpoint.com/techsupport/alerts/ipfrag_dos.html As taken from Check Point’s web site, “Check Point is in the process of building new kernel binaries that will modify the mechanism by which fragment events are written to the host system console, as well as providing configurable options as to how often to log. In addition and independent of the console message writing, with the new binaries FireWall-1 administrators will be able use the Check Point log file method for reporting fragmentation events. These binaries will be released shortly in Service Pack 2 of FireWall-1 version 4.1, for 4.1 users, and as a Service Pack 6 Hot Fix for FireWall-1 version 4.0 users.”
As an interim workaround, customers can disable the console logging, thereby mitigating this issue by using the following command line on their FireWall-1 module(s):
$FWDIR/bin/fw ctl debug -buf This takes effect immediately. This command can be added to the $FWDIR/bin/fw/fwstart command to be enabled when the firewall software is restarted. It should be noted that although this command disables fragmentation console output messages, and standard log messages, (for example, Long, Short, control messages, and so forth.) they continue to operate in their traditional way. You can find out more at:
Network Associates: Gauntlet Firewall
http://www.tis.com/support/cyberadvisory.html Additional Information
Additional information can be found at the following sites:
http://www.antionline.com http://www.sans.orgBubonic Bubonic.c is a DOS exploit that can be run against Windows 2000 machines and certain versions of Linux (worked against an Ultra5 running Redhat Zoot). It works by randomly sending TCP packets with random settings with the goal of increasing the load of the machine, so that it eventually crashes.
Exploit Details:
Name: Bubonic
Variants: Many different types of Denial of Service exploits exist under different names.
Operating System: Windows 98, Windows 2000
Protocols/Services: IP & TCP
Written up by: Andy Siske
Protocol Description: Bubonic utilizes the TCP/IP protocol stack to effect its Denial of Service. The Internet Protocol (IP) is the standard means by which data is transferred (through encapsulation) over the Internet. IP is a connectionless, datagram-oriented service that does not concern itself with reliability. The IP header (which operates at the Network Layer of the OSI model) contains several components to ensure it is delivered to the appropriate host.
Transmission Control Protocol (TCP) on the other hand, is a connection-oriented protocol that uses a series of sequence and acknowledgement numbers and flow control to ensure data is reliably delivered to its destination. TCP operates at the Transport layer of the OSI model. The TCP header contains the source and destination ports as well as the sequence and acknowledgement numbers. Because TCP does not contain the source and destination IP address, TCP must be encapsulated within the IP datagram to properly arrive at its destination. This IP datagram is then further encapsulated within an Ethernet frame (if it’s an Ethernet network), which operates at the Data Link Layer of the OSI model. All this is then transmitted into a series of bits that are sent across the physical media (the Physical Layer of the OSI model).
When the destination host receives the data, the opposite then takes place. First, the MAC address is read from the Ethernet frame, and the NIC card checks to see if it is the intended destination. If so, the data is then passed up the OSI stack to the Network Layer where the IP header is read. Contained within this IP header is specific code that designates what type of data is encapsulated within; in this case, TCP data. This process is then repeated until the data arrives at the designated application.
The exact specifications for the IP as well as the TCP can be found at
http://www.rfc-editor.org. RFC0791 deals with IP, while RFC0761 deals with TCP.
Description of Variants All Denial of Service attacks have the purposeful action to significantly degrade the quality or the availability of services a system offers. With respect to the abuse of the TCP/IP stack, there have been quite a large number of Denial of Service tools in existence for a number of years. Most other Denial of Service tools currently in existence tend to exploit the SYN, SYN/ACK, and ACK connection phases of TCP, which is known as the three-way handshake. Others implement such tactics as sending malformed fragmented packets in an attempt to crash the victim’s Operating System, while others merely attempt to overwhelm a target system by sending a tremendous amount of data. Regardless of the technique, all these exploits take advantage of inherent weaknesses with the TCP/IP protocol stack specification.
How the Exploit Works Bubonic is a relatively simple Denial of Service tool that also gives the attacker the ability to spoof his IP address with the hopes of completely concealing his identity (or taking on someone else’s identity).
