Bugtraq: Re: easy DoS in most RPC apps

[trost () CLOUD RAIN COM (Bill Trost)]

Peter van Dijk writes:
    Update: I tested the same trick on two NeXT Mach's. The portmapper is
    vulnerable there, as are possibly other services. NFS is not (not
    directly, a non-working portmapper does have it's effect) because it only
    uses UDP.

NFS might have problems on a server that also supports NFS over TCP.

FreeBSD-current seems to have the problem, too (tested against both
amd and portmapper).  The amd one is sort of amusing, as it means that
accesses via it will *hang* so long as the attack is in progress.

I also tried it against the portmapper on SunOS 4.1.3, with similar results.

I also wonder what the effect of this attack could be if combined with
T/TCP and multicast....

I have reported the bug to the FreeBSD folks.

    > On Sat, 28 Mar 1998, Peter van Dijk wrote:
    > > If you connect (using telnet, netcat, anything) to a TCP port assigned to
    > > some RPC protocol (tested with rpc.nfsd/mountd/portmap on Slackware
    > > 3.4/Kernel 2.0.33) and send some 'garbage' (like a newline ;) every 5
    > > seconds or faster, the service will completely stop responding.