Home page logo

bugtraq logo Bugtraq mailing list archives

Re: denial of service - inetd on solaris 2.4?
From: casper () holland Sun COM (Casper Dik)
Date: Fri, 24 May 1996 14:31:15 +0200

I discovered on our solaris 2.4 boxes, that if you telnet to
the discard port, then quit telnet (using control-right-bracket
and quit), you leave a single inetd running in an infinite
read loop. Do this twice, and you get two inetds running...

obviously you can quickly bog the machine down to a standstill..
This doesnt happen on solaris 2.5, so I guess it is some
inetd bug thats been fixed? anyone know a 2.4 patch for this?

Patches are:

    102922-03: SunOS 5.4: inetd fixes
    102923-03: SunOS 5.4_x86: inetd fixes

-01 of the above if fine too, -02 is not.

Version -03 was released in Sep '95, -01 some time before that.

Also: what I havent seen mentioned yet, the denial of service
attack is not just to bring down a box.. if one is employed on
Host A, which is trusted by Host B, then this allows
the network clear for the bad guy to impersonate Host A, (the
real Host A being effectively muzzled), thus get into
Host B.

The IP layer runs at kernel priority and does the 3-way handshake
regardless of user process stress, most of the time.  Connections
to the box will appear to be very slow, but that's because the daemons
will trake ages to start.

If I remember correctly, this was one of Mitnicks tricks
against Shimomuras collection of machines.

Actually, he filled the receive queue of a service with a lot of
embryonic connections so they came in "SYN_SENT" state.  That way
the target machine won't listen to further packets once the backlog
is overflown and won't send "RSTs" to bogus ACKs it receives.
Solaris 2.x will continue to send RSTs, even if the backlog is filled.
(And in 2.5+ the ISN is incremented with a random increment too)


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]