Home page logo

bugtraq logo Bugtraq mailing list archives

Re: portmap 4.0-8 DoS
From: peter () ATTIC VUURWERK NL (Peter van Dijk)
Date: Tue, 7 Apr 1998 22:17:58 +0200

On Wed, 1 Apr 1998, Michal Zalewski wrote:

It's possible to perform DoS attack by sending small amount of junk to
tcp port 111 of machine running portmap 4.0 (and older). Simple exploit
follows (only to send a few random 8-bit chars):

  telnet -E victim.com 111 </dev/random

It will affect specific operations/services on attacked host, like login -
depending on system speed, login attempt on idle machine (LA=0.01, Linux
2.0.x, x86) will take from over 10 seconds (k6/200MHz) to long minutes
(486dx/80MHz). During attack, many select() calls will fail (timeout),
so complex programs will become much slower (especially when resolving
domain names :), but LA will not change significally.

Smarter attacks (without /dev/random) are probably much more effective.

This is the very same bug I already reported as 'easy DoS in most RPC
apps'. rpc.portmap is one I forgot to check ;)
This bug is in (g)libc, I've been discussing it with some rpc developers,
they don't see any simple solution...

Greetz, Peter.

 'Selfishness and separation have led me to   .      Peter 'Hardbeat' van Dijk
  to believe that the world is not my problem .    network security consultant
  I am the world. And you are the world.'     .               (yeah, right...)
          Live - 10.000 years (peace is now)  .        peter () attic vuurwerk nl
 10:16pm  up 13 days, 19:56,  3 users,  load average: 1.02, 0.52, 0.20

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]