Re: stream.c - new FreeBSD exploit?

From: Haight, Kristofer (Kristofer.Haightat_private)
Date: Fri Jan 21 2000 - 13:48:17 PST


    This may be yet another Unix-only attack.
    
    Either I compiled it wrong (I will check when I return to work Monday), or
    WindowsNT is immune to this attack totally. I didn't see anything strange
    happening at all (except the hub in my LAB was going nuts). This was tested
    on a WindowsNT Box running NT 4.0, SP 5, Option Pack 4 with IIS 4. The DoS
    was coming from a RedHat 6.0 Linux Box. I tried to hit several known
    open ports and what not, but I didn't see a thing.
    
    I will also check to see if Win9x or Win2k is immune to this on Monday.
    
    If anyone has successfully gotten this to kill an NT box, please let me know
    and what you did to change that. I'd like to hear this.
    
    Will have more later, but wanted to test this quickly before I go home for
    the weekend =)
    
    -- Kris
    
    *************************************
    Kristofer Haight
    NT Network Administrator and EA Admin
    Thomson Financial Services
    kristofer.haightat_private
    617-856-1912
    **************************************
    
    > -----Original Message-----
    > From: Bill Fumerola [mailto:billf@CHC-CHIMES.COM]
    > Sent: Thursday, January 20, 2000 4:16 PM
    > To: BUGTRAQat_private
    > Subject: Re: stream.c - new FreeBSD exploit?
    >
    >
    > On Tue, Jan 18, 2000 at 02:44:38PM -0800, The Tree of Life wrote:
    >
    > > When I talked to another person to ask if he had 'acquired' the source, he
    > > said he wasn't going to give it out.  I asked him if he had a patch for it,
    > > and he replied "the fbsd team is working on it.  No patch is available right
    > > now."
    > >
    > > What's the importance of this?  Major companies such as Yahoo
    > > (www.yahoo.com) and others run freebsd.
    >
    > Major companies have firewalls too, but from what it sounds like, this
    > attack may crash/freeze/reboot/whatever them as well.
    >
    > > According to the irc admin, a simple reboot fixes it. "Your box reboots or
    > > dies."  He also stated, when asked if anything noticeable happened, that
    > > "nothing unusual [happened]".
    > >
    > > The only log that he could provide was this one:
    > >
    > > ---snip---
    > > syslog:Jan 18 12:30:36 x kernel: Kernel panic: Free list empty
    > > ---snip---
    >
    > [hawk-billf] /sys > find . |xargs grep -ie 'free list empty'
    > [hawk-billf] /sys > uname -mrs
    > FreeBSD 4.0-CURRENT i386
    >
    > > One thing of note:  he also stated this happened on non-freebsd systems,
    > > which is contrary to what the other person said, who was "under the
    > > impression it was freebsd specific."
    >
    > The above is a Linux panic, so it obviously works on non-FreeBSD machines.
    >
    > It's a pity to attach FreeBSD to this exploit, as it obviously isn't specific
    > to just the FreeBSD stack. I wish the FUD would just go away sometimes.
    >
    > --
    > Bill Fumerola - Network Architect
    > Computer Horizons Corp - CVM
    > e-mail: billf@chc-chimes.com / billfat_private
    > Office: 800-252-2421 x128 / Cell: 248-761-7272
    >
    >
    >
    > ps. I'm not speaking for CHC or for FreeBSD...
    >
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:29:55 PDT