I'm really confused (as some other people I've talked to are), and I'd be happy if someone can clarify a few things. I have been told that I must be on a 100Mbit LAN in order to 'exploit' this vulnerability. The result is: slow response time from the victim machine. In some cases (as I have been told), work on the console (be it X, or text mode) is slowed down, while in other cases the victim machine can not do any work over the network (it can't be pinged, it can't ping out, etc.). No crashes, no kernel panic. Well, if I am sending 100-150,000 packets in a second to some machine, I wouldn't expect it to be reachable.

Anyway... take the old 'oshare.c' source, modify these 2 lines:

    ip->ihl = rand() % 16;
    ip->tot_len = rand() % 0xffff;

(this has been posted to Bugtraq in January '99, by "DEF CON ZERO WINDOW <defcon0at_private>"; similar modifications have been made to 'oshare.c' by some other people, around the same time, for testing of oshare & NT). Now compile it, and run it on the local LAN against NT Server 4.0 (tested w/ SP6a) - you'll have an NT Server acting like a ZX81 (when it comes to the 'speed' of the NT Server - not the link). On a 10Mbit LAN.

So, is this as big a problem as 'stream.c' is? I am not a network engineer, and I am really confused with this. A link is just a 'pipe', and if you fill it, it's expected that you won't be able to ping anything (try downloading a 500Mb file over the local LAN, no matter what the speed of the LAN is, and no bandwidth limitations either).

1. Does the 'stream.c' problem exist *only* on a 100Mbit LAN (as I've been told by some people), or is it supposed to harm systems 'remotely' (over the net, at speeds up to 2Mbit or so)?
2. Does it affect only FreeBSD or not?
3. Did anybody actually manage to do some harm using exploits posted on Bugtraq [either slightly/heavily modified, or the 'default' version]?

The answers to these questions will probably also help the moderator of a certain NT related mailing list who says:

> Huge exploits, like stream.c or Trin00, go largely unreported by the
> mainstream media, whereas a story about some popular software not
> working securely on W2K could make it to CNN Headline News. Media
> scale has little to do with The Real World(TM).

This may be Although these 'huge exploits' examples are silly, it's worth noting that people do think that 'stream.c' is a huge one. Is it?

Thanks.

-- 
Vanja Hrustic
SAFER Editor
SAFER - free monthly security newsletter
Subscriptions at http://safer.siamrelay.com
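The receiving side of the modified 'oshare.c' traffic described in the post, as an added example that is not code from the post or from any tool it names: a C validator of the kind a host stack or packet filter applies to the ihl and tot_len fields, so that headers with an ihl below 5, an ihl longer than the frame, or a tot_len that does not fit the frame are rejected before any further parsing. The sample headers, their addresses and field values are constructed for this example, not captured packets.

```c
#include <stdint.h>
#include <string.h>

/* Verdict for one IPv4 header; IPV4_OK means every sanity check passed. */
enum ipv4_fault { IPV4_OK = 0, IPV4_TRUNCATED, IPV4_BAD_VERSION, IPV4_BAD_IHL, IPV4_BAD_TOT_LEN, IPV4_BAD_CHECKSUM };

/* RFC 791 header checksum: ones-complement sum of 16-bit words, 0 over a valid header. */
static uint16_t ipv4_checksum(const uint8_t *hdr, size_t hdr_len)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < hdr_len; i += 2)
        sum += (uint32_t)((hdr[i] << 8) | hdr[i + 1]);
    while (sum >> 16)                      /* fold carries back into the low word */
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Check the header at pkt; wire_len is how many bytes really arrived. Length checks run
 * first so a bogus ihl or tot_len can never drive a read past the buffer. */
enum ipv4_fault ipv4_check(const uint8_t *pkt, size_t wire_len)
{
    if (wire_len < 20) return IPV4_TRUNCATED;
    if ((pkt[0] >> 4) != 4) return IPV4_BAD_VERSION;
    size_t ihl_bytes = (size_t)(pkt[0] & 0x0f) * 4;     /* ihl < 5 is below the minimum */
    if (ihl_bytes < 20 || ihl_bytes > wire_len) return IPV4_BAD_IHL;
    size_t tot_len = (size_t)((pkt[2] << 8) | pkt[3]);  /* must cover header, fit in frame */
    if (tot_len < ihl_bytes || tot_len > wire_len) return IPV4_BAD_TOT_LEN;
    if (ipv4_checksum(pkt, ihl_bytes) != 0) return IPV4_BAD_CHECKSUM;
    return IPV4_OK;
}

/* Constructed 20-byte sample header (10.0.0.1 -> 10.0.0.2) whose ihl and tot_len fields
 * are caller-chosen, standing in for the randomised values the post mentions. */
size_t build_sample(uint8_t *buf, uint8_t ihl, uint16_t tot_len)
{
    memset(buf, 0, 20);
    buf[0] = (uint8_t)(0x40 | (ihl & 0x0f));           /* version 4, caller's ihl */
    buf[2] = (uint8_t)(tot_len >> 8); buf[3] = (uint8_t)(tot_len & 0xff);
    memcpy(buf + 12, "\x0a\x00\x00\x01\x0a\x00\x00\x02", 8);  /* src, dst addresses */
    uint16_t csum = ipv4_checksum(buf, 20);             /* correct checksum for these fields */
    buf[10] = (uint8_t)(csum >> 8); buf[11] = (uint8_t)(csum & 0xff);
    return 20;
}

/* Build one sample with the given fields and classify it. */
enum ipv4_fault check_sample(uint8_t ihl, uint16_t tot_len)
{
    uint8_t buf[20];
    return ipv4_check(buf, build_sample(buf, ihl, tot_len));
}
```

With rand() % 16 only ihl == 5 survives for a 20-byte frame; with rand() % 0xffff only tot_len == 20 does, so a stack that enforces these bounds drops such packets at the cost of one comparison each.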
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:31:44 PDT