>And then we modify nmap(1) (Around line 687) so it only transmits the
>first fragment out of a fragmented scan. This will elicit an ICMP TTL
>Exceeded message. Due to Linux including a lot more of the packet than most
>other OSes, we have around 20 bytes to read. From memory, Solaris includes
>a little bit extra on ICMP messages.

I don't believe Solaris is vulnerable to this attack; while it does return
some bytes from the packet that caused an ICMP message, it does so by
prepending an ICMP header and truncating the packet if it is longer than the
(configurable) number of bytes it wants to send back. It returns the same
STREAMS message buffer, which does not contain holes or uninitialized data.

(A quick check is to reboot your Solaris system with "set kmem_flags = 0xf"
in /etc/system; this enables the kernel memory debugger and causes all
uninitialized data to read as 0xbaddcafe; if it reads from previously freed
memory you'll find 0xdeadbeef; if you read from a buffer's redzone you'll get
0xfeedface. A packet returning bad data would most likely contain 0xbaddcafe.)

Casper
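The check described in the thread, as an added example that is not code from
the thread, from nmap, or from Solaris: the script below parses an ICMP Time
Exceeded reply (type 11; code 1 is the fragment-reassembly timeout a lone
first fragment provokes), measures how many quoted bytes go beyond the RFC 792
minimum of inner IP header plus 8 bytes and beyond the original datagram's own
length, and searches the quoted bytes for the kmem_flags fill patterns
0xbaddcafe, 0xdeadbeef and 0xfeedface. The probe fragment, the 10.0.0.x
addresses, the 64-byte quote length and the "leaky" reply builder are all
constructed here for the demonstration, not captured from a real host.

```python
"""Inspect ICMP Time Exceeded replies for leaked kernel memory.

Added example for the discussion above; the packets are constructed inline.
"""
import struct

# kmem_flags=0xf fill patterns named in the reply above.
KMEM_PATTERNS = {
    0xBADDCAFE: "uninitialized (never written) memory",
    0xDEADBEEF: "freed memory",
    0xFEEDFACE: "buffer redzone",
}


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum (0 when verifying a valid packet)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(pkt: bytes):
    """Return (header_len, proto, total_len, payload) of an IPv4 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (pkt[0] & 0x0F) * 4
    total_len, = struct.unpack("!H", pkt[2:4])
    return ihl, pkt[9], total_len, pkt[ihl:total_len]


def analyze_time_exceeded(pkt: bytes) -> dict:
    """Report how much of the original datagram an ICMP Time Exceeded reply
    quoted back, and whether the quote contains kernel-debug fill patterns."""
    _, proto, _, icmp = parse_ipv4(pkt)
    if proto != 1 or len(icmp) < 8 or icmp[0] != 11:
        raise ValueError("not an ICMP Time Exceeded message")
    if inet_checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    code = icmp[1]                 # 0: TTL exceeded in transit, 1: reassembly timeout
    quoted = icmp[8:]              # inner IP header + start of original datagram
    inner_ihl, _, inner_len, _ = parse_ipv4(quoted)
    rfc792_quote = inner_ihl + 8   # what every stack must echo at minimum
    hits = []
    # Scan every offset in both byte orders: Solaris/SPARC is big-endian, but
    # the same check should work on a little-endian capture of another stack.
    for off in range(0, len(quoted) - 3):
        be, = struct.unpack("!I", quoted[off:off + 4])
        le, = struct.unpack("<I", quoted[off:off + 4])
        for word in (be, le):
            if word in KMEM_PATTERNS:
                hits.append((off, KMEM_PATTERNS[word]))
                break
    return {
        "code": code,
        "quoted_len": len(quoted),
        "extra_beyond_rfc792": max(0, len(quoted) - rfc792_quote),
        "beyond_datagram": max(0, len(quoted) - inner_len),  # cannot be probe data
        "kmem_hits": hits,
    }


def make_first_fragment() -> bytes:
    """Constructed first fragment (MF set, offset 0) carrying 16 bytes of a TCP
    SYN, standing in for the fragmented nmap probe."""
    tcp = struct.pack("!HHIIHH", 40000, 80, 1, 0, 0x5002, 0xFFFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0xBEEF, 0x2000,
                      64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + tcp


def build_time_exceeded(code: int, inner: bytes, quote_len: int,
                        fill: bytes = b"\x00") -> bytes:
    """Constructed Time Exceeded reply quoting `quote_len` bytes of `inner`.
    A stack that copies a fixed length pads the quote with whatever follows
    the datagram in memory; `fill` stands in for that memory."""
    quoted = inner[:quote_len]
    if len(quoted) < quote_len:
        quoted += (fill * quote_len)[: quote_len - len(quoted)]
    icmp = struct.pack("!BBHI", 11, code, 0, 0) + quoted
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0x1234, 0,
                     64, 1, 0, bytes([10, 0, 0, 2]), bytes([10, 0, 0, 1]))
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + icmp


if __name__ == "__main__":
    probe = make_first_fragment()
    # Stack that truncates the quote to the datagram it actually received.
    print("truncating stack:", analyze_time_exceeded(build_time_exceeded(1, probe, len(probe))))
    # Stack that copies a fixed 64 bytes out of an mbuf filled with 0xbaddcafe.
    leaky = build_time_exceeded(1, probe, 64, bytes.fromhex("baddcafe"))
    print("leaky stack:", analyze_time_exceeded(leaky))
```

Run against a real capture, the two numbers to look at are `beyond_datagram`
(bytes that cannot have come from the probe at all) and `kmem_hits`; with
kmem_flags set as Casper describes, a leaking stack shows up as a run of
0xbaddcafe words starting right where the datagram ends.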