Bugtraq mailing list archives

Re: Sendmail, lynx, Netscape, sshd, Linux kernel (twice)


From: wietse () PORCUPINE ORG (Wietse Venema)
Date: Sat, 31 Oct 1998 21:24:09 +1900


Michal Zalewski:
1. Send SYN from port X to victim, dst_port=25 (victim sends SYN/ACK)
2. Send RST from port X to victim, dst_port=25 respecting sequence numbers
   (victim got error on accept() - and enters 5 sec 'refusingconn' mode)
3. Wait approx. 2 seconds
4. Go to 1.

So, by sending just a few bytes every two seconds, we could completely
lock sendmail service. There's no reason to post any exploits. RFC +
any source (teardrop is good) + 'tcpdump -x' + 15 minutes = exploit.

This attack is specific to LINUX. On UNIX systems with a BSD TCP/IP
protocol stack, the accept() call does not return until the three-way
handshake completes.

Please do not blame Sendmail for every problem in the world.

        Wietse
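A detection-side illustration of the pattern the thread describes, added here as an example; it is not code from the original post, from Sendmail or from the Linux kernel. It walks a few tcpdump-style lines and flags a source that repeatedly opens a connection to port 25 with a SYN and then tears it down with a RST before any ACK-bearing segment, which is the signature a defender would watch for on a Linux host where accept() can fail this way. The one-line capture format, the addresses, the timestamps, the 60-second window and the threshold of five aborts are all constructed assumptions, not values from the page.

```python
import re
from collections import defaultdict, deque

# Minimal parser for tcpdump-style one-liners of the assumed form
#   HH:MM:SS.ffffff IP A.B.C.D.sport > E.F.G.H.dport: Flags [S]
# (real tcpdump output carries more fields after the flags; they are ignored here).
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_line(line):
    """Return ts (seconds since midnight), src, sport, dst, dport and flags,
    or None when the line does not have the expected shape."""
    m = LINE_RE.match(line)
    if not m:
        return None
    h, mi, s = m.group("ts").split(":")
    return {
        "ts": int(h) * 3600 + int(mi) * 60 + float(s),
        "src": m.group("src"),
        "sport": int(m.group("sport")),
        "dst": m.group("dst"),
        "dport": int(m.group("dport")),
        "flags": m.group("flags"),
    }


def find_syn_rst_churn(lines, port=25, window_s=60.0, threshold=5):
    """Count, per source IP, attempts to `port` that were opened with a bare SYN
    and then closed with RST before that source sent any ACK-bearing segment
    (handshake started, then aborted).  Returns {src_ip: peak aborts in any
    window_s interval} for sources at or above `threshold`."""
    pending = {}                 # (src, sport) -> timestamp of the bare SYN
    aborts = defaultdict(list)   # src -> timestamps of SYN-then-RST aborts
    for line in lines:
        pkt = parse_line(line)
        if pkt is None or pkt["dport"] != port:
            continue             # skip unparsable lines and traffic to other ports
        key = (pkt["src"], pkt["sport"])
        flags = pkt["flags"]
        if "S" in flags and "." not in flags:
            pending[key] = pkt["ts"]                   # bare SYN: attempt opened
        elif "R" in flags:
            if pending.pop(key, None) is not None:
                aborts[pkt["src"]].append(pkt["ts"])   # RST straight after the SYN
        else:
            pending.pop(key, None)                     # ACK/PSH/FIN: handshake went on normally
    alerts = {}
    for src, stamps in aborts.items():
        stamps.sort()
        window = deque()
        peak = 0
        for t in stamps:         # sliding window: most aborts inside window_s
            window.append(t)
            while t - window[0] > window_s:
                window.popleft()
            peak = max(peak, len(window))
        if peak >= threshold:
            alerts[src] = peak
    return alerts


def _sample_lines():
    """Constructed sample capture (not real traffic): one source aborting a SYN
    every two seconds, one client that aborts once, and one normal session."""
    def ts(offset):
        return "21:24:%06.3f" % offset
    lines = []
    for i in range(6):           # abusive pattern: SYN, server SYN/ACK, client RST 10 ms later
        lines.append("%s IP 198.51.100.7.%d > 192.0.2.10.25: Flags [S]" % (ts(2 * i), 4000 + i))
        lines.append("%s IP 192.0.2.10.25 > 198.51.100.7.%d: Flags [S.]" % (ts(2 * i + 0.005), 4000 + i))
        lines.append("%s IP 198.51.100.7.%d > 192.0.2.10.25: Flags [R.]" % (ts(2 * i + 0.01), 4000 + i))
    lines.append("21:24:01.000 IP 203.0.113.9.5000 > 192.0.2.10.25: Flags [S]")   # single abort
    lines.append("21:24:01.020 IP 203.0.113.9.5000 > 192.0.2.10.25: Flags [R]")
    lines.append("21:24:03.000 IP 192.0.2.20.6000 > 192.0.2.10.25: Flags [S]")    # normal session
    lines.append("21:24:03.010 IP 192.0.2.20.6000 > 192.0.2.10.25: Flags [.]")
    lines.append("21:24:03.500 IP 192.0.2.20.6000 > 192.0.2.10.25: Flags [P.]")
    lines.append("21:24:09.000 IP 192.0.2.20.6000 > 192.0.2.10.25: Flags [F.]")
    return lines


SAMPLE_LINES = _sample_lines()

if __name__ == "__main__":
    print(find_syn_rst_churn(SAMPLE_LINES))   # {'198.51.100.7': 6}
```

The server's own SYN/ACK replies are skipped because their destination port is not 25, and a client that completes the handshake (a pure ACK after its SYN) is dropped from the pending table, so only the SYN-then-RST shape is counted. A single aborted attempt stays well under the threshold; the per-source sliding window is what separates a churning source from ordinary connection failures.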

