From: Peter Pentchev <roam@ringlet.net>
Date: Mon, 23 Sep 2002 12:40:57 +0300
To: cizbasa@info.uvt.ro
Cc: freebsd-bugs@FreeBSD.ORG
Subject: Re: *BSD remote kernel-level (TCP/IP stack) vulnerability! - ABFrag.c
Message-ID: <20020923094057.GC360@straylight.oblivion.bg>
In-Reply-To: <33475.213.154.157.188.1032699114.squirrel@web.info.uvt.ro>
User-Agent: Mutt/1.5.1i

On Sun, Sep 22, 2002 at 03:51:54PM +0300, cizbasa@info.uvt.ro wrote:
> Hello,
>
> First of all this is hearsay, but being from a reliable source (imho),
> here it is:
>
> There supposedly is an exploit named ABFrag.c in the wild that affects the
> TCP/IP stack on *BSD systems, providing remote root shell to the attacker.

There have been various rumours of exploits using fragmented packets for
the TCP/IP stacks of various OSes in the past few years. I personally
find them very hard to believe: the TCP/IP stack is part of the kernel,
and while it may be theoretically possible that the fragmented packets'
handling is a bit off-base, it would be *very* hard to write an exploit
that would perform a stack smash in the kernel, then pass control to a
kernel routine that would start a userland process, bind it to a
listening port, then make sure it starts up a shell. Mind you, I am not
saying that this would be impossible, just very, very, *very* much
improbable :)

Even if it were true, it would be much harder to write so that it would
affect *different* OSes: the differences in the TCP stacks are not that
large, but significant for at least this purpose.

> The system of someone that I know has been rooted using it (he was pasted
> some lines from his /etc/shadow as proof).

Well, first of all, I assume you mean /etc/master.passwd, because there
is no /etc/shadow in FreeBSD :)

Second, are you absolutely sure that your acquaintance's system was not
"rooted" using another exploit? Apache+OpenSSL and telnetd come to mind
immediately; there were a couple of others in the past few months.

G'luck,
Peter

-- 
Peter Pentchev	roam@ringlet.net	roam@FreeBSD.org
PGP key:	http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint	FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
This sentence would be seven words long if it were six words shorter.