Bugtraq mailing list archives
nmap causes DoS on DGUX
From: unicorn () BLACKHATS ORG (The Unicorn)
Date: Thu, 16 Mar 2000 22:30:01 +0100
BlackHats Security Advisory

Release date: March 16, 2000
Application: Data General (DG/UX 5.4R3.10) inetd
Severity: Any user can deny startup of all processes normally started by inetd using a nmap scan
Author(s): annabelle () blackhats org, unicorn () blackhats org

--- Overview: ---

The inetd (see also: "man 8 inetd") daemon in any UNIX-like operating system is used to listen for incoming connections on the ports specified in the /etc/inetd.conf file (also described in the manual page) and to start the service connected to that port as specified in the same file. The purpose of having one such super daemon is to save memory space and make it easier to start up other daemons as well. The overhead of the necessary fork/exec is justified for a normally loaded system. Processes started by the inetd daemon include, but are not limited to, "ftp", "telnet" and "finger".

When using the nmap scanner, developed by Fyodor (see also: http://www.insecure.org/nmap), to try and determine what operating system the remote target is actually running (using a technique named "stack fingerprinting"), the inetd daemon will change to such a state that it is thereafter no longer capable of spawning new services. The only current solution is a restart of the inetd daemon by the operator of the Data General system.

--- Affected systems: ---

Data General systems running DG/UX R4.20MU04/05, and R4.11MU06 (M88k), and perhaps other versions of this operating system as well (we were unable to verify this because we did not have these available). The only exception we were able to verify was the DG/UX B2 system (R4.20MU04), which seemed not affected by this scan.

--- Workarounds/Fixes: ---

We notified Data General of this problem in the second week of February, and finally received patch tcpip_R4.20MU04.p11 today (one month after disclosing the problem to Data General).

--- Example: ---

The following is the minimal command used to actually deny all services started by inetd (which listens to the ftp port (21)):

    nmap -O -p 21 <target>

To be on the safe side (and the actual command issued which led to this advisory) you can also use the following stealthy scan of the reserved ports of the Data General DG/UX system:

    nmap -v -O -sS -p1-1023 <target>

Ciao,
Unicorn.
--
======= TimeWaster ================================================
A Truly Wise Man Never Plays Leapfrog With A Unicorn...
==== Youth is Not a Time in Life, It is a State of Mind! =======
Echelon Teasers: NSA CIA FBI Mossad BVD MI5 Cocaine Cuba Revolution Espionage
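The following is an added example, not part of the advisory and not BlackHats or Data General code: a health check an operator could run from a monitoring host to notice the failure state described above, where inetd no longer spawns services. It assumes the classic inetd.conf column layout, that only ftp greets with a banner, and that a hung inetd shows up as a failed connection or a silent socket; the sample configuration and all function names are constructed.

```python
import socket

# Constructed sample in the classic inetd.conf column layout (not from a DG/UX host).
SAMPLE_INETD_CONF = """\
# service  type    proto  wait    user  server             args
ftp        stream  tcp    nowait  root  /usr/sbin/ftpd     ftpd
telnet     stream  tcp    nowait  root  /usr/sbin/telnetd  telnetd
finger     stream  tcp    nowait  bin   /usr/sbin/fingerd  fingerd
#shell     stream  tcp    nowait  root  /usr/sbin/rshd     rshd
tftp       dgram   udp    wait    root  /usr/sbin/tftpd    tftpd
"""

def tcp_services(conf_text):
    """Names of enabled stream/tcp services listed in inetd.conf text."""
    names = []
    for line in conf_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 6 and fields[1] == "stream" and fields[2].startswith("tcp"):
            names.append(fields[0])
    return names

def probe(host, port, expect_banner, timeout=5.0):
    """Return 'ok', 'no-connect', 'no-banner' or 'closed' for one TCP service."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "no-connect"          # refused, unreachable or connect timed out
    with sock:
        if not expect_banner:
            return "ok"              # e.g. finger waits for the client to speak first
        try:
            return "ok" if sock.recv(1) else "closed"
        except socket.timeout:
            return "no-banner"       # accepted by the kernel, but no server answered
        except OSError:
            return "closed"

# Assumption: only ftp sends a greeting on connect; adjust banner_services per site.
def check_inetd(host, conf_text, banner_services=("ftp",), timeout=5.0):
    """Probe every stream/tcp service from inetd.conf; anything not 'ok' needs a look."""
    results = {}
    for name in tcp_services(conf_text):
        try:
            port = socket.getservbyname(name, "tcp")
        except OSError:
            continue                 # service name not in the local services database
        results[name] = probe(host, port, name in banner_services, timeout)
    return results
```

A service that reported 'ok' on the previous run and does not on the current one is the cue to check inetd and, on an unpatched system, restart it.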