Re: Possible DoS against inetd in Solaris

[Massimo Fubini <M.Fubini () ieee org>]

I think this old e-mails from the nmap-hackers mailing list can be of
interest:

AB> Date: Mon, 25 Sep 2000 10:25:33 -0600 (MDT)
AB> From: "Alek O. Komarnitsky (N-CSC)" <alek () ast lmco com>
AB> Subject: Sun finally releases patch for nmap inetd denial of service issue
AB> To: nmap-hackers () insecure org
AB>
AB> There was some Email discussion a while ago about running nmap
AB> can cause problems for inetd. Specifically, I've was able to
AB> reliabily cause a small percentage (5-10%) of "scanned" machines
AB> to "hang" inetd ... so that subsequent connections were hung.
AB> I'm just basically doing a single TCP port scan at something that is
AB> handled by inetd (rather than a standalone process). You can usually
AB> "unfreeze" it by doing a 'echo "" | telnet HOSTNAME PORTNUMBER'
AB>
AB>
AB> There was a patch for HPUX (PHNE_16832) that fixed this problem there.
AB>
AB>
AB> On Sun Solaris, there was an issue with inetd actually DYING, but that
AB> was fixed some time ago ... but the "hanging" inetd continues.
AB>
AB> Good News: Sun recently released Patch 109104-04 ... which based on
AB> my testing of 50+ machines, *DOES* fix the problem. I.e. I can nmap
AB> these puppies to death and inetd doesn't blink an eye - the README says:
AB>    4337605 inetd Denial of Service Attack - accept() hangs after successful select()
AB>
AB>
AB> Bad News: This patch is for Solaris 2.7 ONLY ... I've had some
AB> discussions with Sun and "suggested" they release 2.6 & 2.8 versions;
AB> since I can reliably "hang up" inetd 5-10% of the time on those.
AB> I've got about 500 of these machines (all recently patched),
AB> so a semi-decent testbed to use!   ;-)
AB>
AB>
AB> I'll let folks know what I hear about 2.6 & 2.8 patch availability.
AB> alek
AB>
AB> P.S. Pls note that this is NOT nmap's "fault" ... but rather buggy inetd;
AB> which should be more robust.
--------------------------------------------------------------------------------

And than this second one from the same mailing list:

AB> From: "Alek O. Komarnitsky (N-CSC)" <alek () ast lmco com>
AB> Subject: Re: Sun finally releases patch for nmap inetd denial of service issue
> > From: lamont () icopyright com
> > Subject: Re: Sun finally releases patch for nmap inetd denial of service issue
> > To: "Alek O. Komarnitsky (N-CSC)" <alek () ast lmco com>
> > Cc: nmap-hackers () insecure org
> >
> > The one-line description of the problem "accept() hangs after successful
> > select()" makes it sound more like its an OS issue than an inetd bug.
> > That would be an important clarification, since it would affect other
> > programs as well.
AB>
AB>
AB> You are EXACTLY correct ... I was a bit sloppy in my earlier Email
AB> saying this was an inetd problem - in fact, the fix is NOT the inetd
AB> executeable, but actually a patch to sockfs ... i.e. it is OS.
AB>
AB> I mentioned the inetd 'cause I can repeat the problem "using" that
AB> utility and it's a fairly serious DOS when inetd dies.
AB>
AB> alek
AB>
AB> P.S. I'm getting "lame" responses from Sun on Solaris2.6 & 2.8
AB> equivelent patches for 109104-04 (2.7 ONLY) ... so if anyone on
AB> this list has some "pull" with the Sun guys, you might nudge 'em
AB> that they should really releases patches to this DOS for other OS's.
AB>