From: "Louis A. Mamakos"
To: Graham Wheeler
Cc: hackers@FreeBSD.ORG
Subject: Re: Determining traffic on a socket - solution and security question
Date: Wed, 12 Apr 2000 14:42:33 -0400

These approaches work well, so long as the 32-bit sequence space doesn't
wrap. At 100Mb/s, this wraps in about 6 minutes. Sure, most connections
don't carry more than 4GB of data but you might be interested in the ones
that do.

This also is a problem for the counters in struct if_data that are of type
u_long and are going to wrap way too quickly on busy high-speed network
interfaces.

louie

gram@cequrux.com said:
> I have attached my final program which works on both FreeBSD 2.x and
> FreeBSD 3.x (I don't have a FreeBSD 4.x box to test this on yet).
> On FreeBSD 2.x one must be root to run this (to read /dev/kmem), but
> on FreeBSD 3.x any user can run this.
> I would argue that this is a potential security vulnerability. Some
> clever user may be able to exploit this for some protocols to
> determine the lengths of usernames and passwords (admittedly this is
> unlikely to work with telnet unless in line mode). The sysctl calls
> that extract things like TCP control blocks should require privileged
> access (although the downside of this is that programs like netstat
> would have to be setuid).
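
Added example, not part of the original message or of the attached program: one way to keep a per-socket byte count correct across the 32-bit sequence wrap described above is to sample the sequence number periodically and accumulate modulo-2^32 deltas into a 64-bit total. The names seq_acc, seq_acc_update, seq_wrap_seconds and naive_bytes are hypothetical and the sample values are constructed; the method assumes fewer than 2^32 bytes pass between two consecutive samples.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical accumulator: widens 32-bit sequence samples to 64 bits. */
struct seq_acc {
    uint32_t last;    /* most recent sampled sequence number */
    uint64_t total;   /* bytes counted since the first sample */
    int      primed;  /* 0 until the first sample has been taken */
};

/* Add the bytes sent since the previous sample. Unsigned subtraction is
 * modulo 2^32, so the delta is right even when seq has wrapped past 0,
 * provided fewer than 2^32 bytes moved between the two samples. */
static void seq_acc_update(struct seq_acc *a, uint32_t seq)
{
    if (a->primed)
        a->total += (uint32_t)(seq - a->last);
    a->last = seq;
    a->primed = 1;
}

/* Seconds for 2^32 bytes to pass at a given line rate; sampling must be
 * more frequent than this for the accumulator to stay correct. */
static double seq_wrap_seconds(double bits_per_sec)
{
    return 4294967296.0 * 8.0 / bits_per_sec;
}

/* The wrap-unsafe approach: current minus initial in 32 bits only. */
static uint32_t naive_bytes(uint32_t initial, uint32_t current)
{
    return current - initial;
}

/* Constructed samples: the sequence number wraps once between them. */
static const uint32_t SAMPLES[] =
    { 0xF0000000u, 0x70000000u, 0xF0000000u, 0x10000000u };

static uint64_t demo_total(void)
{
    struct seq_acc a = { 0, 0, 0 };
    for (size_t i = 0; i < sizeof SAMPLES / sizeof SAMPLES[0]; i++)
        seq_acc_update(&a, SAMPLES[i]);
    return a.total;
}

int main(void)
{
    printf("wrap at 100Mb/s: %.1f s\n", seq_wrap_seconds(100e6));
    printf("naive: %u bytes\n", (unsigned)naive_bytes(SAMPLES[0], SAMPLES[3]));
    printf("accumulated: %llu bytes\n", (unsigned long long)demo_total());
    return 0;
}
```

The same accumulator applies to the u_long interface counters mentioned above, with the sampling interval chosen from seq_wrap_seconds for the interface speed.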