Serious potential TCP-IP FLAW(was Re: kernel panics at google)

Blu3Viper david en killerlabs.com
Sab Ene 22 07:22:57 CST 2000


On Fri, 21 Jan 2000, Matt wrote:
> This is very frightening.
> 
> This bug seems to exploit a flaw in the tcp-ip protocol.
> I have been informed of a potential security breech which was posted on
> bugtrack yesterday. FreeBSD is buzzing about how big a deal this appears
> to be. This message apparently has not made it here. This concerns me,
> because it either means we are not keeping up, or we are not being
> informed of what may be serious issues. Another note is that the message
> below was sent to the FreeBSD guys, only to discover that at least some of
> the snippets are from Linux Kernel code and can not be found in the
> FreeBSD Kernel Code. For further info, the FreeBSD-security list has a
> HUGE discussion going on about this. 
> 
> I hope that this is informative enough to allow the real coders(of which I
> am only trying to be) somthing to work with.

Actually, we have been keeping up and are aware of it and ramifications.  It
is not frightening or a really new form of attack.  It is your typical
spoofing flooder that uses ACK messages.  There is no exploiting of a flaw
of the TCP/IP protocol.

FreeBSD developers seem to have a different view than the one you're
presenting.  The ones I've spoken with certainly aren't buzzing about it
being a big deal.  Note the message posted to bugtraq several hours ago
today in response to the "wild claims" about stream.c.

> ---------- Forwarded message ----------
> Date: Tue, 18 Jan 2000 14:44:38 -0800
> From: The Tree of Life <ttol en JAMES.KALIFORNIA.COM>
> To: BUGTRAQ en SECURITYFOCUS.COM
> Subject: stream.c - new FreeBSD exploit?

Unfortunately this user is one of mine.  I am a bit embarrassed.

> I've been informed today by an irc admin that a new exploit is circulating
> around.  It "sends tcp-established bitstream shit" and makes the "kernel
> fuck up".

Bitstream stuff.  Cool.  I want some.

> It's called stream.c.

Which has actually been around for many months and hinted at quietly.  'tis
not new.

> The efnet ircadmin told me servers on Exodus (Exodus Communications) were
> being hit and they managed to get a hold of the guy.  When asked what was
> going on, he just said "stream.c".
> 
> When I talked to another person to ask if he had 'acquired' the source, he
> said he wasn't going to give it out.  I asked him if he had a patch for
> it, and he replied "the fbsd team is working on it.  No patch is available
> right now."

It's more of a stateful firewall issue than a patch unless there is a bug in
the connection queue code.

> What's the importance of this?  Major companies such as Yahoo
> (www.yahoo.com) and others run freebsd.

stream.c is not freebsd specific.  The attack can hit every TCP/IP
implementation.
 
> According to the irc admin, a simple reboot fixes it.  "Your box reboots
> or dies."  He also stated, when asked if anything noticeable happened,
> that "nothing unusual [happened]".

A reboot won't fix anything unless you're rebooting a crashed machine.  The
queue will immediately fill up again if the attack is continuing.  If the
attack stops, the ACK packets are already on their way into the bit bucket. 
For ttol, the ACK packets don't match an existing connection so an ICMP may
be sent and the packet is dropped.

> I have the source, which I'm not going to post for 2-3 days (give time for
> fbsd to work on the fix).  If it isn't out before the 21st, I'll post it
> up.

It's out.  Despite the extreme reluctance of packet kiddies to giving up
their warez, the right people are finally getting a copy of it.

> - ttol
> http://www.alladvantage.com/home.asp?refid=AME389
> Get Paid to Surf.  It works actually, cause people get thousands of
> dollars a month from it...it's neet :P  My id is AME389 - use it! :)

I don't like supporting spam.

-d


-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo en vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/



Más información sobre la lista de distribución Ayuda