RE: remote kernel exploits?

[Yonatan () xpert com (Yonatan Bokovza)]

> -----Original Message-----
> From: andy_mn () hushmail com [mailto:andy_mn () hushmail com]
> Sent: Sunday, September 08, 2002 14:44
> To: full-disclosure () lists netsys com
> Cc: vuln-dev () securityfocus com; incidents () securityfocus com
> Subject: remote kernel exploits?
>
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hey
>
> I've been hearing about this for the past year, but always shrugged
> it off as fun-and-games at best or FUD at worst. A few days 
> ago, though,
> I posed the question to a friend who has been a very reliable source
> in the past concerning exploit rumors and security gossip (among
> many other things, he was able to give me two week's warning about
> the Apache chunked encoding hole). He said in no uncertain terms
> that although he has no substantial information concerning the flaws,
> the Linux kernel, FreeBSD/OpenBSD kernel, and possibly other kernels
> contain remote vulnerabilities that were discovered independently by
> both a Bindview employee and/or an individual using the nickname ~el8.
>
> The bugs are said to have something to do with integer manipulation in
> the kernels' TCP/IP stacks. That's all he was able to offer 
> me, but was
> very forward in saying that he has full confidence based on
> conversations with others that these bugs do indeed exist.
>
> Now, there's always the chance I'll be wrong, but unless 
> someone wishes
> to comment on the technical plausibility of these vulnerabilities, I
> have several second-rate reasons as to why I believe these rumours
> are most likely just figments of the imagination:
>
> - - I have not seen any incident reports on Incidents, or any other
> mailing list for that matter.
>
> - - You'd think several high profile sites would've been 
> attacked already
> with such devastating exploits, but I've seen no reports of this. In
> fact, if the kids really did have such an exploit, you'd think they'd
> tag their h4ndl3z all over high profile sites. But according 
> to Alldas,
> high profile defacements have been virtually nonexistent in the last
> year or so.
>
> - - Given the skill required to craft such an exploit, I'd think it
> would be way out of the grasp of the kids. Since no researcher has
> come forth with such a vulnerability, it's logical to conclude that
> this does not exist.
>
>
> Anyway, I'm very interested in hearing what others have to offer
> concerning these rumors. Even if it's for reassurance ;>

It might be the case that this is the problem:
http://www.openbsd.org/errata.html#scarg
I know that a similar problem was fixed in FreeBSD a little
later, but I can't find the correct pointer.
Since this is a problem in the kernel, it might be remotely
exploitable.

Regards,
Yonatan.