[<prev] [next>] [day] [month] [year] [list]
From: memetic-engineer at australia.edu (memetic-engineer@...tralia.edu)
Subject: remote kernel exploits?
>- - Given the skill required to craft such an exploit, I'd think it
>would be way out of the grasp of the kids. Since no researcher has
>come forth with such a vulnerability, it's logical to conclude that
>this does not exist.
>The bugs are said to have something to do with integer manipulation in
>the kernels' TCP/IP stacks. That's all he was able to offer me, but was
>very forward in saying that he has full confidence based on
>conversations with others that these bugs do indeed exist.
I would hope so. Unsigned integer manipulation | TCP/IP steganography is not
a new idea. Does this look familiar?
#phrend 1
18:50:29.071117 ryan.blueboar.com.7350 > poor.theo.com.www: S
1207959552:1207959552(0)
win 512 (ttl 64, id 49408)
Decoding:... S 1207959552/16777216 [ASCII: 72(H)]
#phrend 2
18:50:30.071117 ryan.blueboar.com.7351 > poor.theo.com.www: S
1157627904:1157627904(0)
win 512 (ttl 64, id 47616)
Decoding:... S 1157627904/16777216 [ASCII: 69(E)]
#phrend 3
18:50:31.071117 ryan.blueboar.com.7353 > poor.theo.com.www: S
1275068416:1275068416(0)
win 512 (ttl 64, id 41984)
Decoding:... S 1275068416/16777216 [ASCII: 76(L)]
#phrend 4
18:50:32.071117 ryan.blueboar.com.7354 > poor.theo.com.www: S
1275068416:1275068416(0)
win 512 (ttl 64, id 7936)
Decoding:... S 1275068416/16777216 [ASCII: 76(L)]
#phrend 5
18:50:33.071117 ryan.blueboar.com.7355 > poor.theo.com.www: S
1325400064:1325400064(0)
win 512 (ttl 64, id 3072)
Decoding:... S 1325400064/16777216 [ASCII: 79(O)]
#phrend 6
18:50:34.071117 ryan.blueboar.com.7356 > poor.theo.com.www: S
167772160:167772160(0)
win 512 (ttl 64, id 54528)
Decoding:... S 167772160/16777216 [ASCII: 10(Carriage Return)]
4,294,967,296 numbers can be stored in a 32 bit address space. sequence number
is a nice place to hide data.
Im sure some clever katz have made improvements on this and other techniques.
Who knows though. I could be way off base.
This message was sent from http://australia.edu
Check out the new international site at http://australia.edu/international
Powered by blists - more mailing lists