Michal Zalewski:

> 1. Send SYN from port X to victim, dst_port=25 (victim sends SYN/ACK)
> 2. Send RST from port X to victim, dst_port=25 respecting sequence numbers
>    (victim got error on accept() - and enters 5 sec 'refusingconn' mode)
> 3. Wait approx. 2 seconds
> 4. Go to 1.
>
> So, by sending just a few bytes every two seconds, we could completely
> lock sendmail service. There's no reason to post any exploits. RFC +
> any source (teardrop is good) + 'tcpdump -x' + 15 minutes = exploit.

This attack is specific to LINUX. On UNIX systems with a BSD TCP/IP
protocol stack, the accept() call does not return until the three-way
handshake completes.

Please do not blame Sendmail for every problem in the world.

Wietse
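The pattern described in the thread (a bare SYN to port 25 followed within moments by a RST from the same source port, repeated every couple of seconds) is easy to spot on the wire. The following detector is an added example, not code from either poster; it parses a simplified, constructed tcpdump-style text format and flags source hosts that cycle SYN/RST against the SMTP listener at least three times inside a window.

```python
import re
from collections import defaultdict

# Simplified tcpdump line: "HH:MM:SS.ffffff IP src.sport > dst.dport: Flags [X], ..."
LINE_RE = re.compile(
    r"^(\d+):(\d+):(\d+\.\d+) IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]*)\]"
)

def parse_line(line):
    """Return (seconds, src_ip, src_port, dst_ip, dst_port, flags) or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    h, mnt, s, src, sport, dst, dport, flags = m.groups()
    return int(h) * 3600 + int(mnt) * 60 + float(s), src, int(sport), dst, int(dport), flags

def detect_syn_rst_cycling(lines, dport=25, rst_gap=1.0, window=10.0, min_cycles=3):
    """Return {src_ip: cycles} for hosts that open to `dport` with a bare SYN and
    tear down with RST within `rst_gap` seconds, `min_cycles`+ times in `window`."""
    pending_syn = {}            # (src_ip, src_port, dst_ip) -> time of last bare SYN
    cycles = defaultdict(list)  # src_ip -> timestamps of completed SYN->RST cycles
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec[4] != dport:
            continue            # only traffic towards the SMTP listener matters
        t, src, sport, dst, _, flags = rec
        key = (src, sport, dst)
        if "S" in flags and "." not in flags:       # bare SYN (SYN/ACK has "S.")
            pending_syn[key] = t
        elif "R" in flags and key in pending_syn:   # RST shortly after our SYN
            if t - pending_syn.pop(key) <= rst_gap:
                cycles[src].append(t)
        else:
            pending_syn.pop(key, None)              # ACK/data/FIN: genuine handshake
    flagged = {}
    for src, times in cycles.items():
        times.sort()
        for i in range(len(times)):                 # largest burst within the window
            j = i
            while j + 1 < len(times) and times[j + 1] - times[i] <= window:
                j += 1
            if j - i + 1 >= min_cycles:
                flagged[src] = max(flagged.get(src, 0), j - i + 1)
    return flagged

SAMPLE = [  # constructed capture: one cycling host, one normal SMTP client
    "12:00:00.000000 IP 10.0.0.5.4000 > 192.0.2.10.25: Flags [S], seq 1000",
    "12:00:00.050000 IP 10.0.0.5.4000 > 192.0.2.10.25: Flags [R], seq 1001",
    "12:00:01.000000 IP 10.0.0.9.5000 > 192.0.2.10.25: Flags [S], seq 7000",
    "12:00:01.020000 IP 10.0.0.9.5000 > 192.0.2.10.25: Flags [.], ack 1",
    "12:00:02.000000 IP 10.0.0.5.4000 > 192.0.2.10.25: Flags [S], seq 2000",
    "12:00:02.050000 IP 10.0.0.5.4000 > 192.0.2.10.25: Flags [R], seq 2001",
    "12:00:04.000000 IP 10.0.0.5.4000 > 192.0.2.10.25: Flags [S], seq 3000",
    "12:00:04.050000 IP 10.0.0.5.4000 > 192.0.2.10.25: Flags [R], seq 3001",
]
```

Running `detect_syn_rst_cycling(SAMPLE)` reports only 10.0.0.5; the client that completes its handshake with an ACK is never counted.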
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:21:33 PDT