A search of the Internet revealed several web sites that had the bubonic source code available for anyone to download. Most web sites had very little or no documentation or explanation of it. The following information was located within the source code:
CODE
"Bubonic.c lame DoS against Windows 2000 machinesand certain versions of Linux (worked against an Ultra5running Redhat Zoot. Should compile under anything.Randomly sends TCP packets with random settings, etc.Brings the load up causing the box to crash witherror code:
STOP 0x00000041 (0x00001000,0x00001279,0x000042A,0x00000001)MUST_SUCCEED_POOL_EMPTY"
After the code is downloaded, it must be compiled. The command used to compile the program is:
#make bubonicThis was done from the root directory where bubonic was downloaded. Next, the command ./bubonic was run, which displayed the built-in help:
Bubonic – sil@antioffline.comUsage: ./bubonic <dst> <src> <size> <number>
Ports are set to send and receive on port 179
should allow for xtra
Dst: Destination Address
Src: Source Address
Size: Size of packet which should be no larger than 1024 header info through routesNum: packets
For this experiment, there were four targeted machines. The first was a Windows 2000 machine with all current service packs installed as of December 28, 2000. The second was a Windows 2000 machine with no updates at all. The third was a Windows 98 machine with all current updates as of December 28, 2000, and the fourth was a Windows Millennium machine with all current updates as of December 28, 2000.
The bubonic Denial of Service tool was then executed against the first machine using this command:
# ./bubonic 192.168.1.50 10.1.1.10 100 100 There were no observable immediate effects against the updated Windows 2000 machine. The hub, however, indicated so many collisions on the LAN that the red collision light was a steady red. After several minutes, the targeted machine revealed sporadic freeze ups that lasted 3 to 4 seconds at a time. The bubonic attack continued for fifteen minutes with no other adverse effects.
The results were identical against the second machine (Windows 2000 with no updates).
The third machine (Windows 98) immediately froze up and was completely unusable. Even rebooting the machine (which required a hard reboot) resulted in the machine immediately freezing as soon as it reconnected to the network. The only way to avoid the ramifications of the bubonic Denial of Service was to physically disconnect it from the network or find a way to stop the network attack.
The Windows Millennium machine exhibited no adverse effects whatsoever.
The author of bubonic describes how the exploit works, “Randomly sends TCP packets with random settings, etc.” Network captures were done utilizing TCPDump, Snort, and Ethereal. Observation of the packets of data reveals the following:
Snort capture (one sample packet):
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
=+=+
01/06-20:37:51.972206 10.1.1.10 -> 192.168.1.50 TCP TTL:255
TOS:0xC9 ID:49832 Frag
Offset: 0x1B9E Frag Size: 0x14 50 00 EF C0 87 8E 61 15 6B 57
C6 4E 00 27 00 00
P.....a.kW.N.'.. 3D FB 00 00
=...=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
=+=+=+=+
Ethereal Capture (one sample packet):
Frame 1 (54 on wire, 54 captured)Arrival Time: Jan 6, 2001 20:37:51.9721Time delta from previous packet: 0.000000 secondsFrame Number: 1 Packet Length: 54 bytesCapture Length: 54 bytes
Ethernet II Destination: 00:20:78:cd:c2:de (00:20:78:cd:c2:de)Source: 00:00:c0:6f:d7:77 (00:00:c0:6f:d7:77)Type: IP (0x0800)
Internet Protocol Version: 4 Header length: 20 bytesDifferentiated Services Field: 0xc9 (DSCP 0x32: Unknown
DSCP; ECN: 0x01)1100 10.. = Differentiated Services Codepoint: Unknown
(0x32) .... ..0. = ECN-Capable Transport (ECT): 0.... ...1 = ECN-CE: 1
Total Length: 40
Identification: 0xc1a8
Flags: 0x00
.0.. = Don't fragment: Not set
..0. = More fragments: Not set
Fragment offset: 56560
Time to live: 255
Protocol: TCP (0x06)
Header checksum: 0x90da (correct)
Source: 10.1.1.10 (10.1.1.10)
Destination: 192.168.1.50 (192.168.1.50)
Data (20 bytes)
0 5000 efc0 868e 6115 d2d9 0949 0054 0000 P.....a....I.T.. 10 9451 0000 .Q..
