List:       bugtraq
Subject:    Re: Sendmail, lynx, Netscape, sshd, Linux kernel (twice)
From:       Wietse Venema <wietse () PORCUPINE ! ORG>
Date:       1998-10-31 2:24:09

Michal Zalewski:
> 1. Send SYN from port X to victim, dst_port=25 (victim sends SYN/ACK)
> 2. Send RST from port X to victim, dst_port=25 respecting sequence numbers
>    (victim got error on accept() - and enters 5 sec 'refusingconn' mode)
> 3. Wait approx. 2 seconds
> 4. Go to 1.
>
> So, by sending just a few bytes every two seconds, we could completely
> lock sendmail service. There's no reason to post any exploits. RFC +
> any source (teardrop is good) + 'tcpdump -x' + 15 minutes = exploit.

This attack is specific to LINUX. On UNIX systems with a BSD TCP/IP
protocol stack, the accept() call does not return until the three-way
handshake completes.

Please do not blame Sendmail for every problem in the world.

        Wietse
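As an added defender's-side illustration (not code from the thread or from either author), the following Python flags the pattern Michal describes: a client that repeatedly answers the server's SYN/ACK on port 25 with a RST instead of the completing ACK. The packet records, addresses, ports and thresholds are constructed stand-ins for parsed `tcpdump` output.

```python
"""Flag clients that repeatedly abort port-25 handshakes with a RST.

Added example: constructed packet tuples stand in for parsed tcpdump lines.
"""
from collections import defaultdict

# Constructed sample: (timestamp, src, sport, dst, dport, flags)
PACKETS = [
    (0.000, "10.0.0.9", 40000, "192.0.2.25", 25, "S"),
    (0.001, "192.0.2.25", 25, "10.0.0.9", 40000, "SA"),
    (0.002, "10.0.0.9", 40000, "192.0.2.25", 25, "R"),   # abort #1
    (2.000, "10.0.0.9", 40000, "192.0.2.25", 25, "S"),
    (2.001, "192.0.2.25", 25, "10.0.0.9", 40000, "SA"),
    (2.002, "10.0.0.9", 40000, "192.0.2.25", 25, "R"),   # abort #2
    (4.000, "10.0.0.9", 40000, "192.0.2.25", 25, "S"),
    (4.001, "192.0.2.25", 25, "10.0.0.9", 40000, "SA"),
    (4.002, "10.0.0.9", 40000, "192.0.2.25", 25, "R"),   # abort #3
    # A legitimate client completes the handshake with an ACK instead.
    (1.000, "10.0.0.7", 50000, "192.0.2.25", 25, "S"),
    (1.001, "192.0.2.25", 25, "10.0.0.7", 50000, "SA"),
    (1.002, "10.0.0.7", 50000, "192.0.2.25", 25, "A"),
]

def aborted_handshakes(packets, dport=25):
    """Return {client_ip: [timestamps]} of connections the client reset
    after the server's SYN/ACK but before sending the completing ACK."""
    state = {}                 # (client_ip, client_port) -> "syn" | "synack"
    aborts = defaultdict(list)
    for ts, src, sport, dst, dp, flags in sorted(packets):
        if dp == dport and flags == "S":            # client opens
            state[(src, sport)] = "syn"
        elif sport == dport and flags == "SA":      # server answers
            if state.get((dst, dp)) == "syn":
                state[(dst, dp)] = "synack"
        elif dp == dport and state.get((src, sport)) == "synack":
            if "R" in flags:                        # RST: handshake aborted
                aborts[src].append(ts)
            state.pop((src, sport), None)           # ACK or RST ends tracking
    return dict(aborts)

def flag_sources(packets, dport=25, window=10.0, threshold=3):
    """Flag clients with >= threshold aborts inside any window of seconds."""
    flagged = {}
    for client, times in aborted_handshakes(packets, dport).items():
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged[client] = len(times)
                break
    return flagged
```

The legitimate client (10.0.0.7) is never counted because its third packet is an ACK, so only sources that keep resetting half-open connections are reported.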