[8356] in bugtraq
Re: Sendmail, lynx, Netscape, sshd, Linux kernel (twice)
daemon@ATHENA.MIT.EDU (Wietse Venema)
Tue Nov 3 12:43:40 1998
Date: Sat, 31 Oct 1998 21:24:09 +1900
Reply-To: Wietse Venema <wietse@PORCUPINE.ORG>
From: Wietse Venema <wietse@PORCUPINE.ORG>
X-To: lcamtuf@IDS.PL
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <Pine.LNX.4.00.9809060047320.1137-100000@lcamtuf.ids.pl> from Michal Zalewski at "Sep 6, 98 00:53:24 am"
Michal Zalewski:
> 1. Send SYN from port X to victim, dst_port=25 (victim sends SYN/ACK)
> 2. Send RST from port X to victim, dst_port=25 respecting sequence numbers
> (victim got error on accept() - and enters 5 sec 'refusingconn' mode)
> 3. Wait approx. 2 seconds
> 4. Go to 1.
>
> So, by sending just a few bytes every two seconds, we could completely
> lock sendmail service. There's no reason to post any exploits. RFC +
> any source (teardrop is good) + 'tcpdump -x' + 15 minutes = exploit.
This attack is specific to LINUX. On UNIX systems with a BSD TCP/IP
protocol stack, the accept() call does not return until the three-way
handshake completes.
Please do not blame Sendmail for every problem in the world.
Wietse
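An added example, not code from this thread and not sendmail's own accept handling: a C accept() wrapper written from the defender's side of the distinction Wietse draws above. On a stack where accept() can fail because the peer reset the connection between SYN/ACK and accept(), the robust response is to treat that errno as belonging to one connection and call accept() again at once, rather than switching the whole listener into a refusal window that a few packets every couple of seconds can keep open. The function names, the errno classification and the loopback demo in main() are assumptions of this example, taken from POSIX and the Linux accept(2) manual page, not from the thread.

```c
/* Added example, not from the bugtraq thread or from sendmail.
 * Assumption: a blocking listening socket; the errno list below follows
 * POSIX and the Linux accept(2) manual page. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Return 1 when errno from accept() means "this one connection went away,
 * call accept() again immediately"; return 0 when the error concerns the
 * listening socket itself (EBADF, EINVAL, ENOTSOCK, EMFILE, ENFILE, ...).
 * EAGAIN is deliberately not retried here: on a non-blocking listener the
 * caller's poll loop owns that case, and spinning on it would be a bug. */
int accept_should_retry(int err)
{
    switch (err) {
    case EINTR:         /* a signal interrupted the call */
    case ECONNABORTED:  /* peer reset before accept(): the case in the thread */
    case ECONNRESET:
    case EPROTO:        /* Linux hands pending network errors back via accept() */
    case ENETDOWN:
    case ENETUNREACH:
    case EHOSTUNREACH:
    case ENOPROTOOPT:
    case EOPNOTSUPP:
#ifdef EHOSTDOWN
    case EHOSTDOWN:
#endif
#ifdef ENONET
    case ENONET:
#endif
        return 1;
    default:
        return 0;
    }
}

/* Block until one established connection is accepted, or until a
 * non-transient error occurs (then -1 with errno preserved). It never
 * sleeps: an aborted handshake costs one failed system call, not a
 * server-wide refusal period. */
int robust_accept(int listen_fd, struct sockaddr *addr, socklen_t *addrlen)
{
    for (;;) {
        socklen_t len = addrlen ? *addrlen : 0;
        int fd = accept(listen_fd, addr, addrlen ? &len : NULL);
        if (fd >= 0) {
            if (addrlen)
                *addrlen = len;
            return fd;
        }
        if (!accept_should_retry(errno))
            return -1;
        /* transient, per-connection failure: go straight back to accept() */
    }
}

/* Stand-alone demo on the loopback interface. A loopback client finishes
 * its three-way handshake inside the kernel before accept() is called, so
 * a single thread is enough to exercise the wrapper. */
int main(void)
{
    struct sockaddr_in sin, peer;
    socklen_t slen = sizeof sin, plen = sizeof peer;
    int lfd = socket(AF_INET, SOCK_STREAM, 0);
    int cfd = socket(AF_INET, SOCK_STREAM, 0);
    if (lfd < 0 || cfd < 0) { perror("socket"); return 1; }

    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sin.sin_port = 0;   /* let the kernel pick an ephemeral port */
    if (bind(lfd, (struct sockaddr *)&sin, sizeof sin) < 0 || listen(lfd, 16) < 0) {
        perror("bind/listen"); return 1;
    }
    if (getsockname(lfd, (struct sockaddr *)&sin, &slen) < 0) { perror("getsockname"); return 1; }
    if (connect(cfd, (struct sockaddr *)&sin, sizeof sin) < 0) { perror("connect"); return 1; }

    int afd = robust_accept(lfd, (struct sockaddr *)&peer, &plen);
    if (afd < 0) { perror("robust_accept: non-transient error"); return 1; }
    printf("accepted connection from %s:%u\n", inet_ntoa(peer.sin_addr), ntohs(peer.sin_port));
    close(afd);
    close(cfd);
    close(lfd);
    return 0;
}
```

The design point is the split between the two return paths: the errno values that describe one peer's connection are consumed inside the loop, while anything that describes the listener itself (a closed descriptor, descriptor-table exhaustion) is returned to the caller, who may reasonably back off or exit. That keeps a remote party's ability to abort its own handshake from turning into a lever over the service's availability.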