[26835] in North American Network Operators' Group
Fwd: stream.c - new FreeBSD exploit?
daemon@ATHENA.MIT.EDU (Allan Carscaddon)
Thu Jan 20 15:04:30 2000
Message-Id: <4.2.2.20000120150120.00b53b30@carscaddon.com>
Date: Thu, 20 Jan 2000 15:01:51 -0500
To: Joe Shaw <jshaw@insync.net>,
"Henry R. Linneweh" <linneweh@concentric.net>
From: Allan Carscaddon <allan@carscaddon.com>
Cc: nanog@merit.edu
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Errors-To: owner-nanog-outgoing@merit.edu
Fresh from BUGTRAQ:
>Approved-By: aleph1@SECURITYFOCUS.COM
>Delivered-To: bugtraq@lists.securityfocus.com
>Delivered-To: bugtraq@securityfocus.com
>Date: Tue, 18 Jan 2000 14:44:38 -0800
>Reply-To: The Tree of Life <ttol@JAMES.KALIFORNIA.COM>
>Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
>From: The Tree of Life <ttol@JAMES.KALIFORNIA.COM>
>Subject: stream.c - new FreeBSD exploit?
>X-To: bugtraq@securityfocus.com
>To: BUGTRAQ@SECURITYFOCUS.COM
>X-Loop-Detect: 1
>
>I've been informed today by an irc admin that a new exploit is circulating
>around. It "sends tcp-established bitstream shit" and makes the "kernel
>fuck up".
>
>It's called stream.c.
>
>The efnet ircadmin told me servers on Exodus (Exodus Communications) were
>being hit and they managed to get a hold of the guy. When asked what was going
>on, he just said "stream.c".
>
>When I talked to another person to ask if he had 'acquired' the source, he
>said he wasn't going to give it out. I asked him if he had a patch for it,
>and he replied "the fbsd team is working on it. No patch is available right
>now."
>
>What's the importance of this? Major companies such as Yahoo
>(www.yahoo.com) and others run freebsd.
>
>According to the irc admin, a simple reboot fixes it. "Your box reboots or
>dies." He also stated, when asked if anything noticeable happened, that
>"nothing unusual [happened]".
>
>The only log that he could provide was this one:
>
>---snip---
>
>syslog:Jan 18 12:30:36 x kernel: Kernel panic: Free list empty
>
>---snip---
>
>One thing of note: he also stated this happened on non-freebsd systems,
>which is contrary to what the other person said, who was "under the
>impression it was freebsd specific."
>
>I have the source, which I'm not going to post for 2-3 days (give time for
>fbsd to work on the fix). If it isn't out before the 21st, I'll post it up.
>
>---snip---
>
>void usage(char *progname)
>{
> fprintf(stderr, "Usage: %s <dstaddr> <dstport> <pktsize> <pps>\n", progname);
> fprintf(stderr, " dstaddr - the target we are trying to attack.\n");
> fprintf(stderr, " dstport - the port of the target, 0 = random.\n");
> fprintf(stderr, " pktsize - the extra size to use. 0 = normal syn.\n");
> exit(1);
>}
>
>---snip---
>
>Thanks for listening to my ramblings, hope everything I said helps.
>
>- ttol