Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Denial of Service Attacks INFO

From: matt () ott opcom ca (Matthew Harding)
Date: Thu, 23 May 1996 10:55:10 -0400

Fred Cohen wrote:



UDP Bomb - By sending a UDP packet with incorrect information in the
header, some Sun-OS 4.1.3 Unix boxes will panic and then reboot.


Anyone willing to say _what_ this magic incorrect information is?  I'd
much rather not have to take the time to grab the patch, uncompile both
it and the file(s) it replaces, and try to figure it out from there.


For example:

        from-IP=127.0.0.1
        to-IP=target
        Packet type: UDP
        from UDP port 7 (echo)
        to UDP port 7 (echo)



On a similar note, a more practical example is this
condition will occur if any NFS request (mount, getattr, etc.
etc.) has the source IP field set to 127.0.0.1. This can
happen in certain circumstances - I believe there is a patch
for HP/UX 9.x under certain platforms that prevents this
specific condition from occurring. (Any HP that mounts a
SunOS 4.1.x server could cause it to crash merely by mounting
it!).

If anyone is feeling frisky, start playing with a SunOS box
and try injecting spurious IP packets onto the wire... since
SunOS doesn't have the nifty DLPI interface that Solaris has,
it is probably susceptible to many, many similar attacks
using the standard IP stack.

On a related note, does everyone know of the /dev/openprom
problem under SunOS??? Any unprivileged user can crash the
system using /dev/openprom... the difference between this and
the above problem is that there is no patch for this one :-).
(Email for details if you would like to know more).

Cheers,
Matthew (matt () ott opcom ca)
Previous By Date Next
Previous By Thread Next

Current thread: