[7809] in bugtraq
Re: FreeBSD's RST validation
daemon@ATHENA.MIT.EDU (Tristan Horn)
Mon Aug 31 11:16:08 1998
Date: Sun, 30 Aug 1998 22:30:34 -0700
Reply-To: Tristan Horn <tristan+-eyjgmd@ETHEREAL.NET>
From: Tristan Horn <tristan+-eyjgmd@ETHEREAL.NET>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <Pine.BSF.3.96.980830181000.5237Q-100000@silver.teardrop.org>;
from James Snow on Sun, Aug 30, 1998 at 06:22:26PM -0700
On Sun, Aug 30, 1998 at 06:22:26PM -0700, James Snow wrote:
> Be aware that this individual used this attack on my machine late last
> night, disconnecting all of my users without warning, and certainly
> without asking for permission.
As before, I apologize for disconnecting those three random IRC sessions,
though I don't think that's relevant to this forum.
> He also did not, to my knowledge, report this to the FreeBSD team before
> posting this here.
Yeah, I only Bcc'd security-officer@freebsd.org. Sorry, prior experience
led me to believe that it would take a day or so before the message would
be approved...
Probably not entirely FreeBSD-specific, anyway.
On Sun, Aug 30, 1998 at 07:09:46PM -0700, Diane Bruce wrote:
> I hate people who mime their email for the plain text part.
OK, I won't sign this one.
> Port 6666 is quite commonly used for autoconnect, as well as 31337...
> Not really very much that can be done from userland really...
I'm told that 5555 is something of a standard these days too.
If you can effectively keep /both/ ports unknown, i.e. bind to a random
port for outbound server connections and get your uplink to set up a
special port (firewalled from portscanners), you'd be in good shape.
However, I doubt most people would be willing to go to such trouble, and
I think it takes enough additional brainpower to keep it from being
exploited much before the patch is released anyway.
The offending code seems to be around /usr/src/sys/netinet/tcp_input.c:809
for sockets in SYN_SENT state, and :1138 for sockets in most of the other
states. (Looking at 2.2.6-RELEASE: $Id: tcp_input.c,v 1.54.2.7...)
On a similar topic, has anyone explored the possibility of injecting
routes or doing other evil things with the endless information that ciscos
provide in sh ip bgp nei? Most route-views type places seem to allow it.
Tris