CVE-1999-0104

MEDIUM 5.0 / 10.0
Published: December 16, 1997 at 05:00 AM
Modified: April 3, 2025 at 01:03 AM
Source: cve@mitre.org

Vulnerability Description

A later variation on the Teardrop IP denial of service attack, a.k.a. Teardrop-2.

CVSS Metrics

Base Score
5.0
Severity
MEDIUM
Vector String
AV:N/AC:L/Au:N/C:N/I:N/A:P

Weaknesses (CWE)

NVD-CWE-Other
Source: nvd@nist.gov

AI Security Analysis

01 // Technical Summary

CVE-1999-0104 describes a denial-of-service (DoS) vulnerability, a variant of the Teardrop attack, rooted in how operating systems handle fragmented IP packets. Malformed fragments that the target system cannot reassemble correctly can cause it to consume excessive resources or enter an unstable state, leading to system crashes and network outages.

02 // Vulnerability Mechanism

Step 1: Fragmentation: The attacker crafts an IP packet and fragments it into multiple smaller packets. These fragments are designed to overlap or have incorrect offset values.

Step 2: Malformed Offsets: The attacker sets the fragment offset fields in the IP header of the fragmented packets to values that, when combined, cause the reassembly process to fail.

Step 3: Packet Delivery: The fragmented packets are sent to the target system, typically over a network connection.

Step 4: Reassembly Attempt: The target system's IP stack attempts to reassemble the fragmented packets based on the IP header information (ID, offset, and more fragments flag).

Step 5: Exploitation: Due to the malformed offsets, the reassembly process fails, leading to memory corruption, resource exhaustion, or a system crash.

03 // Deep Technical Analysis

The vulnerability stems from the way certain operating systems handle fragmented IP packets. The Teardrop attack exploits flaws in the reassembly logic, specifically when handling overlapping or malformed fragments. The root cause is often a lack of proper input validation or insufficient boundary checks when processing the offset and length fields within the IP fragments. This can lead to a buffer overflow or other memory corruption issues within the kernel's IP reassembly code, ultimately causing the system to crash or become unresponsive. The attack relies on sending a series of fragmented IP packets with overlapping or conflicting fragment offsets, tricking the target system into misinterpreting the packet data and attempting to allocate excessive memory or access invalid memory locations.
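The boundary checks described above, written as an added example (not code from this page or from any operating system's IP stack): every fragment's offset and length is validated before any reassembly copy is sized. The `struct frag` layout, the `check_fragments` name and the verdict values are hypothetical, and the sample fragments are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IP_MAX_DATAGRAM 65535u /* largest size the 16-bit IPv4 total-length field can express */

/* Hypothetical view of one received fragment (not a real kernel structure). */
struct frag {
    uint16_t offset_units; /* 13-bit fragment offset, counted in 8-byte units */
    uint16_t len;          /* payload bytes carried by this fragment */
    int      more;         /* MF (more fragments) flag */
};

enum frag_verdict { FRAG_OK = 0, FRAG_BAD_LEN, FRAG_TOO_BIG, FRAG_OVERLAP };

/* Validate one datagram's fragments, sorted by offset, before reassembly. */
enum frag_verdict check_fragments(const struct frag *f, size_t n, size_t hdr_len)
{
    uint32_t prev_end = 0;
    for (size_t i = 0; i < n; i++) {
        uint32_t start = (uint32_t)f[i].offset_units * 8u;
        uint32_t end = start + f[i].len;
        /* Empty fragments and non-final fragments not a multiple of 8 bytes are malformed. */
        if (f[i].len == 0 || (f[i].more && (f[i].len % 8u) != 0))
            return FRAG_BAD_LEN;
        /* The reassembled datagram must still fit the total-length field. */
        if (end + hdr_len > IP_MAX_DATAGRAM)
            return FRAG_TOO_BIG;
        /* A fragment that starts before the previous one ends overlaps it.
         * Rejecting here means no copy length is derived from an overlapping pair. */
        if (i > 0 && start < prev_end)
            return FRAG_OVERLAP;
        prev_end = end;
    }
    return FRAG_OK;
}

int main(void)
{
    /* Constructed samples: the second fragment sits inside the first, then a clean pair. */
    struct frag overlap[] = { {0, 40, 1}, {3, 8, 0} };
    struct frag clean[]   = { {0, 24, 1}, {3, 16, 0} };
    printf("overlapping set: %d\n", check_fragments(overlap, 2, 20));
    printf("clean set:       %d\n", check_fragments(clean, 2, 20));
    return 0;
}
```

A non-zero verdict means the whole datagram should be discarded rather than partially reassembled.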
