Bugtraq mailing list archives
Re: Omni-NFS/X Enterprise (nfsd.exe) DOS
From: mikael.olsson () ENTERNET SE (Mikael Olsson)
Date: Thu, 7 Oct 1999 18:33:23 +0200
"S.Faust" wrote:
> Faulty software
> ---------------
> Omni-NFS/X Enterprise version 6.1
>
> Product
> ---------
> Omni-NFS/X Enterprise is a X, NFS server solution for win32 systems.
> It is written by XLink Technology ( http://www.xlink.com ) .
>
> Vulnerability
> -------------
> The nfs daemon ( nfsd.exe ) used by Omni-NFS/X will jump to 100% cpu usage
> if you scan it using nmap with either the -O (OS detect ) or the
> -sS ( TCP SYN (half open) )

Classic URG bug. nmap uses the Urgent flag for OS fingerprinting.

Omni-NFS/X Enterprise probably checks to see "is there something waiting for me in the TCP stream?" and gets the response "yes there is". Then it tries to read the standard stream and gets zero bytes. It does NOT poll the urgent (OOB) stream however. Then loops back to see if there's input waiting, which there still is. Blah.

Hint to the developer, FOR EVERY SINGLE SOCKET YOU OPEN:
- Turn on SO_OOBINLINE to receive the urgent data in the normal stream
- OR do NOT set the FD_OOB flag in your WSAAsyncSelect() or WSAEventSelect() calls; this way you won't get notifications for urgent data (I'm not sure what happens to the data though).

Regards,
Mikael Olsson

> Example :
>
> (> (zorkeres@rh-mindlab)(Omni-X)(06/10/99)
> (1007) $ nmap -O -p 111 slacky
>
> Starting nmap V. 2.3BETA5 by Fyodor (fyodor () dhp com, www.insecure.org/nmap/)
> Interesting ports on slacky (192.168.1.2):
> Port    State       Protocol  Service
> 111     open        tcp       sunrpc
>
> TCP Sequence Prediction: Class=trivial time dependency
>                          Difficulty=2 (Trivial joke)
> Remote operating system guess: Windows NT4 / Win95 / Win98
>
> Nmap run completed -- 1 IP address (1 host up) scanned in 1 second
> (> (zorkeres@rh-mindlab)(Omni-X)(06/10/99)
> (1008) $
>
> This was tested on Microsoft Windows NT 4.0 Workstation with SP5.
> I'm pretty sure all their NFS solutions are affected by this.
>
> ------------------------------------------------
> Sacha Faust sfaust () isi-mtl com
> "He who despairs of the human condition is a coward, but he who has hope for
> it is a fool. " - Albert Camus

--
Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 ÖRNSKÖLDSVIK
Phone: +46-(0)660-105 50 Fax: +46-(0)660-122 50
Mobile: +46-(0)70-248 00 33
WWW: http://www.enternet.se E-mail: mikael.olsson () enternet se
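
The first fix suggested in the reply above (SO_OOBINLINE), as an added example that is not part of the original post or the vendor's code. It uses POSIX sockets on Linux rather than Winsock; the function names `tcp_pair` and `normal_recv_after_urgent` and the loopback test byte are assumptions made for the illustration.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical helper: connected TCP pair on loopback, 0 on success. */
static int tcp_pair(int *srv, int *cli) {
    struct sockaddr_in a;
    socklen_t len = sizeof a;
    int l = socket(AF_INET, SOCK_STREAM, 0);
    if (l < 0) return -1;
    memset(&a, 0, sizeof a);
    a.sin_family = AF_INET;
    a.sin_addr.s_addr = htonl(INADDR_LOOPBACK);  /* port 0: kernel picks one */
    if (bind(l, (struct sockaddr *)&a, sizeof a) || listen(l, 1) ||
        getsockname(l, (struct sockaddr *)&a, &len)) { close(l); return -1; }
    *cli = socket(AF_INET, SOCK_STREAM, 0);
    if (*cli < 0 || connect(*cli, (struct sockaddr *)&a, sizeof a)) {
        close(*cli); close(l); return -1;
    }
    *srv = accept(l, NULL, NULL);
    close(l);
    if (*srv < 0) { close(*cli); return -1; }
    return 0;
}
/* Bytes an ordinary recv() obtains after the peer sends one urgent byte:
   1 with SO_OOBINLINE, 0 without (the byte never reaches the normal stream). */
int normal_recv_after_urgent(int oob_inline) {
    int srv, cli, on = 1;
    char buf[16];
    fd_set rd, ex;
    struct timeval tv = {2, 0};
    ssize_t n;
    if (tcp_pair(&srv, &cli)) return -1;
    if (oob_inline) setsockopt(srv, SOL_SOCKET, SO_OOBINLINE, &on, sizeof on);
    send(cli, "!", 1, MSG_OOB);            /* constructed input: one urgent byte */
    FD_ZERO(&rd); FD_ZERO(&ex);
    FD_SET(srv, &rd); FD_SET(srv, &ex);
    select(srv + 1, &rd, NULL, &ex, &tv);  /* wakes on normal or exceptional data */
    n = recv(srv, buf, sizeof buf, MSG_DONTWAIT);  /* normal-stream read only */
    close(srv); close(cli);
    return n > 0 ? (int)n : 0;
}
int main(void) {
    printf("inline=%d default=%d\n", normal_recv_after_urgent(1), normal_recv_after_urgent(0));
    return 0;
}
```

In the default case select() still wakes the caller, through the exceptional-condition set, while the normal read has nothing to return; a loop that treats that wake-up as "data is ready" has to handle it explicitly.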