Re: Sendmail, lynx, Netscape, sshd, Linux kernel (twice)

From: Wietse Venema (wietseat_private)
Date: Fri Oct 30 1998 - 18:24:09 PST


    Michal Zalewski:
    > 1. Send SYN from port X to victim, dst_port=25 (victim sends SYN/ACK)
    > 2. Send RST from port X to victim, dst_port=25 respecting sequence numbers
    >    (victim got error on accept() - and enters 5 sec 'refusingconn' mode)
    > 3. Wait approx. 2 seconds
    > 4. Go to 1.
    >
    > So, by sending just a few bytes every two seconds, we could completely
    > lock sendmail service. There's no reason to post any exploits. RFC +
    > any source (teardrop is good) + 'tcpdump -x' + 15 minutes = exploit.
    
    This attack is specific to LINUX. On UNIX systems with a BSD TCP/IP
    protocol stack, the accept() call does not return until the three-way
    handshake completes.
    
    Please do not blame Sendmail for every problem in the world.
    
            Wietse
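The exchange above turns on one implementation detail: on the Linux stack of the day, a pending connection that is reset before the server calls accept() makes accept() itself fail (the accept(2) manual page still documents that Linux "passes already-pending network errors on the new socket as an error code from accept()"), and sendmail reacted to any accept() failure by refusing connections for five seconds. Below is an added example of the server-side hardening that closes that window; it is not sendmail's code and not part of either poster's message. It classifies accept() errors into "one client's problem, accept again", "local resource exhaustion, back off briefly" and "listener broken", so a stream of reset half-open connections costs the server a loop iteration rather than seconds of downtime. The function names (classify_accept_errno, accept_resilient, run_trace, loopback_selftest), the injected error traces and the retry cap are this example's own assumptions.

```c
/* Added example (not sendmail's code): an accept() loop that does not
 * stop serving because one pending connection was reset before accept(). */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

enum accept_action { ACCEPT_RETRY, ACCEPT_BACKOFF, ACCEPT_FATAL };

/* Decide what an errno from accept() means for the *listener*. The
 * per-connection list follows the Linux accept(2) manual page. */
enum accept_action classify_accept_errno(int err)
{
    switch (err) {
    case EINTR: case EAGAIN:
#if defined(EWOULDBLOCK) && EWOULDBLOCK != EAGAIN
    case EWOULDBLOCK:
#endif
    case ECONNABORTED: case ECONNRESET: case EPROTO: case ENETDOWN:
    case ENETUNREACH: case EHOSTDOWN: case EHOSTUNREACH: case EOPNOTSUPP:
    case ENOPROTOOPT:
#ifdef ENONET
    case ENONET:
#endif
        return ACCEPT_RETRY;     /* one client went away: accept() again now */
    case EMFILE: case ENFILE: case ENOBUFS: case ENOMEM:
        return ACCEPT_BACKOFF;   /* we are out of resources: a short sleep is right */
    default:
        return ACCEPT_FATAL;     /* EBADF, EINVAL, ENOTSOCK: listener is unusable */
    }
}

/* accept() is passed in as a pointer so failures can be injected in tests. */
typedef int (*accept_fn)(int, struct sockaddr *, socklen_t *);
struct accept_stats { int retries; int backoffs; };
#define MAX_CONSECUTIVE_RETRIES 1000   /* assumed cap against a broken listener */

/* Returns a client fd, or -1 with errno set when the caller must back off
 * (stats->backoffs incremented) or give up. Reset clients only cost a retry. */
int accept_resilient(int lfd, accept_fn acc, struct accept_stats *st)
{
    int consecutive = 0;
    for (;;) {
        int fd = acc(lfd, NULL, NULL);
        if (fd >= 0)
            return fd;
        switch (classify_accept_errno(errno)) {
        case ACCEPT_RETRY:
            st->retries++;
            if (++consecutive < MAX_CONSECUTIVE_RETRIES)
                continue;        /* do not punish the next client for this one */
            return -1;
        case ACCEPT_BACKOFF:
            st->backoffs++;
            return -1;
        case ACCEPT_FATAL:
            return -1;
        }
    }
}

/* Constructed accept() stand-in: replays a trace of errnos, 0 = success (fd 42). */
static const int *g_trace; static int g_trace_len, g_trace_pos;
static struct accept_stats g_stats;
static int fake_accept(int fd, struct sockaddr *a, socklen_t *l)
{
    (void)fd; (void)a; (void)l;
    if (g_trace_pos >= g_trace_len) { errno = EBADF; return -1; }
    int e = g_trace[g_trace_pos++];
    if (e == 0) return 42;
    errno = e; return -1;
}
int run_trace(const int *trace, int n)
{
    g_trace = trace; g_trace_len = n; g_trace_pos = 0;
    memset(&g_stats, 0, sizeof g_stats);
    return accept_resilient(-1, fake_accept, &g_stats);
}
int last_retries(void)  { return g_stats.retries; }
int last_backoffs(void) { return g_stats.backoffs; }

/* Real sockets on 127.0.0.1: one client is accepted through the hardened loop. */
int loopback_selftest(void)
{
    struct sockaddr_in sa; socklen_t len = sizeof sa; struct accept_stats st = {0, 0};
    int ok = 0, cfd = -1, afd = -1, lfd = socket(AF_INET, SOCK_STREAM, 0);
    if (lfd < 0) return 0;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET; sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK); sa.sin_port = 0;
    if (bind(lfd, (struct sockaddr *)&sa, sizeof sa) == 0 && listen(lfd, 8) == 0 &&
        getsockname(lfd, (struct sockaddr *)&sa, &len) == 0 &&
        (cfd = socket(AF_INET, SOCK_STREAM, 0)) >= 0 &&
        connect(cfd, (struct sockaddr *)&sa, sizeof sa) == 0)
        ok = (afd = accept_resilient(lfd, accept, &st)) >= 0;
    if (afd >= 0) close(afd);
    if (cfd >= 0) close(cfd);
    close(lfd);
    return ok;
}

int main(void)
{
    const int rst_storm[] = { ECONNABORTED, ECONNRESET, EPROTO, 0 };   /* constructed */
    int fd = run_trace(rst_storm, 4);
    printf("injected trace: fd=%d after %d retries, %d backoffs\n", fd, last_retries(), last_backoffs());
    printf("loopback accept through hardened loop: %s\n", loopback_selftest() ? "ok" : "failed");
    return 0;
}
```

The distinction Wietse draws is what the classifier encodes: on a BSD stack the handshake completes before accept() returns, so accept() rarely reports a client's problem at all; on Linux it can, and the only safe reaction is to call accept() again immediately. Backing off is reserved for EMFILE/ENFILE/ENOBUFS/ENOMEM, where the server really cannot take another connection.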
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:21:33 PDT