As can be observed from this Ethereal capture, bubonic transmits an IP datagram that contains 20 bytes of random data. The IP datagram indicates that it contains TCP data (0x06), but in fact, there is no TCP data within the datagram. Obviously, this type of datagram is not following standard TCP/IP transmission standards, therefore, how each System handles this incoming datagram is dependant upon how that Operating System implements its TCP/IP stack. Further complicating this is the fact that bubonic sends out an extremely large quantity of datagrams (without regard for collisions). From this limited experiment, it appears that the Windows 98 Operating System is vulnerable to this exploit and Windows 2000 is only slightly affected. Windows Millennium was not affected at all.
A side effect of this exploit is that, although machines not targeted are unaffected, bubonic sends out such a large number of datagrams without regard to collisions that other machines residing on the affected network suffer decreased network performance as a result of the extremely high collision rate.
How to Use It The bubonic program can be downloaded from several sources, including:
http://www.antioffline.com/bubonic.c.
The source code must be compiled and run with the correct syntax as previously described.
Signature of the Attack Certainly with this type of attack, the victim machine wants to find a way to block it as well as detect it. With this consideration in mind, an analysis of the network traffic must be done, so that certain peculiarities can be located. It has been found over time that when someone programs an exploit, certain values within the programming code will be defined either as an absolute or changing variable that increments/decrements by a fixed amount. With bubonic, the source IP address is a fixed value that is defined by the user when the exploit is initially run. Unfortunately, because of this fact, the victim cannot search for a known hostile IP address because the attacker can change this.
From an analysis of attacks that were run in a controlled environment, several possible signatures appear to surface. First, there is a fixed Time to Live (TTL) value of 255. Second, the Type of Service (TOS) field has a consistent value of 0xC9. Third, there are always exactly 20 bytes of data carried within the IP datagram. Lastly, the fragment ID value has consistent increments by a value of 256. Based on the above information, a sniffer can be used to effectively detect this type of attack as well as program a firewall to block such an attack.
With any type of attack, it is imperative that the network data be analyzed for any type of pattern that can be programmed into the router, sniffer, or firewall, so the network may be properly protected.
How to Protect Against It One of the best ways to secure a network against any type of outside attack is to utilize a Network Address Translating router/firewall while using reserved, non-routable IP address schemes for the internal network. This type of network architecture makes it extremely difficult for an outsider to directly attack one of the inside hosts. Because this attack is run using a static source address, the firewall could be programmed to automatically shutdown any further incoming connections from the hostile IP address. Certainly, whichever operating system is being utilized, the newest patches and upgrades should be installed. Furthermore, vulnerable operating systems to this specific type of attack should not be utilized on any external systems that may be acting as a web server, ftp server, and so forth. In this limited experiment, Windows 98 was the most vulnerable OS, and it would be rare indeed for this operating system to be used on an external server. Certainly, if a host machine is not absolutely required to be on the network, there should be no connectivity whatsoever. The first step in any good security plan always should be physical security.
After host-based considerations have been implemented, network-based solutions must also be considered. Even if every host on the network is impervious to bubonic, it is entirely possible that (as is the case with most Denial of Service attacks) all network resources may be consumed by the Denial of Service attack. Therefore, it is imperative to have a defensive strategy in place at the network entry point to the Internet, which is usually a router. The judicious use of the router’s access control list may be enough to block such hostile traffic. Of course a good application gateway Firewall should also be used in conjunction with the router. Finally, a high-quality IDS should be implemented as well. By utilizing a good combination of router/firewall/ids, the three will work in concert to shun a perceived hostile connection, such as bubonic.
Source Code/Pseudo Code The source code for bubonic can be found at
http://www.antioffline.com/bubonic.c.
). Let's go:
