RE: kernel panic [linux 2.2.19-7] on UDP scan CP4.1-SP5

From: Yanek Korff (yanekat_private)
Date: Wed Nov 14 2001 - 09:34:46 PST


    > -----Original Message-----
    > From: Olaf Kirch [mailto:okirat_private]
    > Sent: Wednesday, November 14, 2001 11:40 AM
    > To: Yanek Korff
    > Cc: 'ed.rolisonat_private'; vuln-devat_private
    > Subject: Re: kernel panic [linux 2.2.19-7] on UDP scan CP4.1-SP5
    > 
    > 
    > On Wed, Nov 14, 2001 at 11:27:48AM -0500, Yanek Korff wrote:
    > > Unfortunately, I don't think this is the case.  If a table were being filled
    > > up, I'd expect the FW to stay up for some period of time before eventually
    > > crashing.  Here are some relevant facts:
    > > 
    > > 1. Linux FW crashes -immediately- before it has the opportunity to log a udp
    > > packet with tcpdump
    > > 2. Scans complete successfully against NT 4.0 and Solaris-x86
    > 
    > There was a problem (kernel lockup) with certain types of UDP 
    > packets a few months ago (it could be though that happened 
    > only for locally generated packets). All vendors released fixes 
    > for these. Could be the scan checks for this vul. Check your 
    > vendor's security page for details.
    
    Would not the OS itself crash without the FW kernel module loaded when a UDP
    scan was initiated?  When the machine is running without the FW active, it
    stays up fine.  I am running the latest updated kernel (source RPM) from
    RedHat in the 2.2.x kernel sequence.
    
    I've tried the -T Paranoid switch; the system crashes with the VERY FIRST
    UDP packet, regardless of which port it's sent to.  I subsequently
    re-enabled icmp, as a "before last" implied rule... And I see this:
    Initiating UDP Scan against  (64.80.176.11)
    12:43:34.168842 nmap_source.58153 > fw_under_test.973:  udp 0
    12:43:34.274503 fw_under_test > nmap_source: icmp: 64.80.176.11 udp port 973 unreachable
    
    And that's the last packet I get from the machine.
    
    If I run nslookup on nmap_source, set my server to fw_under_test, and
    attempt to resolve something (even though fw_under_test is not running a
    nameserver), the fw_under_test does not crash.  It merely replies with udp
    port unreachable and stays up.
    
    Ideas?
    
    -Yanek.
    



    This archive was generated by hypermail 2b30 : Wed Nov 14 2001 - 12:53:28 PST