[6466] in bugtraq


Re: portmap 4.0-8 DoS

daemon@ATHENA.MIT.EDU (Peter van Dijk)
Tue Apr 7 18:38:14 1998

Date: 	Tue, 7 Apr 1998 22:17:58 +0200
Reply-To: Peter van Dijk <peter@ATTIC.VUURWERK.NL>
From: Peter van Dijk <peter@ATTIC.VUURWERK.NL>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <Pine.LNX.3.96.980401171558.783A-100000@genome>

On Wed, 1 Apr 1998, Michal Zalewski wrote:

> It's possible to perform a DoS attack by sending a small amount of junk to
> tcp port 111 of a machine running portmap 4.0 (and older). A simple exploit
> follows (only to send a few random 8-bit chars):
>
>   telnet -E victim.com 111 </dev/random
>
> It will affect specific operations/services on the attacked host, like login -
> depending on system speed, a login attempt on an idle machine (LA=0.01, Linux
> 2.0.x, x86) will take from over 10 seconds (k6/200MHz) to long minutes
> (486dx/80MHz). During the attack, many select() calls will fail (timeout),
> so complex programs will become much slower (especially when resolving
> domain names :), but LA will not change significantly.
>
> Smarter attacks (without /dev/random) are probably much more effective.

This is the very same bug I already reported as 'easy DoS in most RPC
apps'. rpc.portmap is one I forgot to check ;)
This bug is in (g)libc, I've been discussing it with some rpc developers,
they don't see any simple solution...

Greetz, Peter.

------------------------------------------------------------------------------
 'Selfishness and separation have led me to   .      Peter 'Hardbeat' van Dijk
  to believe that the world is not my problem .    network security consultant
  I am the world. And you are the world.'     .               (yeah, right...)
          Live - 10.000 years (peace is now)  .        peter@attic.vuurwerk.nl
------------------------------------------------------------------------------
 10:16pm  up 13 days, 19:56,  3 users,  load average: 1.02, 0.52, 0.20
------------------------------------------------------------------------------
