Stream.c needs more clarification

From: Vanja Hrustic (vanjaat_private)
Date: Tue Jan 25 2000 - 07:25:40 PST


    I'm really confused (as some other people I've talked to are), and I'd
    be happy if someone can clarify a few things.
    
    I have been told that I must be on 100Mbit LAN in order to 'exploit'
    this vulnerability. The result is: slow response time from the victim
    machine. In some cases (as I have been told), work on console (be it X,
    or text mode) is slowed down, while in other cases the victim machine
    can not do any work over the network (it can't be pinged, it can't ping
    out, etc.). No crashes, no kernel panic.
    
    Well, if I am sending 100-150,000 packets in a second to some machine, I
    wouldn't expect it to be reachable.
    
    Anyway... take the old 'oshare.c' source, modify these 2 lines:
    
    ip->ihl = rand() % 16;          /* header length, in 32-bit words */
    ip->tot_len = rand() % 0xffff;  /* total length field */
    
    (this has been posted to Bugtraq in January '99, by "DEF CON ZERO WINDOW
    <defcon0at_private>"; similar modifications have been made to 'oshare.c'
    by some other people, around the same time, for testing of oshare & NT).
    
    Now compile it, and run on local LAN against NT Server 4.0 (tested w/
    SP6a) - you'll have an NT Server acting like ZX81 (when it comes to
    'speed' of NT Server - not the link). On a 10Mbit LAN. So, is this as
    big a problem as 'stream.c' is?
    
    I am not a network engineer, and I am really confused with this. Link is
    just a 'pipe', and if you fill it, it's expected that you won't be able
    to ping anything (try downloading 500Mb file over local LAN, no matter
    what the speed of the LAN is, and no bandwidth limitations either).
    
    1. Does the 'stream.c' problem exist *only* on 100Mbit LAN (as I've been
    told by some people), or is it supposed to harm systems 'remotely' (over
    the net, at speeds up to 2Mbit or so)?
    
    2. Does it affect only FreeBSD or not?
    
    3. Did anybody actually manage to do some harm using exploits posted on
    Bugtraq? [either slightly/heavily modified, or the 'default' version]
    
    The answers to these questions will probably also help the moderator
    of a certain NT related mailing list who says:
    
    > Huge exploits, like stream.c or Trin00, go largely unreported by the
    > mainstream media, whereas a story about some popular software not
    > working securely on W2K could make it to CNN Headline News. Media
    > scale has little to do with The Real World(TM). This may be
    
    Although these 'huge exploits' examples are silly, it's worth noting
    that people do think that 'stream.c' is a huge one.
    
    Is it?
    
    Thanks.
    
    --
    
    Vanja Hrustic
    SAFER Editor
    
    SAFER - free monthly security newsletter
    Subscriptions at http://safer.siamrelay.com
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:31:44 PDT