solaris DoS (fwd)

["Liliana E. Velasquez Alegre Solha" <nina () cais rnp br>]

---------- Forwarded message ----------
Date: Wed, 22 Sep 1999 11:56:40 -0700
From: David Brumley <dbrumley () GOJU STANFORD EDU>
To: BUGTRAQ () SECURITYFOCUS COM
Subject: solaris DoS

Hi,
A while ago I noticed nmap V 2.08 with OS fingerprinting (the -O option)
could cause solaris kernel panic.  The trick is this:

Select an active port to do an OS fingerprint.  Kill the server after
doing a fingerprint.  Solaris will kernel panic.  It doesn't matter what
server you choose or whether or not it's on a priviledged port.  However,
it must be TCP.

The attack is troublesome because of the time differential between the
fingerprint and the kernel panic.  You probably won't think twice about
the scan when the server dies and causes panic.

Tested on Solaris 2.6 using a simple listen/accept server, as well as
with sendmail 8.9.3.

I worked with Sun a while ago on this problem, and they have released
patch 105529-07 (for sparc) and 105530 (for x86).  According to the patch
readme, the problem is with a recursive mutex_enter on the TCP streams
driver.

If you use nmap to scan your own network, use the -sT option to do vanilla
connect()'s so you don't kill your own servers :)

cheers,
david

#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#
David Brumley - Stanford Computer Security - dbrumley () Stanford EDU
Phone: +1-650-723-2445    WWW: http://www.stanford.edu/~dbrumley
Fax:   +1-650-725-9121    PGP: finger dbrumley-pgp () sunset Stanford EDU
#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#
c:\winnt> secure_nt.exe
  Securing NT.  Insert Linux boot disk to continue......
            "I have opinions, my employer does not."