Re: Omni-NFS/X Enterprise (nfsd.exe) DOS

From: Mikael Olsson (mikael.olssonat_private)
Date: Thu Oct 07 1999 - 09:33:23 PDT


    "S.Faust" wrote:
    >
    > Faulty software
    > ---------------
    >
    > Omni-NFS/X Enterprise version 6.1
    >
    > Product
    > ---------
    >
    > Omni-NFS/X Enterprise is an X, NFS server solution for win32 systems.
    > It is written by XLink Technology ( http://www.xlink.com ) .
    >
    > Vulnerability
    > -------------
    >
    > The nfs daemon ( nfsd.exe ) used by Omni-NFS/X will jump to 100% cpu usage
    > if you scan it using nmap with either the -O (OS detect ) or the -sS
    > ( TCP SYN (half open) )
    
    
    Classic URG bug. nmap uses the Urgent flag for OS fingerprinting.
    
    Omni-NFS/X Enterprise probably checks to see "is there something
    waiting for me in the TCP stream?" and gets the response "yes
    there is". Then it tries to read the standard stream and gets
    zero bytes. It does NOT poll the urgent (OOB) stream however.
    Then loops back to see if there's input waiting, which there
    still is.
    
    Blah.
    
    Hint to the developer, FOR EVERY SINGLE SOCKET YOU OPEN:
    - Turn on SO_OOBINLINE to receive the urgent data in the
      normal stream
    - OR do NOT set the FD_OOB flag in your WSAAsyncSelect() or
      WSAEventSelect() calls; this way you won't get notifications
      for urgent data (I'm not sure what happens to the data though).
    
    Regards,
    Mikael Olsson
    
    >
    > Example :
    >
    > (zorkeres@rh-mindlab)(Omni-X)(06/10/99) (1007)
    > $ nmap -O -p 111 slacky
    >
    > Starting nmap V. 2.3BETA5 by Fyodor (fyodorat_private, www.insecure.org/nmap/)
    > Interesting ports on slacky (192.168.1.2):
    > Port    State       Protocol  Service
    > 111     open        tcp       sunrpc
    >
    > TCP Sequence Prediction: Class=trivial time dependency
    >                          Difficulty=2 (Trivial joke)
    > Remote operating system guess: Windows NT4 / Win95 / Win98
    >
    > Nmap run completed -- 1 IP address (1 host up) scanned in 1 second
    > (zorkeres@rh-mindlab)(Omni-X)(06/10/99) (1008)
    > $
    >
    > This was tested on Microsoft Windows NT 4.0 Workstation with SP5 .
    > I'm pretty sure all their NFS solutions are affected by this.
    >
    > ------------------------------------------------
    > Sacha Faust sfaust@isi-mtl.com
    > "He who despairs of the human condition is a coward, but he who has hope for
    > it is a fool. " - Albert Camus
    
    --
    Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 ÖRNSKÖLDSVIK
    Phone: +46-(0)660-105 50           Fax: +46-(0)660-122 50
    Mobile: +46-(0)70-248 00 33
    WWW: http://www.enternet.se        E-mail: mikael.olssonat_private
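The two remedies Mikael lists above, shown as an added example that is not part of the original post and not XLink's code: a loopback TCP connection where the "client" is constructed here and sends one urgent byte the way an OS-fingerprinting probe would. It uses POSIX sockets, so select()'s exceptional set and recv(MSG_OOB) stand in for Winsock's FD_OOB notification; the assumption is Linux/BSD urgent-data semantics (the urgent byte is skipped by a normal recv() unless SO_OOBINLINE is set). demo_oobinline() is remedy 1; serve_until_eof() is the read loop the daemon should have had: it drains urgent data when flagged, tolerates a "readable" wake-up that yields no normal data, and treats recv() == 0 as EOF instead of spinning at 100% CPU.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <unistd.h>

/* Build an accepted server socket (*srv) and its constructed client peer (*cli)
 * over 127.0.0.1. With oob_inline set, SO_OOBINLINE is enabled on the server
 * side before any urgent data can arrive (remedy 1 from the post). */
static int make_pair(int oob_inline, int *srv, int *cli) {
    struct sockaddr_in a;
    socklen_t len = sizeof a;
    int ls = socket(AF_INET, SOCK_STREAM, 0);
    if (ls < 0) return -1;
    memset(&a, 0, sizeof a);
    a.sin_family = AF_INET;
    a.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    a.sin_port = 0;                                   /* ephemeral port */
    if (bind(ls, (struct sockaddr *)&a, sizeof a) < 0 || listen(ls, 1) < 0 ||
        getsockname(ls, (struct sockaddr *)&a, &len) < 0) { close(ls); return -1; }
    *cli = socket(AF_INET, SOCK_STREAM, 0);
    if (*cli < 0 || connect(*cli, (struct sockaddr *)&a, sizeof a) < 0) {
        if (*cli >= 0) close(*cli);
        close(ls);
        return -1;
    }
    *srv = accept(ls, NULL, NULL);
    close(ls);
    if (*srv < 0) { close(*cli); return -1; }
    if (oob_inline) {
        int one = 1;                                  /* urgent byte goes into the normal stream */
        if (setsockopt(*srv, SOL_SOCKET, SO_OOBINLINE, &one, sizeof one) < 0) return -1;
    }
    return 0;
}

/* Remedy 1: with SO_OOBINLINE a "readable" indication is never followed by an
 * empty recv(). Returns 1 if the urgent byte arrived inline, 0 if not,
 * negative on setup failure or timeout. */
int demo_oobinline(void) {
    int srv, cli, rc = -1;
    char buf[8];
    fd_set rd;
    struct timeval tv = {2, 0};
    if (make_pair(1, &srv, &cli) < 0) return -1;
    if (send(cli, "U", 1, MSG_OOB) == 1) {            /* constructed probe: one urgent byte */
        FD_ZERO(&rd); FD_SET(srv, &rd);
        if (select(srv + 1, &rd, NULL, NULL, &tv) > 0) {
            ssize_t n = recv(srv, buf, sizeof buf, 0);
            rc = (n == 1 && buf[0] == 'U');
        } else rc = -2;
    }
    close(srv); close(cli);
    return rc;
}

/* Remedy 2, as a loop: urgent data is not inlined, so the server drains it with
 * MSG_OOB when select() reports an exceptional condition (POSIX counterpart of
 * FD_OOB), and never busy-loops on a readable socket that yields nothing.
 * Normal data is appended to *data, the urgent byte stored in *oob.
 * Returns the number of select() wake-ups, or -1 on timeout/error. */
int serve_until_eof(int fd, char *data, size_t cap, char *oob) {
    size_t used = 0;
    int wakeups = 0;
    data[0] = '\0';
    for (;;) {
        fd_set rd, ex;
        struct timeval tv = {2, 0};
        char buf[64];
        ssize_t n;
        FD_ZERO(&rd); FD_ZERO(&ex); FD_SET(fd, &rd); FD_SET(fd, &ex);
        if (select(fd + 1, &rd, NULL, &ex, &tv) <= 0) return -1;   /* bounded wait */
        wakeups++;
        if (FD_ISSET(fd, &ex) && recv(fd, buf, 1, MSG_OOB) == 1)
            *oob = buf[0];                                          /* urgent byte consumed */
        if (!FD_ISSET(fd, &rd)) continue;
        n = recv(fd, buf, sizeof buf, MSG_DONTWAIT);
        if (n == 0) return wakeups;                                 /* orderly EOF: stop, don't spin */
        if (n < 0) {
            if (errno == EAGAIN || errno == EWOULDBLOCK) continue;  /* only urgent data was pending */
            return -1;
        }
        if (used + (size_t)n >= cap) n = (ssize_t)(cap - 1 - used);
        memcpy(data + used, buf, (size_t)n);
        used += (size_t)n;
        data[used] = '\0';
    }
}

/* Drive serve_until_eof(): the constructed client sends one urgent byte, then
 * "hello", then closes its write side. Returns serve_until_eof()'s result. */
int demo_drain_oob(char *data, size_t cap, char *oob) {
    int srv, cli, rc;
    *oob = 0;
    if (make_pair(0, &srv, &cli) < 0) return -1;
    if (send(cli, "U", 1, MSG_OOB) != 1 || send(cli, "hello", 5, 0) != 5 ||
        shutdown(cli, SHUT_WR) < 0) { close(srv); close(cli); return -1; }
    rc = serve_until_eof(srv, data, cap, oob);
    close(srv); close(cli);
    return rc;
}

int main(void) {
    char data[64], oob = 0;
    printf("inline: %d\n", demo_oobinline());
    printf("drain: %d data=\"%s\" oob=%c\n", demo_drain_oob(data, sizeof data, &oob), data, oob);
    return 0;
}
```

The contract that matters for the bug is in serve_until_eof(): a "readable" signal is never taken as proof that recv() will return bytes, a zero-length read is EOF, and the wait is bounded, so a single urgent byte from a scanner cannot pin the process at 100% CPU regardless of whether SO_OOBINLINE is used.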
    