gabriel rosenkoetter on Thu, 30 Jan 2003 13:50:31 -0500
On Thu, Jan 30, 2003 at 11:57:05AM -0500, Jeff Abrahamson wrote:
> So I could listen to no ports whatsoever and be compromised? How
> would that work?

Even if you have no daemon listening, I can send packets (to *any* port) that your kernel's IP stack has to do *something* with. If my payload's right and your kernel version's right, I can win that fight with ease, and there's nothing any software running at user level can do about it. Even if you're running a local firewall on that system, you're still screwed.

This isn't the same as a DDoS (you're vulnerable to that dependent on the size of your pipe to the Internet and your upstream service provider's filtering; filtering packets at your firewall cannot help that situation if your bandwidth is saturated), it's a bug in kernel networking code that leads to a compromise, probably through a buffer overflow in that kernel's IP stack.

These bugs have been LONG fixed in the Linux networking code. That doesn't mean there aren't more we don't know about yet, but the ones we know about are certainly fixed in the latest rendition of 2.2 and above kernels.

I don't have a specific example handy and I'm at work right now without the time to do so, but I can probably go find one (plausibly just theoretical, not an actual exploit, since I don't know that any of the latter were ever released publicly) in the securityfocus.com archives, if you'd like me to.

I *know* that it is possible to do this to NeXTStep 3.x, and that there is no (nor will there ever be) a fix for that (NeXT Computer being out of business and all), as they use a flawed 4.2 BSD IP stack. I've seen it exploited. Which is why my NeXTs will never receive traffic from the outside world except through TCP connections they establish (until I get NetBSD running on them, I guess).

--
gabriel rosenkoetter
gr@eclipsed.net