Re: remote memory reading through tcp/icmp

"Andrew Griffiths" <andrewg@tasmail.com> writes:

> Greets: (in no particular order)
> 
>         Marty (and others for their brilliant work with Snort)
>         Fyodor (for nmap)
>         LBNL Network Research Group
> 	zen-parse [4] and jaguar for looking over this and suggesting 
> 	improvements.
> 
> It is possible to read parts of a remote machine's memory. To be specific, 
> it would have to be memory recently freed/swapped to disk. Consider this 
> for example:

[...] Here is a patch for Linux 2.4 to fix the problem.

> 
> AFFECTED:
> 
> I assume it would be any OS that includes more than the IP addresses/ports.

It's only an implementation bug in Linux, likely not a generic problem.

-Andi

--- linux-work/net/ipv4/icmp.c-o	Tue Jan 15 11:05:17 2002
+++ linux-work/net/ipv4/icmp.c	Sun Jan 20 23:31:29 2002
@@ -495,7 +495,7 @@
 	icmp_param.data.icmph.checksum=0;
 	icmp_param.csum=0;
 	icmp_param.skb=skb_in;
-	icmp_param.offset=skb_in->nh.raw - skb_in->data;
+	icmp_param.offset=skb_in->data - skb_in->nh.raw;
 	icmp_out_count(icmp_param.data.icmph.type);
 	icmp_socket->sk->protinfo.af_inet.tos = tos;
 	ipc.addr = iph->saddr;
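
Review bot: At `icmp_param.offset=skb_in->data - skb_in->nh.raw;` the operands are swapped, but nothing in this hunk bounds the result before it is stored. Given that the report is about reading memory outside the packet, consider checking that the offset, together with the length later copied from it, stays inside `skb_in` before the reply is built. A one-line comment stating which pointer the offset is measured from would also make the intended sign explicit for the next reader.
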
--- linux-work/net/ipv6/icmp.c-o	Thu Sep 20 23:12:56 2001
+++ linux-work/net/ipv6/icmp.c	Sun Jan 20 23:40:03 2002
@@ -361,7 +361,7 @@
 	msg.icmph.icmp6_pointer = htonl(info);
 
 	msg.skb = skb;
-	msg.offset = skb->nh.raw - skb->data;
+	msg.offset = skb->data - skb->nh.raw; 
 	msg.csum = 0;
 	msg.daddr = &hdr->saddr;
 
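
Review bot: The added line `msg.offset = skb->data - skb->nh.raw; ` has a trailing space after the semicolon; please drop it. The same pointer-difference expression now appears in both net/ipv4/icmp.c and net/ipv6/icmp.c, so a small shared helper with a comment on the sign convention would keep the two paths from drifting apart.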