Vulnerability Development mailing list archives

Vulnerability in xinetd


From: ml <ml () BLAS NET>
Date: Fri, 16 Mar 2001 20:38:11 +0100

I'm curious about xinetd and its capability to truly filter by source IP address.

Hereafter is a trace made this night of somebody wanting to test a few services on one of my machines.
On this machine Telnet is active but is limited to the local network of the machine thanks to xinetd.


Of course, if I try to connect to this machine from outside its network using telnet or nc, I get a REJECT.

x.x.x.x is the xinetd machine in all traces.


Typical telnet dialog
=====================

                y.y.y.y.38217 > x.x.x.x.telnet: S 1714687517:1714687517(0) win 5580 <mss 1395,sackOK,timestamp 
162442644[|tcp]> [tos 0x10]  (ttl 21, id 28667)
20:30:53.346284 x.x.x.x.telnet > y.y.y.y.38217: S 1787990521:1787990521(0) ack 1714687518 win 32085 <mss 
1395,sackOK,timestamp 1437763377[|tcp]> (DF) (ttl 64, id 30059)
20:30:53.423597 y.y.y.y.38217 > x.x.x.x.telnet: . 1:1(0) ack 1 win 5580 <nop,nop,timestamp 162442652 1437763377> [tos 
0x10]  (ttl 21, id 28923)
20:30:53.423870 x.x.x.x.telnet > y.y.y.y.38217: F 1:1(0) ack 1 win 32085 <nop,nop,timestamp 1437763385 162442652> (DF) 
(ttl 64, id 30061)
20:30:53.425628 y.y.y.y.38217 > x.x.x.x.telnet: P 1:25(24) ack 1 win 5580 <nop,nop,timestamp 162442652 1437763377> 
[telnet DO SUPPRESS GO AHEAD, WILL TERMINAL TYPE, WILL NAWS, WILL TSPEED, WILL LFLOW, WILL LINEMODE, WILL NEW-ENVIRON, 
DO STATUS] [tos 0x10]  (ttl 21, id 29179)
20:30:53.425680 x.x.x.x.telnet > y.y.y.y.38217: R 1787990522:1787990522(0) win 0 [tos 0x10]  (ttl 255, id 30063)
20:30:53.506060 y.y.y.y.38217 > x.x.x.x.telnet: F 25:25(0) ack 2 win 5580 <nop,nop,timestamp 162442660 1437763385> [tos 
0x10]  (ttl 21, id 29435)
20:30:53.506100 x.x.x.x.telnet > y.y.y.y.38217: R 1787990523:1787990523(0) win 0 [tos 0x10]  (ttl 255, id 30066)




So, this night, there was no intrusion since the server disconnected
the user just after the login but, nevertheless:
        - login was displayed, as you can see in the extract of frame 219 below.
        - there is no FAIL message in the log, as you can see in the extract of the xinetd log.


My question is, of course, why could this guy get so far in the login process?
Or, if you prefer, why didn't xinetd block him before the login?
Is there a hole in xinetd bypassing access control for 62.x.x.x source addresses?

Thanks,


db


Extract of xinetd log
=====================

01/3/16@02:56:51: START: telnet pid=32101 from=62.83.70.78
01/3/16@02:56:56: EXIT: telnet pid=32101 duration=5(sec)



Trace
=====

You can see in this trace that my machine asks for AUTH, as for a true login.

199 2001-03-16 02:56:51.0662  62.83.70.78 -> x.x.x.x TCP 3035 > 23 [SYN] Seq=2587230012 Ack=0 Win=16060 Len=0 MSS=1460 
TSV=2896941 TSER=0 WS=0
200 2001-03-16 02:56:51.0663 x.x.x.x -> 62.83.70.78  TCP 23 > 3035 [SYN, ACK] Seq=3723776700 Ack=2587230013 Win=32120 
Len=0 MSS=1460 TSV=1431439149 TSER=2896941 WS=0
201 2001-03-16 02:56:51.4501  62.83.70.78 -> x.x.x.x TCP 3035 > 23 [ACK] Seq=2587230013 Ack=3723776701 Win=16060 Len=0 
TSV=2896979 TSER=1431439149
202 2001-03-16 02:56:51.4672  62.83.70.78 -> x.x.x.x TELNET Telnet Data ...
203 2001-03-16 02:56:51.4672 x.x.x.x -> 62.83.70.78  TCP 23 > 3035 [ACK] Seq=3723776701 Ack=2587230037 Win=32120 Len=0 
TSV=1431439189 TSER=2896979
204 2001-03-16 02:56:51.6293 x.x.x.x -> 62.83.70.78  TCP 2108 > 113 [SYN] Seq=3727437373 Ack=0 Win=32120 Len=0 MSS=1460 
TSV=1431439206 TSER=0 WS=0
205 2001-03-16 02:56:51.9308  62.83.70.78 -> x.x.x.x TCP 113 > 2108 [RST, ACK] Seq=0 Ack=3727437374 Win=0 Len=0
206 2001-03-16 02:56:52.1385 x.x.x.x -> 62.83.70.78  TELNET Telnet Data ...
207 2001-03-16 02:56:52.4592  62.83.70.78 -> x.x.x.x TCP 3035 > 23 [ACK] Seq=2587230037 Ack=3723776713 Win=16048 Len=0 
TSV=2897080 TSER=1431439257
208 2001-03-16 02:56:52.4593 x.x.x.x -> 62.83.70.78  TELNET Telnet Data ...
209 2001-03-16 02:56:52.4597  62.83.70.78 -> x.x.x.x TELNET Telnet Data ...
210 2001-03-16 02:56:52.4780 x.x.x.x -> 62.83.70.78  TCP 23 > 3035 [ACK] Seq=3723776728 Ack=2587230040 Win=32120 Len=0 
TSV=1431439291 TSER=2897080
211 2001-03-16 02:56:52.8276  62.83.70.78 -> x.x.x.x TELNET Telnet Data ...
212 2001-03-16 02:56:52.8277 x.x.x.x -> 62.83.70.78  TELNET Telnet Data ...
213 2001-03-16 02:56:53.2116  62.83.70.78 -> x.x.x.x TELNET Telnet Data ...
214 2001-03-16 02:56:53.2281 x.x.x.x -> 62.83.70.78  TCP 23 > 3035 [ACK] Seq=3723776746 Ack=2587230083 Win=32120 Len=0 
TSV=1431439366 TSER=2897156
215 2001-03-16 02:56:53.2412 x.x.x.x -> 62.83.70.78  TELNET Telnet Data ...
216 2001-03-16 02:56:53.5795  62.83.70.78 -> x.x.x.x TELNET Telnet Data ...
217 2001-03-16 02:56:53.5802 x.x.x.x -> 62.83.70.78  TELNET Telnet Data ...
218 2001-03-16 02:56:53.8684  62.83.70.78 -> x.x.x.x TELNET Telnet Data ...
219 2001-03-16 02:56:53.8684 x.x.x.x -> 62.83.70.78  TELNET Telnet Data ...
220 2001-03-16 02:56:54.1884  62.83.70.78 -> x.x.x.x TCP 3035 > 23 [ACK] Seq=2587230089 Ack=3723776764 Win=16060 Len=0 
TSV=2897255 TSER=1431439430
221 2001-03-16 02:56:56.6065  62.83.70.78 -> x.x.x.x TELNET Telnet Data ...
222 2001-03-16 02:56:56.6086 x.x.x.x -> 62.83.70.78  TCP 23 > 3035 [FIN, ACK] Seq=3723776764 Ack=2587230090 Win=32120 
Len=0 TSV=1431439704 TSER=2897495
223 2001-03-16 02:56:56.9264  62.83.70.78 -> x.x.x.x TCP 3035 > 23 [ACK] Seq=2587230090 Ack=3723776765 Win=16059 Len=0 
TSV=2897527 TSER=1431439704
224 2001-03-16 02:56:56.9275  62.83.70.78 -> x.x.x.x TCP 3035 > 23 [FIN, ACK] Seq=2587230090 Ack=3723776765 Win=16060 
Len=0 TSV=2897527 TSER=1431439704
225 2001-03-16 02:56:56.9275 x.x.x.x -> 62.83.70.78  TCP 23 > 3035 [ACK] Seq=3723776765 Ack=2587230091 Win=32120 Len=0 
TSV=1431439735 TSER=2897527


Data for Frame 219
==================

Telnet
    Data: \r\n
    Data: h1 login:
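
Added example, not part of the original post: a log audit that flags every xinetd START whose source address lies outside the network the service is supposed to be limited to, which is the condition the log extract above shows. ALLOWED_NET is a placeholder for the poster's redacted network, and every sample line except the two taken from the post is constructed (the FAIL line layout is an assumption).

```python
import ipaddress
import re

# Assumption: stand-in for the redacted local network the service is limited to.
ALLOWED_NET = ipaddress.ip_network("192.0.2.0/24")

# Last two lines are from the post; the first three are constructed for contrast.
SAMPLE_LOG = """\
01/3/16@02:41:07: START: telnet pid=32088 from=192.0.2.10
01/3/16@02:44:19: EXIT: telnet pid=32088 duration=192(sec)
01/3/16@02:50:30: FAIL: telnet address from=203.0.113.5
01/3/16@02:56:51: START: telnet pid=32101 from=62.83.70.78
01/3/16@02:56:56: EXIT: telnet pid=32101 duration=5(sec)
"""

LINE_RE = re.compile(r"^(\S+): (START|EXIT|FAIL): (\S+)\s*(.*)$")

def parse(line):
    """Split one log line into (timestamp, event, service, key=value fields)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, event, service, rest = m.groups()
    fields = dict(tok.split("=", 1) for tok in rest.split() if "=" in tok)
    return ts, event, service, fields

def unexpected_starts(log_text, allowed=ALLOWED_NET):
    """Return sessions that were STARTed from a source outside `allowed`."""
    findings, open_sessions = [], {}
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, event, service, f = rec
        if event == "START" and "from" in f:
            try:
                src = ipaddress.ip_address(f["from"])
            except ValueError:
                continue  # unparsable source address: skip rather than guess
            if src not in allowed:
                hit = {"ts": ts, "service": service, "pid": f.get("pid"),
                       "src": str(src), "duration": None}
                findings.append(hit)
                open_sessions[(service, f.get("pid"))] = hit
        elif event == "EXIT":
            # Pair EXIT with its START by (service, pid) to recover the duration.
            hit = open_sessions.pop((service, f.get("pid")), None)
            digits = re.match(r"\d+", f.get("duration", ""))
            if hit and digits:
                hit["duration"] = int(digits.group())
    return findings
```

A non-empty result means the service was started for a source that the access restriction should have refused, which is the case to investigate.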

