Re: solaris DoS (fwd)

[eparker () MINDSEC COM (Erik Parker)]

Mindsec just got time to test this.. However it doesn't compile
on a Solaris 2.6 machine. In Addition, I have a fully patched Enterprise
250 I tested this on, running 2.6 (the same machine we tried to compile
this on), and the nmap problem doesn't seem to exist either. Perhaps
I will test this on a newly installed Ultra 10.

I was also check this (and a few other problems) against the Solaris 8
machine we are testing. We have Solaris 8 running an ultra 10.. Just
for OS testing, but we will also try some of the past exploits and
problems against it.

SunOS sunflare 5.6 Generic_105181-16 sun4u sparc SUNW,Ultra-4

All proper libraries installed, about 6 pages of errors.. Here
is a snippet:

soltera.c:31: parse error before `tcp_seq'
soltera.c:31: warning: data definition has no type or storage class
soltera.c:34: parse error before `unsigned'
soltera.c:35: parse error before `unsigned'
soltera.c:41: parse error before `u_int8_t'soltera.c:31: parse error
soltera.c:41: warning: no semicolon at end of struct or union
soltera.c:49: warning: data definition has no type or storage class
soltera.c:295: dereferencing pointer to incomplete type
soltera.c:295: sizeof applied to an incomplete type
soltera.c:295: warning: passing arg 5 of `sendto' from incompatible
pointer type

On Fri, 24 Sep 1999, Mixter wrote:

> hi,
> a few days ago, a DoS against solaris was pointed out.
> i wrote a sample exploit which might need more testing.
> it basically creates a server, exercises fingerprinting on
> it, and kills it. it should crash any solaris 2.6 and maybe
> others. a friend told me that my exploit was able to bring his
> solaris 2.6 box to a kernel panic. maybe someone with root on
> a solaris box can try this one locally and tell me if it always works
>
> Mixter
>
> ---------- Forwarded message ----------
> Date: Wed, 22 Sep 1999 11:56:40 -0700
> From: David Brumley <dbrumley () GOJU STANFORD EDU>
> To: BUGTRAQ () securityfocus com
> Subject: solaris DoS
> Resent-Date: Thu, 23 Sep 1999 13:46:23 -0700
> Resent-From: mixter () telebot com
> Resent-To: mixter () newyorkoffice com
>
> Hi,
> A while ago I noticed nmap V 2.08 with OS fingerprinting (the -O option)
> could cause solaris kernel panic.  The trick is this:
>
> Select an active port to do an OS fingerprint.  Kill the server after
> doing a fingerprint.  Solaris will kernel panic.  It doesn't matter what
> server you choose or whether or not it's on a priviledged port.  However,
> it must be TCP.
>
> The attack is troublesome because of the time differential between the
> fingerprint and the kernel panic.  You probably won't think twice about
> the scan when the server dies and causes panic.
>
> Tested on Solaris 2.6 using a simple listen/accept server, as well as
> with sendmail 8.9.3.
>
> I worked with Sun a while ago on this problem, and they have released
> patch 105529-07 (for sparc) and 105530 (for x86).  According to the patch
> readme, the problem is with a recursive mutex_enter on the TCP streams
> driver.
>
> If you use nmap to scan your own network, use the -sT option to do vanilla
> connect()'s so you don't kill your own servers :)
>
> cheers,
> david
>
> #+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#
> David Brumley - Stanford Computer Security - dbrumley () Stanford EDU
> Phone: +1-650-723-2445    WWW: http://www.stanford.edu/~dbrumley
> Fax:   +1-650-725-9121    PGP: finger dbrumley-pgp () sunset Stanford EDU
> #+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#
> c:\winnt> secure_nt.exe
>   Securing NT.  Insert Linux boot disk to continue......
>           "I have opinions, my employer does not."

Erik Parker
eparker () mindsec com