Bugtraq mailing list archives
Re: Sendmail, lynx, Netscape, sshd, Linux kernel (twice)
From: wietse () PORCUPINE ORG (Wietse Venema)
Date: Sat, 31 Oct 1998 21:24:09 +1900
Michal Zalewski:
1. Send SYN from port X to victim, dst_port=25 (victim sends SYN/ACK)
2. Send RST from port X to victim, dst_port=25 respecting sequence numbers (victim got error on accept() - and enters 5 sec 'refusingconn' mode)
3. Wait approx. 2 seconds
4. Go to 1.

So, by sending just a few bytes every two seconds, we could completely lock sendmail service. There's no reason to post any exploits. RFC + any source (teardrop is good) + 'tcpdump -x' + 15 minutes = exploit.
This attack is specific to LINUX. On UNIX systems with a BSD TCP/IP protocol stack, the accept() call does not return until the three-way handshake completes. Please do not blame Sendmail for every problem in the world.

Wietse
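
Added example, not part of the original message and not Sendmail's or the Linux kernel's code: a sketch of how a listener can classify accept() failures so that an error tied to one aborted connection does not start the refusal pause described in the quoted text. The function names, the errno grouping and the sample sequence are assumptions made for illustration; the 5-second pause is the figure from the quoted description, and the page does not say which errno value the kernel returned.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

enum accept_action { ACCEPT_RETRY, ACCEPT_BACKOFF, ACCEPT_FATAL };

/* Decide what a listener should do with the errno left by a failed accept(). */
enum accept_action classify_accept_errno(int err)
{
    switch (err) {
    case EINTR: case EAGAIN:
#if EWOULDBLOCK != EAGAIN
    case EWOULDBLOCK:
#endif
    /* Errors that belong to one pending connection, e.g. a peer that reset
       it before accept() returned: drop that connection, keep serving. */
    case ECONNABORTED: case ECONNRESET: case EPROTO: case ETIMEDOUT:
    case ENETDOWN: case ENETUNREACH: case EHOSTUNREACH:
        return ACCEPT_RETRY;
    /* Local resource exhaustion: a short pause is the right response. */
    case EMFILE: case ENFILE: case ENOBUFS: case ENOMEM:
        return ACCEPT_BACKOFF;
    default: /* EBADF, EINVAL, ENOTSOCK ...: the listening socket is broken */
        return ACCEPT_FATAL;
    }
}

/* Seconds a listener spends refusing connections over a run of accept()
   results (0 = success). naive != 0 models "pause on any error". */
int refusal_seconds(const int *errs, size_t n, int naive, int pause)
{
    int total = 0;
    for (size_t i = 0; i < n; i++) {
        if (errs[i] == 0) continue;
        enum accept_action a = classify_accept_errno(errs[i]);
        if (naive || a == ACCEPT_BACKOFF) total += pause;
        else if (a == ACCEPT_FATAL) break;
    }
    return total;
}

/* Constructed sample: accept() results seen by a listener, not captured data. */
static const int sample[] = { 0, ECONNABORTED, 0, ECONNABORTED, EMFILE, ECONNABORTED };

int main(void)
{
    size_t n = sizeof sample / sizeof sample[0];
    printf("pause on any error: %d s refused\n", refusal_seconds(sample, n, 1, 5));
    printf("classified errors:  %d s refused\n", refusal_seconds(sample, n, 0, 5));
    return 0;
}
```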