Bugtraq archives for 4th quarter (Oct-Dec) 1998: Re: Sendmail, lynx, Netscape, sshd, Linux kernel (twice)

Re: Sendmail, lynx, Netscape, sshd, Linux kernel (twice)

Wietse Venema (wietsePORCUPINE.ORG)
Sat, 31 Oct 1998 21:24:09 +1900

Michal Zalewski:
> 1. Send SYN from port X to victim, dst_port=25 (victim sends SYN/ACK)
> 2. Send RST from port X to victim, dst_port=25 respecting sequence numbers
>    (victim got error on accept() - and enters 5 sec 'refusingconn' mode)
> 3. Wait approx. 2 seconds
> 4. Go to 1.
>
> So, by sending just a few bytes every two seconds, we could completely
> lock sendmail service. There's no reason to post any exploits. RFC +
> any source (teardrop is good) + 'tcpdump -x' + 15 minutes = exploit.

This attack is specific to LINUX. On UNIX systems with a BSD TCP/IP
protocol stack, the accept() call does not return until the three-way
handshake completes.

Please do not blame Sendmail for every problem in the world.

        Wietse
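From a defender's side, the pattern in the quoted steps (a SYN from a fixed source port, then a RST instead of the ACK that would complete the handshake, repeated every couple of seconds against port 25) is easy to pick out of a capture. The following is an added example, not code from the thread or from Sendmail: it runs over constructed packet records shaped like summarised tcpdump lines and flags sources that repeat the SYN/RST cycle; the 5-second window and the thresholds are assumptions taken from the quoted text.

```python
"""Detect the repeated SYN-then-RST half-open pattern from the thread.

Added example, not part of the original Bugtraq post. Each record is a
constructed tuple (timestamp, src_ip, src_port, dst_ip, dst_port, flags)
using tcpdump flag letters: 'S' = SYN, 'R' = RST, '.' = ACK, 'P' = PSH.
"""
from collections import defaultdict

# Constructed sample: one client that completes the handshake normally and
# one that repeats SYN -> RST from the same source port about every 2 s.
SAMPLE_PACKETS = [
    (0.00, "10.0.0.5", 40000, "192.0.2.10", 25, "S"),
    (0.01, "10.0.0.5", 40000, "192.0.2.10", 25, "."),
    (0.02, "10.0.0.5", 40000, "192.0.2.10", 25, "P."),
    (0.00, "198.51.100.7", 1234, "192.0.2.10", 25, "S"),
    (0.05, "198.51.100.7", 1234, "192.0.2.10", 25, "R"),
    (2.00, "198.51.100.7", 1234, "192.0.2.10", 25, "S"),
    (2.05, "198.51.100.7", 1234, "192.0.2.10", 25, "R"),
    (4.00, "198.51.100.7", 1234, "192.0.2.10", 25, "S"),
    (4.05, "198.51.100.7", 1234, "192.0.2.10", 25, "R"),
]


def find_syn_rst_abusers(packets, dst_port=25, min_cycles=3, max_period=5.0):
    """Return {(src_ip, src_port): cycles} for sources whose SYN is followed by
    a RST (never an ACK) at least min_cycles times, each cycle starting within
    max_period seconds of the previous one (5 s = the quoted refusal window)."""
    flows = defaultdict(list)  # (src_ip, src_port) -> [(time, flags), ...]
    for ts, sip, sport, dip, dport, flags in packets:
        if dport == dst_port:
            flows[(sip, sport)].append((ts, flags))

    abusers = {}
    for key, events in flows.items():
        events.sort()
        cycles = 0
        last_syn = None          # time of a SYN still awaiting the client's reply
        last_cycle_start = None  # time of the SYN that began the previous cycle
        for ts, flags in events:
            if "S" in flags:
                last_syn = ts
            elif last_syn is not None and "R" in flags:
                # SYN answered by the client's own RST: handshake aborted
                if last_cycle_start is None or ts - last_cycle_start <= max_period:
                    cycles += 1
                else:
                    cycles = 1   # gap too long, start a fresh run
                last_cycle_start, last_syn = last_syn, None
            elif last_syn is not None and "." in flags:
                last_syn = None  # ACK arrived: handshake completed, benign
        if cycles >= min_cycles:
            abusers[key] = cycles
    return abusers
```

The benign client completes its handshake and is never counted; the repeating source is reported with the number of aborted cycles, which is the signal an operator would alert on or rate-limit at the firewall.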