Bugtraq mailing list archives
nmap causes DoS on DGUX
From: unicorn () BLACKHATS ORG (The Unicorn)
Date: Thu, 16 Mar 2000 22:30:01 +0100
BlackHats Security Advisory
Release date: March 16, 2000
Application: Data General (DG/UX 5.4R3.10) inetd
Severity: Any user can deny startup of all processes
normally started by inetd using a nmap scan
Author(s): annabelle () blackhats org, unicorn () blackhats org
---
Overview:
---
The inetd (see also: "man 8 inetd") daemon in any UNIX-like
operating system is used to listen to any incoming connections on the
ports as specified in the /etc/inetd.conf (also described in the manual
page) file and start the service connected to that port as specified in
the same file. The purpose of having one such super daemon is to save
memory space and make it easier to start up other daemons as well. The
overhead of the necessary fork/exec is justified for a normally loaded
system. Processes started by the inetd daemon include, but are not
limited to, "ftp", "telnet" and "finger".
When using the nmap scanner, developed by Fyodor (see also:
http://www.insecure.org/nmap) to try and determine what operating system
the remote target is actually running (using a technique named "stack
fingerprinting"), the inetd daemon will change to such a state that it
is thereafter no longer capable of spawning new services. The only
current solution is a restart of the inetd daemon by the operator of
the Data General system.
---
Affected systems:
---
Data General systems running DG/UX R4.20MU04/05, and R4.11MU06
(M88k) and perhaps other versions of this operating system as well (we
were unable to verify this because we did not have these available). The
only exception we were able to verify was the DG/UX B2 system
(R4.20MU04), which seemed not to be affected by this scan.
---
Workarounds/Fixes:
---
We have notified Data General of this problem in the second week
of February, and finally received patch tcpip_R4.20MU04.p11 today (one
month after disclosing the problem to Data General).
---
Example:
---
The following is the minimal command used to actually deny all
services started by inetd (which listens to the ftp port (21)):
    nmap -O -p 21 <target>
To be on the safe side (and the actual command issued which led to this
advisory) you can also use the following stealthy scan of the reserved
ports of the Data General DG/UX system:
    nmap -v -O -sS -p1-1023 <target>
Ciao,
Unicorn.
--
======= _ __,;;;/ TimeWaster ================================================
,;( )_, )~\| A Truly Wise Man Never Plays
;; // `--; Leapfrog With A Unicorn...
==='= ;\ = | ==== Youth is Not a Time in Life, It is a State of Mind! =======
Echelon Teasers: NSA CIA FBI Mossad BVD MI5 Cocaine Cuba Revolution Espionage
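
Added example, not part of the original advisory: a small watchdog an operator could run from another host to notice that inetd has stopped spawning services and needs the restart described above. It assumes (this is not stated in the advisory) that the wedged state shows up as a refused connection or as a connection that never receives the service greeting; the function names are hypothetical.

```python
import socket
import sys


def probe_service(host, port, timeout=3.0):
    """Classify one inetd-managed TCP service that greets on connect.

    'ok'      -> bytes arrived, so inetd spawned the server (e.g. ftp "220")
    'silent'  -> connection completed but nothing was sent before the timeout
    'refused' -> connect failed or timed out
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "refused"
    with sock:
        sock.settimeout(timeout)
        try:
            data = sock.recv(256)
        except OSError:  # socket.timeout is a subclass of OSError
            return "silent"
    return "ok" if data else "silent"


def inetd_looks_wedged(host, ports, timeout=3.0):
    """Return (wedged, per-port results).

    Assumption: wedged means that none of the probed services answers.
    One failing port alone is more likely a single disabled service.
    """
    results = {port: probe_service(host, port, timeout) for port in ports}
    wedged = bool(results) and all(s != "ok" for s in results.values())
    return wedged, results


if __name__ == "__main__":
    # Usage: probe.py <host>; 21 (ftp) and 23 (telnet) both send bytes first.
    # Do not list finger (79) here: it waits for the client to speak.
    wedged, results = inetd_looks_wedged(sys.argv[1], [21, 23])
    print(results)
    sys.exit(1 if wedged else 0)
```

The exit status is 1 when every probed service fails, so the script can be run from cron or a monitoring agent to alert the operator.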
