Re: remote DoS against inetd and ssh

From: Vincent Janelle (malokaiat_private)
Date: Wed Sep 08 1999 - 12:36:24 PDT

Next message: Seth R Arnold: "Re: SCO 5.0.5 /bin/doctor local root comprimise"

Previous message: Brock Tellier: "SCO OpenServer 5.0.5 /bin/doctor root compromise"
Maybe in reply to: Grzegorz Stelmaszek: "remote DoS against inetd and ssh"
Next in thread: Jedi/Sector One: "Re: remote DoS against inetd and ssh"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This works against a lot of other stuff too.. Thats the problem with
inetd, unless you use xinetd.  It doesn't really support the limiting of
the number of processes that can be open.  Its quite easy to fill the
process table if you can make enough of the processes linger around.

Why run ssh from inetd anyways?  I thought thats what its daemon mode is
for.  If you're worried about it crashing, use the daemontools package,
and 'supervise' it.  It'll get restarted if the process dies.

------------
Real roxen error message: Error: The server failed to fulfill your query, due
to an internal error in the internal error routine.
--http://random.gimp.org --mailto:randomat_private --UIN 23939474

On Fri, 3 Sep 1999, Grzegorz Stelmaszek wrote:

> Hi,
>
> At the beginning i'd like to excuse all of you if it is commonly well
> known (hmm, i guess it is, but noone patched it ;>.
>
> Both DoS`s use something known as portfuck (e.g. `while true; do telnet
> host port & done`).
> 1. If you use it against any inetd service, inetd will shoutdown that
> service for about 30 minutes (i did not checked, but it seems to be about
> that time).
> 2. If you use it against sshd, you have 99% that you crash the mashine in
> few seconds.
> TESTED:
> sshd-1.2.26 on Debian 2.0
> sshd-1.2.27 on Debian 2.1
> sshd-1.2.27 on RedHat 5.2
> inetd - one provided with Debian 2.0/2.1/Redhat 5.2
> all above platforms are VULNURABLE to this attack
> COMPROMISE:
> Allows any user to hang many machines in the Internet (i guess that only
> these behind a firewall are secure ;>
> SOLUTION:
> propaply running in ulimit envirmont (like qmail does) should help and
> additionally in inetd remove this strange 'protection'.
>
> regards,
>   greg AKA VanitaS
>
> ***************************************************************************
> * Grzegorz Stelmaszek        *          For my public PGP key:
> * mailto:gregat_private       *           finger:gregat_private
> * http://www.tenet.pl        *         18 E9 5E 6D 78 F0 11 F2
> ******************************         45 CF CF 63 77 C0 A4 20
>

Next message: Seth R Arnold: "Re: SCO 5.0.5 /bin/doctor local root comprimise"
Previous message: Brock Tellier: "SCO OpenServer 5.0.5 /bin/doctor root compromise"
Maybe in reply to: Grzegorz Stelmaszek: "remote DoS against inetd and ssh"
Next in thread: Jedi/Sector One: "Re: remote DoS against inetd and ssh"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:02:27 PDT