From owner-freebsd-security  Wed Jan 31 10:55:03 1996
Return-Path: owner-security
Received: (from root@localhost)
          by freefall.freebsd.org (8.7.3/8.7.3) id KAA29244
          for security-outgoing; Wed, 31 Jan 1996 10:55:03 -0800 (PST)
Received: from puli.cisco.com (puli.cisco.com [171.69.1.174])
          by freefall.freebsd.org (8.7.3/8.7.3) with SMTP id KAA29238
          Wed, 31 Jan 1996 10:55:01 -0800 (PST)
Received: from localhost.cisco.com (localhost.cisco.com [127.0.0.1]) by puli.cisco.com (8.6.8+c/8.6.5) with SMTP id KAA05100; Wed, 31 Jan 1996 10:54:27 -0800
Message-Id: <199601311854.KAA05100@puli.cisco.com>
To: security@freebsd.org, wollman@freebsd.org
Subject: [cisco.external.bugtraq] Re: BoS: bind() Security Problems
Date: Wed, 31 Jan 1996 10:54:27 -0800
From: Paul Traina <pst@cisco.com>
Sender: owner-security@freebsd.org
Precedence: bulk

Yuck, I hate to think of what we're going to break when we fix this, but
we should definitely fix this, otherwise users can hose NFS & friends.

Paul

p.s. I haven't looked at our code yet to verify this bug.

------- Forwarded Message

From: Bernd.Lehle@rus.uni-stuttgart.de (Bernd Lehle)
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@CRIMELAB.COM>
Newsgroups: cisco.external.bugtraq
Subject: Re: BoS: bind() Security Problems
Date: 31 Jan 1996 04:18:29 PST
Organization: Internet-USENET Gateway at cisco Systems
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

>
>
>               System Call: bind()
>   Affected Operating System: Linux, SunOS, FreeBSD, BSDI, Ultrix
>                            Probably others.
>               Requirement: account on system.
>       Security Compromise: Stealing packets from
>                            nfsd, yppasswd, ircd, etc.
>                   Credits: *Hobbit* <hobbit@avian.org>
>                            bitblt <bitblt@infosoc.com>
>                            Aleph One <aleph1@underground.org>
>                  Synopsis: bind() does not properly check
>                            to make sure there is not a socket
>                            already bound to INADDR_ANY on the same
>                            port when binding to a specific address.
>

IRIX 5.3 is vulnerable, too.

> Exploit:
[..]
> Run netcat:
>
> w00p% nc -v -v -u -s 192.88.209.5 -p 2049
> listening on [192.88.209.5] 2049 ...

To take a look at irc packets: nc -v -v -l -s Your.IP.Adress -p 6667

--
> Bernd Lehle - Stuttgart University Computer Center * A supercomputer <
>       Visualization / SFB 382 / Astrophysics       *  is a machine   <
> lehle@rus.uni-stuttgart.de   Tel:+49-711-685-5531  *  that runs an   <
>   http://www.tat.physik.uni-tuebingen.de/~lehle    *  endless loop   <
>  pgp? -> finger bernd@visbl.rus.uni-stuttgart.de   *  in 2 seconds   <

------- End of Forwarded Message