Fresh from BUGTRAQ:
Approved-By: aleph1@SECURITYFOCUS.COM Delivered-To: bugtraq@lists.securityfocus.com Delivered-To: bugtraq@securityfocus.com Date: Tue, 18 Jan 2000 14:44:38 -0800 Reply-To: The Tree of Life <ttol@JAMES.KALIFORNIA.COM> Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM> From: The Tree of Life <ttol@JAMES.KALIFORNIA.COM> Subject: stream.c - new FreeBSD exploit? X-To: bugtraq@securityfocus.com To: BUGTRAQ@SECURITYFOCUS.COM X-Loop-Detect: 1
I've been informed today by an irc admin that a new exploit is circulating around. It "sends tcp-established bitstream shit" and makes the "kernel fuck up".
It's called stream.c.
The efnet ircadmin told me servers on Exodus (Exodus Communications) were being hit and they managed to get a hold of the guy. When asked what was going on, he just said "stream.c".
When I talked to another person to ask if he had 'acquired' the source, he said he wasn't going to give it out. I asked him if he had a patch for it, and he replied "the fbsd team is working on it. No patch is available right now."
What's the importance of this? Major companies such as Yahoo (www.yahoo.com) and others run freebsd.
According to the irc admin, a simple reboot fixes it. "Your box reboots or dies." He also stated, when asked if anything noticeable happened, that "nothing unusual [happened]".
The only log that he could provide was this one:
---snip---
syslog:Jan 18 12:30:36 x kernel: Kernel panic: Free list empty
---snip---
One thing of note: he also stated this happened on non-freebsd systems, which is contrary to what the other person said, who was "under the impression it was freebsd specific."
I have the source, which I'm not going to post for 2-3 days (give time for fbsd to work on the fix). If it isn't out before the 21st, I'll post it up.
---snip---
void usage(char *progname) { fprintf(stderr, "Usage: %s <dstaddr> <dstport> <pktsize> <pps>\n", progname); fprintf(stderr, " dstaddr - the target we are trying to attack.\n"); fprintf(stderr, " dstport - the port of the target, 0 = random.\n"); fprintf(stderr, " pktsize - the extra size to use. 0 = normal syn.\n"); exit(1); }
---snip---
Thanks for listening to my ramblings, hope everything I said helps.
- ttol http://www.alladvantage.com/home.asp?refid=AME389 Get Paid to Surf. It works actually, cause people get thousands of dollars a month from it...it's neet :P My id is AME389 - use it! :)