At 18:28 1/23/95, Jon E. Price wrote:
>CERT Advisory CA-95:01 states:
>"It is important to note that the described attack is possible even if no
>reply packets can reach the attacker."
>How can this be?
If you know (i.e., if you can predict) what the replies are going to be,
you don't need to see the replies. It all depends on what the goal of the
attack is. If it's to get data out (for instance, get an /etc/passwd file
out to run crack against), there are plenty of ways to do that indirectly
(for instance, issue a command that causes it to be mailed to you). If it's
to trash the system, a simple "rm -rf /" will suffice, regardless of whether
you can see the results or not. There are plenty of other ways to exploit
the ability to run commands, even blindly, to achieve various other attack
Brent Chapman | Great Circle Associates | Call or email for info about
COM | 1057 West Dana Street | upcoming Internet Security
+1 415 962 0841 | Mountain View, CA 94041 | Firewalls Tutorial dates