Vulnerability Development mailing list archives
FreeBSD listen()
From: 3APA3A () SECURITY NNOV RU (3APA3A)
Date: Wed, 27 Oct 1999 16:50:33 +0400
Hello,

Can someone explain why the behavior of the listen() backlog parameter in FreeBSD is different from the documentation? I'm not an expert in FreeBSD or Unix at all, so sorry if this problem is well known or there is no problem at all.

LISTEN(2) says:

-=-=-=-=-
int listen(int s, int backlog)
<skipped>
The backlog parameter defines the maximum length the queue of pending connections may grow to. If a connection request arrives with the queue full the client may receive an error with an indication of ECONNREFUSED, or, if the underlying protocol supports retransmission, the request may be ignored so that retries may succeed.
<skipped>
HISTORY
The listen() function call appeared in 4.2BSD. The ability to configure the maximum backlog at run-time, and to use a negative backlog to request the maximum allowable value, was introduced in FreeBSD 2.2.
-=-=-=-=-

But: for FreeBSD 2.2.* the backlog parameter doesn't seem to work. At least, if I use listen(sock, 1) and try to connect() from 3 different connections, all 3 connect()s succeed, at least in FreeBSD up to 2.2.6 (later versions are not tested). FreeBSD 3.* is different, but not perfect: an extra connect() attempt is always ignored (i.e. timed out) when the backlog is exceeded. A connection will never be rejected with ECONNREFUSED as stated in the documentation.

This fact causes problems. Some applications (for example an ftp server in passive mode or an ftp client in active mode) use listen(data, 1); accept(data, ...); close(data); to limit the number of incoming data connections to exactly one.

If the second connection is not rejected, it makes possible an attack to inject or intercept data between server and client as described in the NAI bulletin http://www.nai.com/nai_labs/asp_set/advisory/ftp-paper.asp and realized in the exploit posted to Vuln-dev, see http://www.securityfocus.com/templates/archive.pike?list=82&date=1999-10-15&msg=9628.991015 () SECURITY NNOV RU

The exploit doesn't work against the 3.x BSD ftp client because 3.x seems to have some built-in protection against SYN flood or similar attacks which prevents the frequent connect() attempts the exploit uses. But this fact doesn't eliminate the problem itself.

3APA3A
http://www.security.nnov.ru
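An added example in C (not code from the post above or from any BSD ftp implementation) of the defensive pattern this report argues for: since listen(data, 1) does not keep a second data connection out, accept and then verify the peer address against the one expected (for FTP, the control connection's peer), closing anything else. The loopback self-check and the addresses used are constructed for illustration.

```c
/* Added example, not code from the original post: instead of relying on
 * listen(data, 1) to keep a second data connection out, accept and verify the
 * peer (for FTP, the expected peer is the control connection's address). */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <unistd.h>

/* 1 if the two IPv4 addresses (network byte order) are equal, else 0. */
int addr_matches(in_addr_t peer, in_addr_t expected)
{
    return peer == expected;
}

/* Accept up to max_attempts queued connections on lfd and return the first one
 * whose peer is expected; every other peer is closed. -1 if none matched. */
int accept_only_from(int lfd, in_addr_t expected, int max_attempts)
{
    for (int i = 0; i < max_attempts; i++) {
        struct sockaddr_in peer;
        socklen_t len = sizeof peer;
        int fd = accept(lfd, (struct sockaddr *)&peer, &len);
        if (fd < 0)
            return -1;
        if (peer.sin_family == AF_INET && addr_matches(peer.sin_addr.s_addr, expected))
            return fd;
        close(fd); /* unexpected peer: drop it and keep waiting */
    }
    return -1;
}

/* Constructed loopback self-check: listen with backlog 1 as the ftp code does, open
 * two connections, confirm the accepted one is the expected peer. 1 = ok, -1 = error. */
int loopback_check(void)
{
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };
    socklen_t len = sizeof sa;
    int lfd = socket(AF_INET, SOCK_STREAM, 0);
    if (lfd < 0 || bind(lfd, (struct sockaddr *)&sa, len) < 0 || listen(lfd, 1) < 0 ||
        getsockname(lfd, (struct sockaddr *)&sa, &len) < 0)
        return -1;
    int c1 = socket(AF_INET, SOCK_STREAM, 0), c2 = socket(AF_INET, SOCK_STREAM, 0);
    /* Both connect()s complete although backlog is 1: the kernel queues them. */
    if (connect(c1, (struct sockaddr *)&sa, len) < 0 || connect(c2, (struct sockaddr *)&sa, len) < 0)
        return -1;
    int d = accept_only_from(lfd, htonl(INADDR_LOOPBACK), 2);
    close(c1); close(c2); close(lfd);
    if (d < 0)
        return -1;
    close(d);
    return 1;
}
```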