easy DoS in most RPC apps

From: Peter van Dijk (peterat_private)
Date: Sat Mar 28 1998 - 04:25:26 PST


    This is something Juggler found while poking around his ports. I
    investigated the problem further.
    
    If you connect (using telnet, netcat, anything) to a TCP port assigned to
    some RPC protocol (tested with rpc.nfsd/mountd/portmap on Slackware
    3.4/Kernel 2.0.33) and send some 'garbage' (like a newline ;) every 5
    seconds or faster, the service will completely stop responding. At the
    very moment the connection is closed, the service will return to normal
    work again.
    strace shows the following (from rpc.nfsd [nfs-server-2.2beta29]):
    
    alarm(5)                                = 0
    sigreturn()                             = ? (mask now [])
    select(256, [4 5], NULL, NULL, NULL)    = 1 (in [5])
    accept(5, {sin_family=AF_INET, sin_port=htons(12406), sin_addr=inet_addr("127.0.0.1")}, [16]) = 0
    select(256, [0 4 5], NULL, NULL, NULL)  = 1 (in [0])
    select(256, [0], NULL, NULL, {35, 0})   = 1 (in [0], left {35, 0})
    read(0, "\r\n", 4000)                   = 2
    
    The connection is accepted, after which a new select is started with both
    old file descriptors (tcp and udp listening sockets) and the new
    connection. Then some data arrives on the new connection, after which
    select is started with _only_ this connection as a parameter. Then a read
    is started, which can only be aborted by dropping the connection or
    hitting SIGALRM (which happens after 5 seconds). Right about that time,
    another newline is sent, restarting the whole loop.
    
    This bug can easily be exploited remotely without any special software and
    without taking any noticeable bandwidth (one packet every 5 seconds).
    This one worked perfectly for me:
    $ { while true ; do echo ; sleep 5 ; done ; } | telnet localhost 2049
    Replacing the sleep 5 with sleep 6 or even more shows that the service
    will then respond every once in a while.
    
    Further examination shows that rpc.pcnfsd and rpc.ypxfrd are probably also
    vulnerable, as most other RPC applications that support TCP will be.
    
    Greetz, Peter.
    
    ------------------------------------------------------------------------------
     'Selfishness and separation have led me to   .      Peter 'Hardbeat' van Dijk
      to believe that the world is not my problem .    network security consultant
      I am the world. And you are the world.'     .               (yeah, right...)
              Live - 10.000 years (peace is now)  .        peterat_private
    ------------------------------------------------------------------------------
     12:27am  up 1 day, 23:05,  3 users,  load average: 0.07, 0.10, 0.03
    ------------------------------------------------------------------------------
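The following is an added example, not part of the original message and not code from nfs-server-2.2beta29. It simulates the two timeout policies the post contrasts: the per-read alarm(5) that is re-armed after every read (the behaviour the strace shows), and a hardened form where the connection keeps an absolute deadline fixed at accept() time and a cap on bytes buffered without a complete request. The client timeline is constructed (one "\r\n" every few seconds, as the while/echo/sleep loop produces). The 35-second deadline echoes the select timeout visible in the strace but its use as a request deadline, like the 4096-byte cap, is an assumption of this example.

```c
/* Added example (not from the original post or from nfs-server-2.2beta29):
 * a simulation of the two timeout policies discussed above.  All times are
 * seconds since accept(); the client timeline is constructed, one "\r\n"
 * every `interval` seconds, like the while/echo/sleep loop in the post. */
#include <stdio.h>
#include <stddef.h>

#define IDLE_TIMEOUT     5.0    /* matches the alarm(5) in the strace */
#define REQUEST_DEADLINE 35.0   /* assumed: seconds allowed for one complete request */
#define MAX_PENDING      4096   /* assumed: bytes buffered before a complete request */

struct event { double t; size_t bytes; };   /* one read() returning `bytes` at time t */

/* Build the constructed timeline: 2 bytes ("\r\n") at interval, 2*interval, ... */
size_t build_newline_trace(struct event *out, size_t cap, double interval, double trace_end)
{
    size_t n = 0;
    for (size_t i = 1; n < cap && interval * (double)i <= trace_end; i++) {
        out[n].t = interval * (double)i;
        out[n].bytes = 2;
        n++;
    }
    return n;
}

/* Policy 1, the behaviour the post describes: a blocking read() guarded by an
 * alarm that is re-armed after every read.  Returns the time the server gives
 * the connection up, or -1.0 if it never does within the trace (the DoS case:
 * while this read blocks, no other client is served). */
double drop_time_idle_timer(const struct event *ev, size_t n, double trace_end)
{
    double last = 0.0;                       /* time of accept() */
    for (size_t i = 0; i < n; i++) {
        if (ev[i].t - last > IDLE_TIMEOUT)
            return last + IDLE_TIMEOUT;      /* SIGALRM fired first */
        last = ev[i].t;                      /* read() returned: alarm(5) again */
    }
    if (trace_end - last > IDLE_TIMEOUT)
        return last + IDLE_TIMEOUT;
    return -1.0;
}

/* Policy 2, the hardened form: the connection stays in the main select() set
 * with a non-blocking socket, so other clients keep being served, and it has an
 * absolute deadline fixed at accept() plus a cap on bytes buffered without a
 * complete request.  Garbage every few seconds cannot extend either limit. */
double drop_time_absolute_deadline(const struct event *ev, size_t n, double trace_end)
{
    size_t pending = 0;
    for (size_t i = 0; i < n; i++) {
        if (ev[i].t >= REQUEST_DEADLINE)
            return REQUEST_DEADLINE;         /* deadline passed before this byte */
        pending += ev[i].bytes;
        if (pending > MAX_PENDING)
            return ev[i].t;                  /* too much data, still no request */
    }
    return trace_end >= REQUEST_DEADLINE ? REQUEST_DEADLINE : -1.0;
}

int main(void)
{
    struct event ev[64];
    const double intervals[] = { 4.0, 6.0 };    /* "sleep 5 or faster" vs "sleep 6" */
    for (size_t k = 0; k < 2; k++) {
        size_t n = build_newline_trace(ev, 64, intervals[k], 120.0);
        printf("garbage every %.0fs: idle timer drops at %.1f, absolute deadline drops at %.1f "
               "(-1.0 = never)\n", intervals[k],
               drop_time_idle_timer(ev, n, 120.0),
               drop_time_absolute_deadline(ev, n, 120.0));
    }
    return 0;
}
```

With a byte every 4 seconds the re-armed alarm never fires, which is the stall the post reports; at 6 seconds it fires at t=5 and the service recovers until the next byte, matching the "responds every once in a while" observation. The absolute deadline drops the connection at t=35 in both cases, and because the hardened loop never blocks in read() on a single descriptor, other clients are served throughout.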
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:47:18 PDT