From owner-freebsd-security Thu Nov 20 11:00:46 1997
From: Martin Machacek
To: freebsd-security@FreeBSD.ORG
Subject: Re: new TCP/IP bug in win95 (fwd)
In-reply-to: Your message of "Thu, 20 Nov 1997 12:34:05 EST."
Date: Thu, 20 Nov 1997 20:00:31 +0100
Message-Id: <199711201900.UAA28913@bb-prg.eunet.cz>

> This seems relevant, although no doubt by the time this arrives, others
> will have managed to forward this to the list :)
>
> Have not confirmed results, don't have any machines locally that I can
> afford to blow away.

I've tried the exploit against FreeBSD 2.2.2, 2.2.5 and 3.0-current and the results were interesting. FreeBSD 2.2.2 does not seem to be vulnerable, however both 2.2.5 and 3.0 froze. Another interesting thing is that the exploit cannot be run on FreeBSD (I've patched it to compile) because sendto, even on a raw socket, plugs the correct source address into the packet. I've also tried the exploit against BSD/OS 2.1 and it also froze. There was little difference in the behaviour of FreeBSD and BSD/OS in the frozen state.

FreeBSD at least responded to ICMP echo packets and also managed to establish TCP connections. I've tried telnet from another machine and it reported "connected to ..." (but that was all). BSD/OS was totally dead, responding only to the reset switch.

The problem is in my opinion not that critical because every decent network should have IP spoofs filtered on the external router, so packets with identical source and destination should not reach any inside machine (not even the TCP layer on the external router).

> Windows 95 without Winsock2 and the VIP update IS vulnerable.

Yes.

> FreeBSD 2.2.5 IS reported as vulnerable.

Unfortunately yes.

Cheers,

--
Martin Machacek
[Internet CZ, Zirovnicka 6/3133, 106 00 Prague 10, Czech Republic]
[phone: +420 2 24245624 fax: +420 2 24316598]
[PGP KeyID 00F9E4BD]
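The ingress filter the message recommends, written out as an added Python example (not code from the message or from FreeBSD): it parses a raw IPv4/TCP header and drops packets whose source equals their destination, or whose source claims to be inside the protected prefix while arriving on the external interface. The internal prefix and the packet builder are assumptions for the demonstration.

```python
import ipaddress
import struct

# Assumed internal prefix behind the external router (documentation range).
INTERNAL_NET = ipaddress.ip_network("203.0.113.0/24")


def parse_ipv4(pkt: bytes) -> dict:
    """Parse the fixed 20-byte IPv4 header; for TCP also read the ports."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, _tlen, _id, _frag, _ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4  # header length in bytes (options included)
    info = {"proto": proto,
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst)}
    if proto == 6 and len(pkt) >= ihl + 4:  # TCP: ports are the first 4 bytes
        info["sport"], info["dport"] = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return info


def ingress_verdict(pkt: bytes) -> str:
    """Verdict for a packet arriving on the external interface: 'pass' or 'drop:<reason>'."""
    p = parse_ipv4(pkt)
    if p["src"] == p["dst"]:
        # The case described in the message: source and destination identical.
        return "drop:src-equals-dst"
    if p["src"] in INTERNAL_NET:
        # Anti-spoofing: nothing from outside may claim an inside source address.
        return "drop:spoofed-internal-source"
    return "pass"


def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int) -> bytes:
    """Constructed sample packet: minimal IPv4 + TCP SYN headers, checksums left zero."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0, 64, 6, 0,
                         ipaddress.ip_address(src).packed,
                         ipaddress.ip_address(dst).packed)
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)
    return ip_hdr + tcp_hdr


if __name__ == "__main__":
    print(ingress_verdict(build_ipv4_tcp("203.0.113.30", "203.0.113.30", 139, 139)))
    print(ingress_verdict(build_ipv4_tcp("198.51.100.7", "203.0.113.30", 1234, 23)))
```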