Date: Mon, 23 Sep 2002 12:40:57 +0300
From: Peter Pentchev <roam@ringlet.net>
To: cizbasa@info.uvt.ro
Cc: freebsd-bugs@FreeBSD.ORG
Subject: Re: *BSD remote kernel-level (TCP/IP stack) vulnerability! - ABFrag.c
Message-ID: <20020923094057.GC360@straylight.oblivion.bg>
In-Reply-To: <33475.213.154.157.188.1032699114.squirrel@web.info.uvt.ro>
References: <33475.213.154.157.188.1032699114.squirrel@web.info.uvt.ro>
On Sun, Sep 22, 2002 at 03:51:54PM +0300, cizbasa@info.uvt.ro wrote:
> Hello,
>
> First of all this is hearsay, but being from a reliable source (imho),
> here it is:
>
> There supposedly is an exploit named ABFrag.c in the wild that affects the
> TCP/IP stack on *BSD systems, providing a remote root shell to the attacker.

There have been various rumours of exploits using fragmented packets for the TCP/IP stacks of various OS's in the past few years. I personally find them very hard to believe: the TCP/IP stack is part of the kernel, and while it may be theoretically possible that the fragmented packets' handling is a bit off-base, it would be *very* hard to write an exploit that would perform a stack smash in the kernel, then pass control to a kernel routine that would start a userland process, bind it to a listening port, then make sure it starts up a shell. Mind you, I am not saying that this would be impossible, just very, very, *very* much improbable :)

Even if it were true, it would be much harder to write so that it would affect *different* OS's: the differences in the TCP stacks are not that large, but significant for at least this purpose.

> The system of someone that I know has been rooted using it (he was pasted
> some lines from his /etc/shadow as proof).

Well, first of all, I assume you mean /etc/master.passwd, because there is no /etc/shadow in FreeBSD :)

Second, are you absolutely sure that your acquaintance's system was not "rooted" using another exploit? Apache+OpenSSL and telnetd come to mind immediately; there were a couple of others in the past few months.
G'luck,
Peter

--
Peter Pentchev roam@ringlet.net roam@FreeBSD.org
PGP key: http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
This sentence would be seven words long if it were six words shorter.