[13483] in bugtraq


Re: stream.c - new FreeBSD exploit?

daemon@ATHENA.MIT.EDU (Darren Reed)
Fri Jan 21 19:47:42 2000

Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id:  <200001211446.BAA14549@cairo.anu.edu.au>
Date:         Sat, 22 Jan 2000 01:46:41 +1100
Reply-To: Darren Reed <avalon@COOMBS.ANU.EDU.AU>
From: Darren Reed <avalon@COOMBS.ANU.EDU.AU>
X-To:         ttol@JAMES.KALIFORNIA.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <Pine.LNX.4.21.0001181358360.11107-100000@james.kalifornia.com>
              from "The Tree of Life" at Jan 18, 2000 02:44:38 PM

In some mail from The Tree of Life, sie said:
>
> I've been informed today by an irc admin that a new exploit is circulating
> around.  It "sends tcp-established bitstream shit" and makes the "kernel
> fuck up".
>
> It's called stream.c.
>
> The efnet ircadmin told me servers on Exodus (Exodus Communications) were being
> hit and they managed to get a hold of the guy.  When asked what was going
> on, he just said "stream.c".
>
> When I talked to another person to ask if he had 'acquired' the source, he
> said he wasn't going to give it out.  I asked him if he had a patch for it,
> and he replied "the fbsd team is working on it.  No patch is available right
> now."
>
> What's the importance of this?  Major companies such as Yahoo
> (www.yahoo.com) and others run freebsd.
>
> According to the irc admin, a simple reboot fixes it.  "Your box reboots or
> dies."  He also stated, when asked if anything noticeable happened, that
> "nothing unusual [happened]".
>
> The only log that he could provide was this one:
>
> ---snip---
>
> syslog:Jan 18 12:30:36 x kernel: Kernel panic: Free list empty
>
> ---snip---
>
> One thing of note:  he also stated this happened on non-freebsd systems,
> which is contrary to what the other person said, who was "under the
> impression it was freebsd specific."
>
> I have the source, which I'm not going to post for 2-3 days (give time for
> fbsd to work on the fix).  If it isn't out before the 21st, I'll post it up.
>
> ---snip---

The above kernel message is from Linux 2.2, *NOT* FreeBSD.

The behaviour and impact would appear to vary from OS to OS and maybe
platform too.  It does not appear to cause Solaris7/NetBSD to panic
(in a hurry anyway).

Darren
