On Wed, Dec 15, 2004 at 01:34:33PM +0100, Paul Starzetz wrote: > On Tue, 14 Dec 2004, stephen joseph butler wrote: > > > > /proc/net/igmp > > > /proc/net/mcfilter > > > > > > if both exist and are non-empty you are vulnerable! > > > > Just to be clear: if "mcfilter" is empty, then you aren't vulnerable? > > I have both files, and "igmp" contains data, but "mcfilter" is empty. > > You are not vulnerable to the remote attack described under (3), however > your kernel may be still buggy. Note that you need a running process that > has manipulated its multicast socket filters. If your kernel is buggy and > you have local users such an application can always appear, at a time you > don't expect it. This afternoon I tried the exploit on my machine, which has exactly those symptoms (data in igmp, mcfilter empty). It froze solid, hard power-cycle required. -- Matthew
