Re: stream.c - new FreeBSD exploit?

[Kristofer.Haight () TFN COM (Haight, Kristofer)]

This may yet another Unix-only attack.

Either I compiled it wrong (I will check when I return to work Monday), or
WindowsNT is immune to this attack totally. I didnt see anything strange
happening at all (except the hub in my LAB was going nuts). This was tested
on a WindowsNT Box running NT 4.0, SP 5, Option Pack 4 with IIS 4. The DoS
was coming from a RedHat 6.0 Linux Box. I tried to hit several ports known
open ports and what not, but I didnt see a thing.

I will also check to see if Win9x or Win2k is immune to this on Monday.

If anyone has sucessfully gotten this to kill an NT box, please let me know
and what you did to change that. I'd like to hear this

Will have more later, but wanted to test this quickly before I go home for
the weekend =)

-- Kris

*************************************
Kristofer Haight
NT Network Administrator and EA Admin
Thomson Finanical Services
kristofer.haight () tfn com
617-856-1912
**************************************

> -----Original Message-----
> From: Bill Fumerola [mailto:billf () CHC-CHIMES COM]
> Sent: Thursday, January 20, 2000 4:16 PM
> To: BUGTRAQ () SECURITYFOCUS COM
> Subject: Re: stream.c - new FreeBSD exploit?
>
>
> On Tue, Jan 18, 2000 at 02:44:38PM -0800, The Tree of Life wrote:
>
> > When I talked to another person to ask if he had 'acquired'
> the source, he
> > said he wasn't going to give it out.  I asked him if he had
> a patch for it,
> > and he replied "the fbsd team is working on it.  No patch
> is available right
> > now."
> >
> > What's the importance of this?  Major companies such as Yahoo
> > (www.yahoo.com) and others run freebsd.
>
> Major companies have firewalls too, but from what it sounds like, this
> attack may crash/freeze/reboot/whatever them as well.
>
> > According to the irc admin, a simple reboot fixes it.
> "Your box reboots or
> > dies."  He also stated, when asked if anything noticeable
> happened, that
> > "nothing unusual [happened]".
> >
> > The only log that he could provide was this one:
> >
> > ---snip---
> > syslog:Jan 18 12:30:36 x kernel: Kernel panic: Free list empty
> > ---snip---
>
> [hawk-billf] /sys > find . |xargs grep -ie 'free list empty'
> [hawk-billf] /sys > uname -mrs
> FreeBSD 4.0-CURRENT i386
>
> > One thing of note:  he also stated this happened on
> non-freebsd systems,
> > which is contrary to what the other person said, who was "under the
> > impression it was freebsd specific."
>
> The above is a Linux panic, so it obviously works on
> non-FreeBSD machines.
>
> It's a pity to attach FreeBSD to this exploit, as it
> obviously isn't specific
> to just the FreeBSD stack. I wish the FUD would just go away
> sometimes.
>
> --
> Bill Fumerola - Network Architect
> Computer Horizons Corp - CVM
> e-mail: billf () chc-chimes com / billf () FreeBSD org
> Office: 800-252-2421 x128 / Cell: 248-761-7272
>
>
>
> ps. I'm not speaking for CHC or for FreeBSD...