Fwd: stream.c - new FreeBSD exploit?
Fresh from BUGTRAQ:
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: bugtraq@securityfocus.com
Date: Tue, 18 Jan 2000 14:44:38 -0800
Reply-To: The Tree of Life <ttol@JAMES.KALIFORNIA.COM>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: The Tree of Life <ttol@JAMES.KALIFORNIA.COM>
Subject: stream.c - new FreeBSD exploit?
X-To: bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM
X-Loop-Detect: 1
I've been informed today by an irc admin that a new exploit is circulating around. It "sends tcp-established bitstream shit" and makes the "kernel fuck up".
It's called stream.c.
The efnet ircadmin told me servers on Exodus (Exodus Communications) were being hit and they managed to get a hold of the guy. When asked what was going on, he just said "stream.c".
When I talked to another person to ask if he had 'acquired' the source, he said he wasn't going to give it out. I asked him if he had a patch for it, and he replied "the fbsd team is working on it. No patch is available right now."
What's the importance of this? Major companies such as Yahoo (www.yahoo.com) and others run freebsd.
According to the irc admin, a simple reboot fixes it. "Your box reboots or dies." He also stated, when asked if anything noticeable happened, that "nothing unusual [happened]".
The only log that he could provide was this one:
---snip---
syslog:Jan 18 12:30:36 x kernel: Kernel panic: Free list empty
---snip---
One thing of note: he also stated this happened on non-freebsd systems, which is contrary to what the other person said, who was "under the impression it was freebsd specific."
I have the source, which I'm not going to post for 2-3 days (give time for fbsd to work on the fix). If it isn't out before the 21st, I'll post it up.
---snip---
void usage(char *progname)
{
    fprintf(stderr, "Usage: %s <dstaddr> <dstport> <pktsize> <pps>\n", progname);
    fprintf(stderr, " dstaddr - the target we are trying to attack.\n");
    fprintf(stderr, " dstport - the port of the target, 0 = random.\n");
    fprintf(stderr, " pktsize - the extra size to use. 0 = normal syn.\n");
    exit(1);
}
---snip---
Thanks for listening to my ramblings, hope everything I said helps.
- ttol
http://www.alladvantage.com/home.asp?refid=AME389
Get Paid to Surf. It works actually, cause people get thousands of dollars a month from it...it's neet :P
My id is AME389 - use it! :)
On Thu, Jan 20, 2000 at 03:01:51PM -0500, Allan Carscaddon wrote:
> Fresh from BUGTRAQ:
Oh jesus christ. Enough already.

This packet generation code was written by myself approx 5 months ago, for testing purposes. The only difference between it and other SYN flooders is the code is much cleaner and it unfortunately puts out an order of magnitude more packets per second than previously existing code (some of which defined "grungy" especially the crap like synk4 slice and other popular packet kiddie programs). A certain individual who shall remain nameless at this time decided to release it to some packet kids 5 months after the fact.

There is absolutely nothing new or interesting about the ack flooding, just pure luck and coincidence that said individual was playing around with the flags out of stupidity and left it as TH_ACK in the ver that got out. The only thing even slightly interesting is that the code does a much better job of being efficient, within the limitation that any high packet per second program entirely in userland using calls to send() will suck no matter what (doesn't rebuild the entire packet every time only the parts that change... common sense?).

For everyone that cares the person who originally posted to bugtraq will not be releasing it, and neither will anyone else, so would everyone put their little packet peckers back in their pants and move on.

--
Richard A. Steenbergen <ras@above.net> http://users.quadrunner.com/humble
PGP Key ID: 0x60AB0AD1 (E5 35 10 1D DE 7D 8C A7 09 1C 80 8B AF B9 77 BB)
AboveNet Communications - AboveSecure Network Security Engineer, Vienna VA
"A mind is like a parachute, it works best when open." -- Unknown
On 01/20/00, Richard Steenbergen <ras@above.net> wrote:
> For everyone that cares the person who originally posted to bugtraq will not be releasing it, and neither will anyone else, so would everyone put their little packet peckers back in their pants and move on.
If only that were true...I've had a bunch of people offer me copies in the past day or so. But I don't plan to become a distributor of that source code either, so don't ask.

---------========== J.D. Falk <jdfalk@cybernothing.org> =========---------
  | "Don't hate the media. Become the media." |
  | --Jello Biafra of the Dead Kennedys |
  ----========== http://www.cybernothing.org/jdfalk/home.html ==========----