Vulnerability Development mailing list archives
Re: solaris DoS (fwd)
From: eparker () MINDSEC COM (Erik Parker)
Date: Mon, 4 Oct 1999 22:22:40 -0600
Mindsec just got time to test this.. However it doesn't compile on a Solaris 2.6 machine. In addition, I have a fully patched Enterprise 250 I tested this on, running 2.6 (the same machine we tried to compile this on), and the nmap problem doesn't seem to exist either. Perhaps I will test this on a newly installed Ultra 10. I was also checking this (and a few other problems) against the Solaris 8 machine we are testing. We have Solaris 8 running on an Ultra 10.. Just for OS testing, but we will also try some of the past exploits and problems against it.

SunOS sunflare 5.6 Generic_105181-16 sun4u sparc SUNW,Ultra-4

All proper libraries installed, about 6 pages of errors.. Here is a snippet:

soltera.c:31: parse error before `tcp_seq'
soltera.c:31: warning: data definition has no type or storage class
soltera.c:34: parse error before `unsigned'
soltera.c:35: parse error before `unsigned'
soltera.c:41: parse error before `u_int8_t'
soltera.c:31: parse error
soltera.c:41: warning: no semicolon at end of struct or union
soltera.c:49: warning: data definition has no type or storage class
soltera.c:295: dereferencing pointer to incomplete type
soltera.c:295: sizeof applied to an incomplete type
soltera.c:295: warning: passing arg 5 of `sendto' from incompatible pointer type

On Fri, 24 Sep 1999, Mixter wrote:
> hi, a few days ago, a DoS against solaris was pointed out. i wrote a sample exploit which might need more testing. it basically creates a server, exercises fingerprinting on it, and kills it. it should crash any solaris 2.6 and maybe others. a friend told me that my exploit was able to bring his solaris 2.6 box to a kernel panic. maybe someone with root on a solaris box can try this one locally and tell me if it always works
>
> Mixter
>
> ---------- Forwarded message ----------
> Date: Wed, 22 Sep 1999 11:56:40 -0700
> From: David Brumley <dbrumley () GOJU STANFORD EDU>
> To: BUGTRAQ () securityfocus com
> Subject: solaris DoS
> Resent-Date: Thu, 23 Sep 1999 13:46:23 -0700
> Resent-From: mixter () telebot com
> Resent-To: mixter () newyorkoffice com
>
> Hi,
>
> A while ago I noticed nmap V 2.08 with OS fingerprinting (the -O option) could cause solaris kernel panic. The trick is this:
>
> Select an active port to do an OS fingerprint.
> Kill the server after doing a fingerprint.
> Solaris will kernel panic.
>
> It doesn't matter what server you choose or whether or not it's on a privileged port. However, it must be TCP. The attack is troublesome because of the time differential between the fingerprint and the kernel panic. You probably won't think twice about the scan when the server dies and causes panic.
>
> Tested on Solaris 2.6 using a simple listen/accept server, as well as with sendmail 8.9.3.
>
> I worked with Sun a while ago on this problem, and they have released patch 105529-07 (for sparc) and 105530 (for x86). According to the patch readme, the problem is with a recursive mutex_enter on the TCP streams driver.
>
> If you use nmap to scan your own network, use the -sT option to do vanilla connect()'s so you don't kill your own servers :)
>
> cheers,
> david
>
> #+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#
> David Brumley - Stanford Computer Security - dbrumley () Stanford EDU
> Phone: +1-650-723-2445 WWW: http://www.stanford.edu/~dbrumley
> Fax: +1-650-725-9121 PGP: finger dbrumley-pgp () sunset Stanford EDU
> #+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#

c:\winnt> secure_nt.exe
Securing NT. Insert Linux boot disk to continue......
"I have opinions, my employer does not."
Erik Parker eparker () mindsec com
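A defender-side check that follows from Brumley's patch note, added here as an example and not code from anyone in this thread: a POSIX sh script that reads `showrev -p` output and reports whether patch 105529 is installed at revision 07 or newer on a sparc host. The `showrev -p` lines below are constructed sample input, not output from a real machine; the x86 patch 105530 is named in the note without a revision, so its minimum revision is left as a placeholder to be filled from the patch README.

```shell
#!/bin/sh
# Added example (not from the thread): verify that the Sun patch for the
# recursive mutex_enter panic in the TCP streams driver is installed.
# Reads `showrev -p` output on stdin; the sample below is constructed.

# highest_rev PATCHID : print the highest installed revision of PATCHID
# found in `showrev -p` lines on stdin (0 if the patch is absent).
highest_rev() {
    awk -v pid="$1" '
        $1 == "Patch:" {
            n = split($2, f, "-")          # "105529-05" -> id, revision
            if (n == 2 && f[1] == pid) {
                rev = f[2] + 0
                if (rev > best) best = rev
            }
        }
        END { printf "%d\n", best + 0 }
    '
}

# patch_at_least PATCHID MINREV : succeed (0) if PATCHID is installed at
# MINREV or newer, fail (1) otherwise. Reads `showrev -p` output on stdin.
patch_at_least() {
    rev=$(highest_rev "$1")
    [ "$rev" -ge "$2" ]
}

# Constructed sample of `showrev -p` output: kernel patch at -16, the TCP
# patch only at -05 (older than the -07 Brumley names), one unrelated patch.
SAMPLE_SHOWREV='Patch: 105181-16 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcar, SUNWcsu
Patch: 105529-05 Obsoletes:  Requires: 105181-09 Incompatibles:  Packages: SUNWcsu
Patch: 106125-08 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu'

# sample_sparc_check : run the sparc check over the constructed sample.
# On a real sparc host use:   showrev -p | patch_at_least 105529 7
# On x86 the note names 105530 but no revision; use the revision from the
# patch README:               showrev -p | patch_at_least 105530 <REV_FROM_README>
sample_sparc_check() {
    printf '%s\n' "$SAMPLE_SHOWREV" | patch_at_least 105529 7
}

if sample_sparc_check; then
    echo "105529 at revision 07 or newer: TCP panic fix present"
else
    echo "105529 missing or older than revision 07: apply 105529-07 (sparc)"
fi
```

Run it with `sh` to see the sample verdict; on a real host pipe `showrev -p` into `patch_at_least` as the comments show. The revision comparison is numeric so that `-05` versus `07` compares correctly, and a patch that is entirely absent yields revision 0 rather than an empty string, which is what makes the `-ge` test safe.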