From owner-freebsd-security Mon Apr 19 11:42:14 1999
Delivered-To: freebsd-security@freebsd.org
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id 32E7B14F47 for ; Mon, 19 Apr 1999 11:42:06 -0700 (PDT) (envelope-from robert@cyrus.watson.org)
Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.8.8/8.8.8) with SMTP id OAA15783; Mon, 19 Apr 1999 14:35:25 -0400 (EDT) (envelope-from robert@cyrus.watson.org)
Date: Mon, 19 Apr 1999 14:35:24 -0400 (EDT)
From: Robert Watson
X-Sender: robert@fledge.watson.org
Reply-To: Robert Watson
To: Poul-Henning Kamp
Cc: Paul Hart, Chris, security@FreeBSD.ORG
Subject: Re: poink and freebsd
In-Reply-To: <19223.924546292@critter.freebsd.dk>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, 19 Apr 1999, Poul-Henning Kamp wrote:

> In message , Paul Hart writes:
> >On Mon, 19 Apr 1999, Chris wrote:
> >
> >> I'd rather not post the source to the list, since this is how exploits
> >> get distributed, and bad things occur.
> >
> >Well, so much for the full-disclosure so many of us value. Is this the
> >same "poink" that was recently posted to Bugtraq?
>
> It sounds like, which means you have to be on same ethernet and what it
> does is make it look like another machine is configured with same IP.
>
> Not a big threat for most people.

His report suggests it does nasty things to -STABLE and -CURRENT, although off hand my response on seeing the bugtraq posting was exactly the same: arp is arp is arp is not so very evil. However, I have not tested it, and we've had one positive report of pain resulting from poink. I did not realize it was the same poink as the bugtraq one, as I had already dismissed it as "unlikely".
The threat that did come to mind is the kernel message thing: syslogd appears to fsync the log after each message coming from the kernel. If someone can generate sufficient log messages, they can seriously consume disk i/o bandwidth. I discovered this the hard way when I stuck a bit too much debugging code into my tokens module. :) Now I just kill syslogd before doing anything resulting in a lot of kernel output.

Since arp announcements do come from the kernel, I suspect lots could cause pain. But I would hope it wouldn't crash the machine.

Anyhow, my crash boxes are all tied up right now (being crashed by other code, that is) so maybe someone out there could verify this?

Robert N Watson

robert@fledge.watson.org              http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37  ED 5F 55 E9 58 04 6A B1
Carnegie Mellon University            http://www.cmu.edu/
TIS Labs at Network Associates, Inc.  http://www.tis.com/
Safeport Network Services             http://www.safeport.com/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
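The kernel-message concern raised in the reply above (every kernel line handed to syslogd costs a synchronous write, so a burst of duplicate-IP ARP warnings is also a burst of disk I/O) can be checked from the log itself. The script below is an added example written for this archive page; it is not code from the thread or from FreeBSD. It counts the kernel's "is using my IP address" warnings per second from a constructed syslog excerpt (hostname, addresses and timestamps are invented), flags seconds where the rate crosses a threshold, and tallies which address is doing the claiming. The exact wording of the kernel warning is an assumption; compare it against /var/log/messages on the release you run.

```python
"""Count duplicate-IP ARP warnings per second in a syslog excerpt.

Each kernel-originated line that reaches syslogd is followed by an fsync
(as described in the message above), so the per-second count of these
warnings is also a lower bound on the synchronous writes they cause.
"""
import re
from collections import Counter

# Constructed sample log: hostname, addresses and times are invented.
SAMPLE_LOG = """\
Apr 19 14:29:58 testhost sshd[412]: Accepted password for alice from 192.0.2.9 port 1023
Apr 19 14:30:00 testhost /kernel: fxp0: link state changed to UP
Apr 19 14:30:01 testhost /kernel: arp: 192.0.2.77 is using my IP address 192.0.2.10!
Apr 19 14:30:01 testhost /kernel: arp: 192.0.2.77 is using my IP address 192.0.2.10!
Apr 19 14:30:01 testhost /kernel: arp: 192.0.2.77 is using my IP address 192.0.2.10!
Apr 19 14:30:01 testhost /kernel: arp: 192.0.2.77 is using my IP address 192.0.2.10!
Apr 19 14:30:01 testhost /kernel: arp: 192.0.2.77 is using my IP address 192.0.2.10!
Apr 19 14:30:01 testhost /kernel: arp: 192.0.2.77 is using my IP address 192.0.2.10!
Apr 19 14:30:01 testhost /kernel: arp: 192.0.2.77 is using my IP address 192.0.2.10!
Apr 19 14:30:01 testhost /kernel: arp: 192.0.2.77 is using my IP address 192.0.2.10!
Apr 19 14:30:05 testhost /kernel: arp: 192.0.2.88 is using my IP address 192.0.2.10!
"""

# Classic BSD syslog line: "Mon DD HH:MM:SS host program: message"
SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[^:\s]+): (?P<msg>.*)$"
)
# Assumed shape of the kernel's duplicate-address warning; verify locally.
ARP_DUP_RE = re.compile(
    r"^arp: (?P<claimant>\d{1,3}(?:\.\d{1,3}){3}) is using my IP address "
    r"(?P<mine>\d{1,3}(?:\.\d{1,3}){3})!"
)


def parse_syslog(text):
    """Return one dict per well-formed syslog line; skip anything else."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        h, mi, s = (int(x) for x in m["time"].split(":"))
        events.append({
            "second": h * 3600 + mi * 60 + s,  # seconds since midnight
            "host": m["host"],
            "prog": m["prog"],
            "msg": m["msg"],
        })
    return events


def kernel_events(events):
    """Lines syslogd received from the kernel (each one is fsync'd)."""
    return [e for e in events if e["prog"] == "/kernel"]


def arp_conflicts(events):
    """Duplicate-IP warnings: when, who is claiming, and which of our addresses."""
    out = []
    for e in kernel_events(events):
        m = ARP_DUP_RE.match(e["msg"])
        if m:
            out.append({"second": e["second"],
                        "claimant": m["claimant"], "mine": m["mine"]})
    return out


def flood_windows(conflicts, window_seconds=1, threshold=5):
    """(window_start_second, count) for windows with >= threshold warnings."""
    counts = Counter((c["second"] // window_seconds) * window_seconds
                     for c in conflicts)
    return sorted((start, n) for start, n in counts.items() if n >= threshold)


def claimants(conflicts):
    """How many warnings each claiming address produced."""
    return Counter(c["claimant"] for c in conflicts)


if __name__ == "__main__":
    ev = parse_syslog(SAMPLE_LOG)
    conf = arp_conflicts(ev)
    print(f"{len(kernel_events(ev))} kernel lines, {len(conf)} duplicate-IP warnings")
    for start, n in flood_windows(conf):
        hh, mm, ss = start // 3600, start % 3600 // 60, start % 60
        print(f"{n} warnings in the second starting {hh:02d}:{mm:02d}:{ss:02d}")
    print("claimants:", dict(claimants(conf)))
```

On the sample, eight warnings land in one second, which is the kind of burst the message describes; the claimant tally tells you which address on the segment to go and find. The threshold and window are tuning knobs, not magic numbers.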