Re: panic on failed accept

Author: Niels Provos
Date:  
To: Nigel Metheringham
Subject: Re: panic on failed accept
On Thu, 16 Jan 1997, Nigel Metheringham wrote:
> I think this message (from the linux-security list regarding attacks on
> INETD) might be relevant to exim...
>
> The exploit was
>     send a TCP SYN to an inetd internal service port (ie daytime)
>     send a TCP RST (clearing the connection)
>     on the next connection to an inetd service, inetd dies!

Evil  - SYN     -> exim host
Evil <- SYN|ACK -  exim host
Evil  - RST     -> exim host


That is no problem at all since the three-way handshake was never
established. AFAIK the mail meant the following setup:
Evil  - SYN     -> exim host
Evil <- SYN|ACK -  exim host
Evil  - RST|ACK -> exim host


with the intention that the ACK will establish the connection and the
RST will tear it down at the same time.
I wrote a small program to test this against our AIX hosts running exim
and couldn't see any problems; at least exim wasn't crashing in any way or
producing panic logs. Though the Linux machine I was using crashed during
the tests, I at least got a tcpdump output with the exact handshake
sequence as shown above.
So my guess would be that the behavior depends very much on the TCP
implementation in the kernel.

Greetings
Niels Provos =8)

- PHYSnet Rechnerverbund     PGP V2.6 Public key via finger or key server
  Niels Provos               
  Universitaet Hamburg       WWW: http://www.physnet.uni-hamburg.de/provos/   
  Jungiusstrasse 9           E-Mail: provos@???
  Germany 20355 Hamburg      Tel.:   +49 40 4123-2504     Fax: -6571
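
Added example, not part of the original message and not code from exim or inetd: a daemon accept loop that survives the aborted connection discussed in this thread instead of exiting. It assumes the reset connection surfaces as an accept() error such as ECONNABORTED, which POSIX allows; the names `accept_action`, `classify_accept_errno` and `accept_resilient` are hypothetical.

```c
#include <errno.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical names for this example; not taken from exim or inetd. */
enum accept_action { ACCEPT_RETRY, ACCEPT_BACKOFF, ACCEPT_FATAL };

/* Map an errno from accept() to what the daemon should do next. */
enum accept_action classify_accept_errno(int err)
{
    switch (err) {
    case ECONNABORTED:   /* connection was reset while waiting in the queue */
    case EINTR:          /* interrupted by a signal */
    case EAGAIN:         /* non-blocking listener, nothing left to accept */
    case EPROTO:         /* pending network errors that Linux reports */
    case ENETDOWN:       /* through accept() for the new socket */
    case ENETUNREACH:
    case EHOSTUNREACH:
        return ACCEPT_RETRY;
    case EMFILE: case ENFILE: case ENOBUFS: case ENOMEM:
        return ACCEPT_BACKOFF;   /* resource exhaustion: wait, then retry */
    default:
        return ACCEPT_FATAL;     /* EBADF, EINVAL, ENOTSOCK: listener is broken */
    }
}

/* Accept one connection, skipping aborted ones instead of exiting.
 * Returns the new descriptor, or -1 with errno set when the error is
 * fatal or max_tries attempts have all failed. */
int accept_resilient(int listen_fd, int max_tries)
{
    for (int i = 0; i < max_tries; i++) {
        int fd = accept(listen_fd, NULL, NULL);
        if (fd >= 0)
            return fd;
        switch (classify_accept_errno(errno)) {
        case ACCEPT_RETRY:   continue;
        case ACCEPT_BACKOFF: sleep(1); continue;
        case ACCEPT_FATAL:   return -1;
        }
    }
    errno = EAGAIN;
    return -1;
}
```

Only the fatal class should reach a panic log or terminate the listener; the retry class is normal on any host reachable from untrusted networks.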