Raul Siles

Sebek UDP packet length field bug

In May 2005, while inspecting the Honeynet Sebek LKM in depth (a good rootkit, by the way :-), I found that the UDP header length field of the network packets generated by this tool had an invalid value.

The UDP length field is the length of the UDP header and the UDP data in bytes. The minimum value for this field is 8 bytes (sending a UDP datagram with 0 bytes of data is OK).

The figure below shows UDP packets generated by a Sebek Linux client version 3.0.2, running on a Red Hat 9.0 honeypot system. The 10.10.10.2 IP address belongs to the honeypot, while 10.10.10.1 is the IP address of the network gateway.
As can be seen in the figure, when the "Data" portion of a Sebek-generated UDP packet is selected in the Ethereal packet dissector window (the one in the middle), the packet contents window (the one at the bottom) highlights only the UDP data payload minus 8 bytes. In this case, the last bytes did not get selected:

2f 6c 6d 68 6f 73 74 73 

The reason for this is that the UDP header length field has an incorrect value: it only includes the UDP data payload length, instead of the UDP data payload length plus the UDP header length. If the first UDP packet shown above is inspected, the following length values are associated with it:

  • Frame bytes captured: 116
  • IP total length: 102 (116 - Ethernet header (14))
  • IP header length: 20
  • UDP total length (as carried in the UDP header): 74 (WRONG: it should be 102 - 20 = 82)
  • UDP header length: 8
  • UDP data: 66 (as calculated by Ethereal from the bogus field: 74 - 8 = 66) (WRONG: the real payload is 82 - 8 = 74)

This bug is located in the "sebek.c" file, within the "gen_pkt()" function. The UDP packet length value is calculated using the following formula:

    udph->len     = htons(paysize);

However, based on the official definition of the UDP header length field, the correct formula should be:

    udph->len     = htons(paysize + sizeof(struct udphdr));

A Linux patch was created for the Sebek Linux client version 3.0.3, called "sebek_udplength.patch".
Once applied, the UDP packets generated by Sebek carry the correct UDP length value.
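The length consistency check described above, as an added example that is not part of the original post or of the Sebek code: it builds a constructed Ethernet/IPv4/UDP frame with the lengths quoted above (MAC addresses, ports and checksums are placeholders, not real Sebek values) and flags a UDP length field that is exactly one UDP header short, the symptom of the unpatched gen_pkt().

```python
import struct

ETH_HLEN = 14          # Ethernet header
IPPROTO_UDP = 17
UDP_HLEN = 8           # sizeof(struct udphdr)


def build_frame(payload: bytes, buggy: bool) -> bytes:
    """Build a constructed Ethernet/IPv4/UDP frame (sample data, not a real capture).

    With buggy=True the UDP length is set to len(payload) alone, mirroring
    udph->len = htons(paysize); with buggy=False it includes the 8-byte header.
    """
    udp_len = len(payload) + (0 if buggy else UDP_HLEN)
    # Ports are arbitrary placeholders; the UDP checksum is left at 0 (optional over IPv4).
    udp = struct.pack("!HHHH", 40000, 5000, udp_len, 0) + payload
    ip_total = 20 + len(udp)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_total, 0, 0, 64, IPPROTO_UDP, 0,
                     bytes([10, 10, 10, 2]), bytes([10, 10, 10, 1]))
    eth = b"\x00" * 6 + b"\x00" * 6 + b"\x08\x00"  # dst MAC, src MAC, EtherType IPv4
    return eth + ip + udp


def udp_lengths(frame: bytes) -> tuple:
    """Return (udp_length_field, expected), where expected = IP total length - IP header length."""
    if len(frame) < ETH_HLEN + 20 or frame[12:14] != b"\x08\x00":
        raise ValueError("not an Ethernet/IPv4 frame")
    ip = frame[ETH_HLEN:]
    ihl = (ip[0] & 0x0F) * 4
    ip_total = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != IPPROTO_UDP or ip_total < ihl + UDP_HLEN:
        raise ValueError("not a UDP datagram")
    udp_len = struct.unpack("!H", ip[ihl + 4:ihl + 6])[0]
    return udp_len, ip_total - ihl


def diagnose(frame: bytes) -> str:
    """Classify the UDP length field: correct, short by exactly one UDP header, or otherwise invalid."""
    udp_len, expected = udp_lengths(frame)
    if udp_len == expected:
        return "ok"
    if udp_len == expected - UDP_HLEN:
        return "header-omitted"   # field equals the payload size only, as in the unpatched gen_pkt()
    return "invalid"


if __name__ == "__main__":
    for buggy in (True, False):
        frame = build_frame(b"A" * 74, buggy)   # 74-byte payload gives the 116-byte frame from the post
        print(len(frame), udp_lengths(frame), diagnose(frame))
```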

The affected versions were the Linux client version 3.0.3 and below (including the 2.X.Y branch).
A new bug, number 282, was filed on the project's Bugzilla server.