From owner-freebsd-security Thu Jan 20 17: 1:15 2000
Delivered-To: freebsd-security@freebsd.org
Received: from lariat.lariat.org (lariat.lariat.org [206.100.185.2])
	by hub.freebsd.org (Postfix) with ESMTP
	id 1E6871540A; Thu, 20 Jan 2000 17:00:55 -0800 (PST)
	(envelope-from brett@lariat.org)
Received: from workhorse (IDENT:ppp0.lariat.org@lariat.lariat.org [206.100.185.2])
	by lariat.lariat.org (8.9.3/8.9.3) with ESMTP id SAA11640;
	Thu, 20 Jan 2000 18:00:35 -0700 (MST)
Message-Id: <4.2.2.20000120175659.0167ce60@localhost>
X-Sender: brett@localhost
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.2
Date: Thu, 20 Jan 2000 18:00:33 -0700
To: Warner Losh
From: Brett Glass
Subject: Re: bugtraq posts: stream.c - new FreeBSD exploit?
Cc: jamiE rishaw - master e*tard, Tom, Mike Tancsa, freebsd-security@FreeBSD.ORG, freebsd-stable@FreeBSD.ORG, security-officer@FreeBSD.ORG
In-Reply-To: <4.2.2.20000120173540.01a26100@localhost>
References: <200001210034.RAA06762@harmony.village.org> <4.2.2.20000120172607.0198f1e0@localhost> <3.0.5.32.20000120152818.01d7fa40@staff.sentex.ca>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Oops.... I've answered my own question. IPFW's "established" keyword only checks the RST or ACK bits; it can't tell if a session is REALLY established or not. Only a firewall that can save state (such as IPFilters), or the kernel itself, can do this.

It'd be neat if we could use IPFilters to do a temporary fix for this, because it'd nuke the problem on several OSes at once -- including all of the BSDs. (They all just happen to come with IPFilters out of the box now.)

This way, when the skript kiddies reading Bugtraq start trying this, there will be an immediate defense.

--Brett
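Added example, not part of the message above and not code from IPFW or IPFilter: it contrasts the flag-only "established" test the message describes with a check that keeps per-flow state. The `seg` struct, the toy state table, and the names `stateless_established` and `stateful_check` are assumptions made for illustration; the table has no timeouts or teardown.

```c
#include <stdint.h>
#include <stdio.h>

#define TH_SYN 0x02
#define TH_RST 0x04
#define TH_ACK 0x10

/* Constructed summary of a TCP segment: addresses, ports, flag byte. */
struct seg { uint32_t src, dst; uint16_t sport, dport; uint8_t flags; };

/* Stateless test as the message describes it: passes if RST or ACK is set. */
int stateless_established(const struct seg *s) {
    return (s->flags & (TH_RST | TH_ACK)) != 0;
}

/* Hypothetical toy state table; not IPFilter's or the kernel's code. */
enum { SYN_SEEN = 1, SYNACK_SEEN, ESTABLISHED, MAX_FLOWS = 64 };
struct flow { struct seg key; int state; };
static struct flow table[MAX_FLOWS];
static int nflows;

/* Finds the flow; *dir is +1 for initiator-to-responder, -1 for the reverse. */
static struct flow *lookup(const struct seg *s, int *dir) {
    for (int i = 0; i < nflows; i++) {
        const struct seg *k = &table[i].key;
        if (k->src == s->src && k->dst == s->dst &&
            k->sport == s->sport && k->dport == s->dport) { *dir = 1; return &table[i]; }
        if (k->src == s->dst && k->dst == s->src &&
            k->sport == s->dport && k->dport == s->sport) { *dir = -1; return &table[i]; }
    }
    return NULL;
}

/* Returns 1 to pass, 0 to drop; only a bare SYN may create a flow. */
int stateful_check(const struct seg *s) {
    int dir = 0, hs = s->flags & (TH_SYN | TH_ACK);
    struct flow *f = lookup(s, &dir);
    if (!f) {
        if ((s->flags & (TH_SYN | TH_ACK | TH_RST)) != TH_SYN || nflows == MAX_FLOWS) return 0;
        table[nflows].key = *s;
        table[nflows++].state = SYN_SEEN;
        return 1;
    }
    if (f->state == SYN_SEEN && dir < 0 && hs == (TH_SYN | TH_ACK)) { f->state = SYNACK_SEEN; return 1; }
    if (f->state == SYNACK_SEEN && dir > 0 && hs == TH_ACK) { f->state = ESTABLISHED; return 1; }
    return f->state == ESTABLISHED;
}

int main(void) {
    struct seg stray = { 0x0a000001, 0x0a000002, 40000, 80, TH_ACK }; /* constructed */
    printf("stateless=%d stateful=%d\n", stateless_established(&stray), stateful_check(&stray));
    return 0;
}
```

A bare ACK with no preceding handshake satisfies the flag-only test but is dropped by the state table, which is the distinction the message draws.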