Bugtraq mailing list archives
Re: portmap 4.0-8 DoS
From: peter () ATTIC VUURWERK NL (Peter van Dijk)
Date: Tue, 7 Apr 1998 22:17:58 +0200
On Wed, 1 Apr 1998, Michal Zalewski wrote:
> It's possible to perform a DoS attack by sending a small amount of junk to tcp port 111 of a machine running portmap 4.0 (and older). Simple exploit follows (only to send a few random 8-bit chars):
>
>   telnet -E victim.com 111 </dev/random
>
> It will affect specific operations/services on the attacked host, like login - depending on system speed, a login attempt on an idle machine (LA=0.01, Linux 2.0.x, x86) will take from over 10 seconds (k6/200MHz) to long minutes (486dx/80MHz). During the attack, many select() calls will fail (timeout), so complex programs will become much slower (especially when resolving domain names :), but LA will not change significantly. Smarter attacks (without /dev/random) are probably much more effective.
This is the very same bug I already reported as 'easy DoS in most RPC apps'. rpc.portmap is one I forgot to check ;) This bug is in (g)libc; I've been discussing it with some rpc developers, and they don't see any simple solution...

Greetz, Peter.

------------------------------------------------------------------------------
'Selfishness and separation have led me      . Peter 'Hardbeat' van Dijk
 to believe that the world is not my problem . network security consultant
 I am the world. And you are the world.'     . (yeah, right...)
 Live - 10.000 years (peace is now)          . peter () attic vuurwerk nl
------------------------------------------------------------------------------
 10:16pm up 13 days, 19:56, 3 users, load average: 1.02, 0.52, 0.20
------------------------------------------------------------------------------
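The quoted report says the trigger is a few random bytes on TCP port 111, and the reply places the bug in the libc RPC code without detailing it. What a defender can act on is that a legitimate portmapper client's first bytes on a TCP connection always form a well-defined structure: a 4-byte record mark (RFC 1831 record marking, high bit = last fragment, low 31 bits = fragment length) followed by an RPC CALL header (xid, msg_type 0, rpcvers 2, program, version, procedure, then credentials and verifier). The following added example, which is not part of either post, is a small Python checker that classifies the first bytes of a connection as a plausible RPC call, an incomplete prefix, or junk, so that a capture or IDS pipeline can flag the sources of garbage aimed at the portmapper. The MAX_FRAGMENT threshold and the sample observations are constructed assumptions of this example, not values from the thread.

```python
import struct

# ONC RPC constants (RFC 1831)
RPC_CALL = 0                  # msg_type of a request
RPC_VERSION = 2               # the only RPC protocol version in use
PMAP_PROG = 100000            # portmapper program number
LAST_FRAGMENT = 0x80000000    # record-mark flag bit
MIN_CALL_BODY = 40            # 6 header words + AUTH_NULL cred + AUTH_NULL verf
MAX_AUTH_BYTES = 400          # RFC 1831 limit on an opaque auth body
MAX_FRAGMENT = 64 * 1024      # assumption: a real portmapper client never sends more


def build_rpc_call(xid, prog, vers, proc, args=b""):
    """Constructed sample: one single-fragment TCP record carrying an RPC CALL
    with AUTH_NULL credentials and verifier, as a real client would send it."""
    body = struct.pack(">IIIIII", xid, RPC_CALL, RPC_VERSION, prog, vers, proc)
    body += struct.pack(">II", 0, 0)   # credentials: flavor AUTH_NULL, length 0
    body += struct.pack(">II", 0, 0)   # verifier:    flavor AUTH_NULL, length 0
    body += args
    return struct.pack(">I", LAST_FRAGMENT | len(body)) + body


def classify_tcp_rpc_prefix(data):
    """Return (verdict, reason) for the first bytes a client sent on a TCP RPC
    socket: 'call' (plausible RPC CALL), 'incomplete' (need more bytes) or 'junk'."""
    if len(data) < 4:
        return ("incomplete", "record mark not yet complete")
    (mark,) = struct.unpack(">I", data[:4])
    frag_len = mark & 0x7FFFFFFF
    last = bool(mark & LAST_FRAGMENT)
    if frag_len > MAX_FRAGMENT:
        return ("junk", "fragment length %d exceeds %d" % (frag_len, MAX_FRAGMENT))
    if last and frag_len < MIN_CALL_BODY:
        return ("junk", "single-fragment record too short for a CALL header")
    body = data[4:4 + frag_len]
    if len(body) < 24:
        # The client may still be sending; only the header so far is judged.
        return ("incomplete", "%d of %d body bytes received" % (len(body), frag_len))
    xid, mtype, rpcvers, prog, vers, proc = struct.unpack(">IIIIII", body[:24])
    if mtype != RPC_CALL:
        return ("junk", "msg_type %d is not CALL" % mtype)
    if rpcvers != RPC_VERSION:
        return ("junk", "rpcvers %d is not %d" % (rpcvers, RPC_VERSION))
    if len(body) >= 32:
        flavor, cred_len = struct.unpack(">II", body[24:32])
        # Known flavors are 0..6 (AUTH_NULL .. RPCSEC_GSS); bodies are capped at 400 bytes.
        if flavor > 6 or cred_len > MAX_AUTH_BYTES:
            return ("junk", "implausible credential flavor %d / length %d" % (flavor, cred_len))
    return ("call", "program %d version %d procedure %d" % (prog, vers, proc))


def flag_sources(observations):
    """observations: list of (source, first_bytes_on_connection).
    Returns the sources whose opening bytes cannot be an RPC call."""
    return [src for src, data in observations if classify_tcp_rpc_prefix(data)[0] == "junk"]


# Constructed observations, as a capture tool might hand them over.
GETPORT_NFS = build_rpc_call(0x1234, PMAP_PROG, 2, 3,           # PMAPPROC_GETPORT
                             struct.pack(">IIII", 100003, 2, 6, 0))  # nfs v2, IPPROTO_TCP
SAMPLE = [
    ("10.0.0.5", GETPORT_NFS),                                   # normal client
    ("10.0.0.9", bytes.fromhex("9f3ac17702551de8a03b77c4")),     # constructed random bytes
    ("10.0.0.7", GETPORT_NFS[:12]),                              # client still mid-send
    ("10.0.0.3", struct.pack(">I", LAST_FRAGMENT | 64) + b"\x5a" * 64),  # sane mark, garbage body
]

if __name__ == "__main__":
    for src, data in SAMPLE:
        print(src, *classify_tcp_rpc_prefix(data))
    print("flagged:", flag_sources(SAMPLE))
```

The check is deliberately conservative: a prefix is only called junk when no continuation of it could be a valid call, so a slow but honest client is reported as incomplete rather than flagged. Run over real captures, the flagged list is what you would feed into a rate limit or a block rule on port 111.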