[12167] in bugtraq


Re: Omni-NFS/X Enterprise (nfsd.exe) DOS

daemon@ATHENA.MIT.EDU (Mikael Olsson)
Fri Oct 8 17:19:15 1999

Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Message-Id:  <37FCCB53.272B51BA@enternet.se>
Date:         Thu, 7 Oct 1999 18:33:23 +0200
Reply-To: Mikael Olsson <mikael.olsson@ENTERNET.SE>
From: Mikael Olsson <mikael.olsson@ENTERNET.SE>
X-To:         "S.Faust" <sfaust@ISI-MTL.COM>
To: BUGTRAQ@SECURITYFOCUS.COM

"S.Faust" wrote:
>
> Faulty software
> ---------------
>
> Omni-NFS/X Enterprise version 6.1
>
> Product
> ---------
>
> Omni-NFS/X Enterprise is an X, NFS server solution for win32 systems.
> It is written by XLink Technology (http://www.xlink.com).
>
> Vulnerability
> -------------
>
> The nfs daemon ( nfsd.exe ) used by Omni-NFS/X will jump to 100% cpu usage
> if you scan it
> using nmap with either the -O (OS detect) or the -sS (TCP SYN (half open))


Classic URG bug. nmap uses the Urgent flag for OS fingerprinting.

Omni-NFS/X Enterprise probably checks to see "is there something
waiting for me in the TCP stream?" and gets the response "yes
there is". Then it tries to read the standard stream and gets
zero bytes. It does NOT poll the urgent (OOB) stream however.
Then it loops back to see if there's input waiting, which there
still is.

Blah.

Hint to the developer, FOR EVERY SINGLE SOCKET YOU OPEN:
- Turn on SO_OOBINLINE to receive the urgent data in the
  normal stream
- OR do NOT set the FD_OOB flag in your WSAAsyncSelect() or
  WSAEventSelect() calls; this way you won't get notifications
  for urgent data (I'm not sure what happens to the data though).

Regards,
Mikael Olsson

>
> Example :
>
> (zorkeres@rh-mindlab)(Omni-X)(06/10/99) (1007)
> $ nmap -O -p 111 slacky
>
> Starting nmap V. 2.3BETA5 by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)
> Interesting ports on slacky (192.168.1.2):
> Port    State       Protocol  Service
> 111     open        tcp       sunrpc
>
> TCP Sequence Prediction: Class=trivial time dependency
>                          Difficulty=2 (Trivial joke)
> Remote operating system guess: Windows NT4 / Win95 / Win98
>
> Nmap run completed -- 1 IP address (1 host up) scanned in 1 second
> (zorkeres@rh-mindlab)(Omni-X)(06/10/99) (1008)
> $
>
> This was tested on Microsoft Windows NT 4.0 Workstation with SP5.
> I'm pretty sure all their NFS solutions are affected by this.
>
> ------------------------------------------------
> Sacha Faust sfaust@isi-mtl.com
> "He who despairs of the human condition is a coward, but he who has hope for
> it is a fool. " - Albert Camus

--
Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 ÖRNSKÖLDSVIK
Phone: +46-(0)660-105 50           Fax: +46-(0)660-122 50
Mobile: +46-(0)70-248 00 33
WWW: http://www.enternet.se        E-mail: mikael.olsson@enternet.se
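As an added example (not part of Mikael Olsson's message, and not XLink's code), here is what his advice looks like in Python's portable socket API rather than Winsock: one server loop that drains a connection carrying an urgent (URG) byte either with SO_OOBINLINE, his first remedy, or by watching the exceptional set of select() and reading the urgent byte with MSG_OOB, the Berkeley-sockets analogue of not letting an unread urgent byte satisfy the "is there input waiting?" check. The peer is a local client thread standing in for a scanner; its traffic ("hello", then "!" out of band, then "world") is constructed for the example.

```python
"""Draining a TCP connection without spinning on urgent (URG) data.

Added example, not code from the original post or from XLink. A client
thread on the loopback interface stands in for a peer that sets the TCP
URG flag. Constructed traffic: "hello", then "!" as out-of-band data,
then "world", then close.
"""
import select
import socket
import threading

URGENT = b"!"


def _client(port):
    # Stand-in for the remote peer; sends one urgent byte mid-stream.
    with socket.create_connection(("127.0.0.1", port)) as c:
        c.recv(2)                       # wait for "go": server options are set
        c.sendall(b"hello")
        c.send(URGENT, socket.MSG_OOB)  # transmitted with the URG flag set
        c.sendall(b"world")


def drain_connection(mode, timeout=5.0):
    """Accept one connection and read it to EOF.

    mode == "inline": SO_OOBINLINE, so the urgent byte is delivered in the
                      normal stream (first remedy from the post).
    mode == "oob":    urgent byte kept separate; select()'s exceptional set
                      tells us when to read it with MSG_OOB, so a readiness
                      check never reports data that a plain recv() won't give.
    Returns (normal_bytes, urgent_bytes, loop_iterations).
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    peer = threading.Thread(target=_client, args=(port,))
    peer.start()

    conn, _ = listener.accept()
    listener.close()
    normal, urgent, iterations = b"", b"", 0
    with conn:
        if mode == "inline":
            conn.setsockopt(socket.SOL_SOCKET, socket.SO_OOBINLINE, 1)
        conn.sendall(b"go")
        watch_oob = [conn] if mode == "oob" else []
        while True:
            iterations += 1
            readable, _, exceptional = select.select([conn], [], watch_oob, timeout)
            if not readable and not exceptional:
                raise TimeoutError("peer went quiet")
            if exceptional:
                # Urgent byte pending: take it out of band before any normal
                # read, since reading past the urgent mark can discard it.
                try:
                    urgent += conn.recv(1, socket.MSG_OOB)
                except OSError:
                    pass  # nothing left out of band (urgent data is best effort)
            if readable:
                chunk = conn.recv(4096)
                if not chunk:  # EOF: the loop ends instead of spinning
                    break
                normal += chunk
    peer.join()
    return normal, urgent, iterations


if __name__ == "__main__":
    for mode in ("inline", "oob"):
        print(mode, drain_connection(mode))
```

In "inline" mode the stream reads `hello!world`; in "oob" mode the normal stream reads `helloworld` and the `!` comes back from the MSG_OOB read. On Linux the kernel's own readiness check already refuses to report a socket readable when the only pending byte is unread urgent data, which is why the "oob" loop terminates cleanly there; the post describes a stack where that check said "yes" while the normal read returned nothing.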
