This is something Juggler found while poking around his ports. I investigated the problem further.

If you connect (using telnet, netcat, anything) to a TCP port assigned to some RPC protocol (tested with rpc.nfsd/mountd/portmap on Slackware 3.4/Kernel 2.0.33) and send some 'garbage' (like a newline ;) every 5 seconds or faster, the service will completely stop responding. At the very moment the connection is closed, the service will return to normal work again.

strace shows the following (from rpc.nfsd [nfs-server-2.2beta29]):

    alarm(5)                                = 0
    sigreturn()                             = ? (mask now [])
    select(256, [4 5], NULL, NULL, NULL)    = 1 (in [5])
    accept(5, {sin_family=AF_INET, sin_port=htons(12406), sin_addr=inet_addr("127.0.0.1")}, [16]) = 0
    select(256, [0 4 5], NULL, NULL, NULL)  = 1 (in [0])
    select(256, [0], NULL, NULL, {35, 0})   = 1 (in [0], left {35, 0})
    read(0, "\r\n", 4000)                   = 2

The connection is accepted, after which a new select is started with both old file descriptors (tcp and udp listening sockets) and the new connection. Then some data arrives on the new connection, after which select is started with _only_ this connection as a parameter. Then a read is started, which can only be aborted by dropping the connection or hitting SIGALRM (which happens after 5 seconds). Right about that time, another newline is sent, restarting the whole loop.

This bug can easily be exploited remotely without any special software and without taking any noticeable bandwidth (one packet every 5 seconds). This one worked perfectly for me:

    $ { while true ; do echo ; sleep 5 ; done } | telnet localhost 2049

Replacing the sleep 5 with sleep 6 or even more shows that the service will then respond every once in a while.

Further examination shows that rpc.pcnfsd and rpc.ypxfrd are probably also vulnerable, as most other RPC applications that support TCP will be.

Greetz, Peter.

------------------------------------------------------------------------------
                                 'Selfishness and separation have led me
Peter 'Hardbeat' van Dijk         to believe that the world is not my problem.
network security consultant       I am the world. And you are the world.'
(yeah, right...)                  Live - 10.000 years (peace is now)
peterat_private
------------------------------------------------------------------------------
 12:27am  up 1 day, 23:05,  3 users,  load average: 0.07, 0.10, 0.03
------------------------------------------------------------------------------
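The server-side fix is the opposite of what the trace above shows: keep every descriptor in the select set, read only what each readable peer has, and reassemble that peer's RPC record (RFC 1057 record marking) in a per-connection buffer instead of blocking in read until it arrives. The following is an added example of such a loop; it is my own code, not anything from nfs-server or from Peter's post, and it assumes the connections are already in the fd list and that a zero timeout is passed only to make a single pass non-blocking for testing.

```c
#include <sys/select.h>
#include <unistd.h>
#include <stdint.h>
#include <string.h>

#define RECBUF 4000

/* Per-connection reassembly state: the bytes seen so far of the current record. */
struct conn { int fd; unsigned char buf[RECBUF]; int len; int records; };

/* Length of the complete record (4-byte marker + fragment) at the head of c->buf, 0 if
 * more bytes are needed, -1 if the marker announces a fragment that can never fit.
 * RFC 1057 record marking: big-endian u32, high bit = last fragment, low 31 = length. */
static int record_ready(const struct conn *c)
{
    if (c->len < 4) return 0;
    uint32_t hdr = ((uint32_t)c->buf[0] << 24) | ((uint32_t)c->buf[1] << 16) |
                   ((uint32_t)c->buf[2] << 8) | c->buf[3];
    uint32_t flen = hdr & 0x7fffffffu;
    if (flen + 4 > RECBUF) return -1;
    return c->len >= (int)(flen + 4) ? (int)(flen + 4) : 0;
}

/* One pass of the event loop: select over ALL connections at once, read only what each
 * readable peer actually has, dispatch the records that completed. Nothing here waits on
 * a single peer, so a client trickling a newline every few seconds just sits in the set
 * while everyone else is served. Returns the number of records completed this pass. */
int service_once(struct conn *conns, int n, struct timeval *tv)
{
    fd_set rd; FD_ZERO(&rd); int maxfd = -1, completed = 0;
    for (int i = 0; i < n; i++) if (conns[i].fd >= 0) {
        FD_SET(conns[i].fd, &rd);
        if (conns[i].fd > maxfd) maxfd = conns[i].fd;
    }
    if (select(maxfd + 1, &rd, NULL, NULL, tv) <= 0) return 0;
    for (int i = 0; i < n; i++) {
        struct conn *c = &conns[i];
        if (c->fd < 0 || !FD_ISSET(c->fd, &rd)) continue;
        ssize_t got = read(c->fd, c->buf + c->len, RECBUF - c->len); /* readable: won't block */
        if (got <= 0) { close(c->fd); c->fd = -1; continue; }        /* EOF or error: drop peer */
        c->len += (int)got;
        int rl;
        while ((rl = record_ready(c)) > 0) {        /* a real server decodes the RPC call here */
            completed++; c->records++;
            c->len -= rl; memmove(c->buf, c->buf + rl, c->len);
        }
        if (rl < 0) { close(c->fd); c->fd = -1; }   /* garbage marker: drop, don't wait for it */
    }
    return completed;
}
```

In the test below, pipes stand in for TCP connections: one peer sends only newlines and never completes a record, while the other peer's record, even when split across two writes, is still served.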
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:47:18 PDT