[14309] in bugtraq
nmap causes DoS on DGUX
daemon@ATHENA.MIT.EDU (The Unicorn)
Thu Mar 16 22:36:45 2000
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id: <20000316223001.E6467@unicorn.blackhats.org>
Date: Thu, 16 Mar 2000 22:30:01 +0100
Reply-To: The Unicorn <unicorn@BLACKHATS.ORG>
From: The Unicorn <unicorn@BLACKHATS.ORG>
X-To: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
BlackHats Security Advisory
Release date: March 16, 2000
Application: Data General (DG/UX 5.4R3.10) inetd
Severity: Any user can deny startup of all processes
normally started by inetd using an nmap scan
Author(s): annabelle@blackhats.org, unicorn@blackhats.org
---
Overview :
---
The inetd daemon (see also: "man 8 inetd") in any UNIX-like
operating system is used to listen for incoming connections on the
ports specified in the /etc/inetd.conf file (also described in the manual
page) and to start the service bound to that port as specified in
the same file. The purpose of having one such super daemon is to save
memory and make it easier to start up other daemons as well. The
overhead of the necessary fork/exec is justified on a normally loaded
system. Processes started by the inetd daemon include, but are not
limited to, "ftp", "telnet" and "finger".
When the nmap scanner, developed by Fyodor (see also:
http://www.insecure.org/nmap), is used to try to determine what operating
system the remote target is actually running (using a technique named
"stack fingerprinting"), the inetd daemon changes to a state in which it
is thereafter no longer capable of spawning new services. The only
current solution is a restart of the inetd daemon by the operator of
the Data General system.
---
Affected systems:
---
Data General systems running DG/UX R4.20MU04/05, and R4.11MU06
(M88k) and perhaps other versions of this operating system as well (we
were unable to verify this because we did not have these available). The
only exception we were able to verify was the DG/UX B2 system
(R4.20MU04), which seemed not affected by this scan.
---
Workarounds/Fixes:
---
We have notified Data General of this problem in the second week
of February, and finally received patch tcpip_R4.20MU04.p11 today (one
month after disclosing the problem to Data General).
---
Example:
---
The following is the minimal command used to actually deny all
services started by inetd (which listens on the ftp port (21)):
nmap -O -p 21 <target>
To be on the safe side (and the actual command issued which led to this
advisory) you can also use the following stealthy scan of the reserved
ports of the Data General DG/UX system:
nmap -v -O -sS -p1-1023 <target>
Ciao,
Unicorn.
--
======= _ __,;;;/ TimeWaster ================================================
,;( )_, )~\| A Truly Wise Man Never Plays
;; // `--; Leapfrog With A Unicorn...
==='= ;\ = | ==== Youth is Not a Time in Life, It is a State of Mind! =======
Echelon Teasers: NSA CIA FBI Mossad BVD MI5 Cocaine Cuba Revolution Espionage