[Penguin @ My - Linux ([EMAIL PROTECTED])]

---------- Forwarded message ----------
Date: Wed, 22 Sep 1999 11:56:40 -0700
From: David Brumley <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: solaris DoS

Hi,

A while ago I noticed nmap V 2.08 with OS fingerprinting (the -O option) could cause a Solaris kernel panic. The trick is this:

Select an active port to do an OS fingerprint. Kill the server after doing a fingerprint. Solaris will kernel panic.

It doesn't matter what server you choose or whether or not it's on a privileged port. However, it must be TCP.

The attack is troublesome because of the time differential between the fingerprint and the kernel panic. You probably won't think twice about the scan when the server dies and causes the panic.

Tested on Solaris 2.6 using a simple listen/accept server, as well as with sendmail 8.9.3.

I worked with Sun a while ago on this problem, and they have released patch 105529-07 (for sparc) and 105530 (for x86). According to the patch readme, the problem is with a recursive mutex_enter on the TCP streams driver.

If you use nmap to scan your own network, use the -sT option to do vanilla connect()s so you don't kill your own servers :)

cheers,
david

#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#
David Brumley - Stanford Computer Security - [EMAIL PROTECTED]
Phone: +1-650-723-2445    WWW: http://www.stanford.edu/~dbrumley
Fax:   +1-650-725-9121    PGP: finger [EMAIL PROTECTED]
#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#

c:\winnt> secure_nt.exe
Securing NT. Insert Linux boot disk to continue......

"I have opinions, my employer does not."
