Package: p0f
Version: 3.06b-2
Severity: grave
Tags: security

Sending "malformed" (or legacy format(!!?)) packets to p0f's socket results in a crash of the service:
    [+] Closed 1 file descriptor.
    [+] Loaded 314 signatures from '/etc/p0f/p0f.fp'.
    [+] Intercepting traffic on default interface 'eth0'.
    [+] Custom filtering rule enabled: dst port 25 [+VLAN]
    [+] Listening on API socket '/var/run/dc-p0f.socket' (max 20 clients).
    [+] Privileges dropped: uid 112, gid 114, root '/var/spool/qpsmtpd'.
    [+] Entered main event loop.
    [-] SYSTEM ERROR : read() on API socket fails despite POLLIN.
        Location : live_event_loop(), p0f.c:916
        OS message : Connection reset by peer

This issue is discussed, from another angle, on the milter mailing list here:
http://comments.gmane.org/gmane.mail.sendmail.milter.greylist/3184

This bug is not about getting milter (or any other p0f client) to work, but rather about the fact that it is so trivial to launch a DoS attack against p0f. Any attacker with access to p0f's socket has the ability to crash the service. p0f should rather accept the bogus input and behave properly (issue an error, disconnect, etc.).

Testing suggests that this issue is likely resolved in later versions of the upstream package.
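As an added illustration of the graceful handling the report asks for (example code written here, not p0f's own; the function names and the socketpair stand-in for the API socket are assumptions), a read() that fails on one API client after poll() reported POLLIN is treated as that client's disconnect rather than a fatal daemon error:

```c
#include <errno.h>
#include <poll.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Outcome of servicing one readable API client (hypothetical names). */
enum client_status { CLIENT_KEEP = 0, CLIENT_DROP = 1 };

/* Service a client that poll() flagged as POLLIN. EOF or a socket-level
 * error such as ECONNRESET concerns only that connection: drop the client,
 * keep the daemon alive. Only transient conditions leave the client open. */
enum client_status service_client(int fd, char *buf, size_t len) {
    ssize_t n = read(fd, buf, len);
    if (n > 0)
        return CLIENT_KEEP;           /* request bytes arrived; parse them */
    if (n == 0)
        return CLIENT_DROP;           /* orderly close by the peer */
    if (errno == EAGAIN || errno == EWOULDBLOCK || errno == EINTR)
        return CLIENT_KEEP;           /* spurious wakeup; poll again */
    fprintf(stderr, "[!] API client fd %d: read() failed (%s); dropping client\n",
            fd, strerror(errno));
    return CLIENT_DROP;               /* ECONNRESET and friends: not fatal */
}

/* Constructed scenario: a socketpair() plays the API socket and one client.
 * Returns 0 when the daemon side survives both a request and a disconnect. */
int demo(void) {
    int sv[2];
    char buf[64];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;
    (void)write(sv[1], "QUERY", 5);                     /* constructed request */
    struct pollfd p = { .fd = sv[0], .events = POLLIN };
    if (poll(&p, 1, 1000) != 1 || !(p.revents & POLLIN))
        return -1;
    enum client_status s1 = service_client(sv[0], buf, sizeof buf);
    close(sv[1]);                                       /* client goes away */
    poll(&p, 1, 1000);                                  /* POLLIN/POLLHUP again */
    enum client_status s2 = service_client(sv[0], buf, sizeof buf);
    close(sv[0]);
    return (s1 == CLIENT_KEEP && s2 == CLIENT_DROP) ? 0 : 1;
}

/* A read() error (here EBADF on a closed descriptor) must also map to a drop. */
int bad_fd_is_dropped(void) {
    char b[8];
    return service_client(-1, b, sizeof b) == CLIENT_DROP;
}
```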