[8811] in bugtraq
Re: Nmap network auditing/exploring tool V. 2.00 released
daemon@ATHENA.MIT.EDU (Casper Dik)
Thu Dec 24 18:22:46 1998
Date: Wed, 23 Dec 1998 10:12:57 +0100
Reply-To: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
From: Casper Dik <casper@HOLLAND.SUN.COM>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: Your message of "Tue, 22 Dec 1998 13:40:45 PST."
<Pine.SGI.4.05.9812221312130.27494-100000@raven.genome.washington.edu>
>Another nmap-induced denial-of-service is against many machines inetd's
>when doing a TCP connect() scan (-sT) with the result of killing the inetd
>process. I've found that Digital Unix and Irix have been vulnerable to
>this. I cannot reliably reproduce the problem[*] and have not tested it
>against xinetd.
The TCP scan seems to be wide spread under inetd.
It's caused by the inetd "internal" TCP services; when a connection
is made and closed before a response can be send, inetd will die with
SIGPIPE.
This affects the services that do not fork() prior to running; discard,
echo and chargen do fork(), I believe, but time and daytime only send a
single respone and fork()ing wasn't deemed necessary.
It does affect Solaris prior to Solaris 7 (where it was fixed before it
was understood how easy it was to trigger)
Casper