On Thu, 16 Jan 1997, Nigel Metheringham wrote:
> I think this message (from the linux-security list regarding attacks on
> INETD) might be relevant to exim...
>
> The exploit was
> send a TCP SYN to an inetd internal service port (i.e. daytime)
> send a TCP RST (clearing the connection)
> on the next connection to an inetd service, inetd dies!
Evil - SYN -> exim host
Evil <- SYN|ACK - exim host
Evil - RST -> exim host
That is no problem at all since the three-way handshake was never
established. AFAIK the mail meant the following setup:
Evil - SYN -> exim host
Evil <- SYN|ACK - exim host
Evil - RST|ACK -> exim host
with the intention that the ACK will establish the connection and the
RST will tear it down at the same time.
I wrote a small program to test this against our AIX hosts running exim
and couldn't see any problems; at least exim wasn't crashing in any way or
producing panic logs. Though the Linux machine I was using crashed during
the tests, I at least got a tcpdump output with the exact handshake
sequence as shown above.
So my guess would be the behaviour depends very much on the TCP
implementation in the kernel.
Greetings
Niels Provos =8)
- PHYSnet Rechnerverbund PGP V2.6 Public key via finger or key server
Niels Provos
Universitaet Hamburg WWW: http://www.physnet.uni-hamburg.de/provos/
Jungiusstrasse 9 E-Mail: provos@???
Germany 20355 Hamburg Tel.: +49 40 4123-2504 Fax: -6571
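The two exchanges in the message above, modelled as an added example (not code from the thread or from exim): a toy state machine for the passive side of the TCP handshake following the check order of RFC 793 section 3.9, with a hypothetical "ACK before RST" variant to show why a RST|ACK segment may or may not hand a connection to the application depending on the kernel's TCP implementation. Sequence-number validation is deliberately omitted.

```python
# Added example: minimal model of a LISTEN socket's state transitions
# (LISTEN -> SYN-RECEIVED -> ESTABLISHED) driven by incoming flag words.
# It is a teaching toy, not a TCP stack; sequence numbers are ignored
# (real stacks also validate the RST's sequence number, see RFC 5961).

SYN, RST, ACK = 0x02, 0x04, 0x10   # flag bits as laid out in the TCP header


def passive_side(segments, rfc_order=True):
    """Run the server-side model over a list of incoming flag words.

    rfc_order=True follows RFC 793 3.9 "SEGMENT ARRIVES": in SYN-RECEIVED
    the RST bit is examined before the ACK bit, so RST|ACK aborts the
    embryonic connection and accept() never returns for it.
    rfc_order=False is a hypothetical stack that honours the ACK first,
    reaches ESTABLISHED, lets accept() return, and only then processes the
    RST, leaving the application holding an already-reset socket.
    Returns (final_state, list_of_events).
    """
    state, events = "LISTEN", []
    for flags in segments:
        if state == "LISTEN":
            if flags & RST:
                continue                       # RST to a LISTEN socket is dropped
            if flags & ACK:
                events.append("send RST")      # stray ACK gets a reset
                continue
            if flags & SYN:
                events.append("send SYN|ACK")
                state = "SYN-RECEIVED"
        elif state == "SYN-RECEIVED":
            if rfc_order and flags & RST:
                events.append("abort, back to LISTEN")
                state = "LISTEN"
                continue
            if flags & ACK:
                events.append("ESTABLISHED, accept() returns")
                state = "ESTABLISHED"
            if flags & RST:                    # only reached in the ACK-first model
                if state == "ESTABLISHED":
                    events.append("connection reset, CLOSED")
                    state = "CLOSED"
                else:
                    events.append("abort, back to LISTEN")
                    state = "LISTEN"
        elif state == "ESTABLISHED" and flags & RST:
            events.append("connection reset, CLOSED")
            state = "CLOSED"
    return state, events
```

Running `passive_side([SYN, RST])` and `passive_side([SYN, RST | ACK])` reproduces the two sequences from the message; only the hypothetical ACK-first variant ever reports an ESTABLISHED connection.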