From owner-freebsd-security  Sun Dec 20 05:16:48 1998
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id FAA09888
          for freebsd-security-outgoing; Sun, 20 Dec 1998 05:16:48 -0800 (PST)
          (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from ol.kyrnet.kg (ol.kyrnet.kg [195.254.160.10])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id FAA09883
          for <security@FreeBSD.ORG>; Sun, 20 Dec 1998 05:16:43 -0800 (PST)
          (envelope-from mlists@gizmo.kyrnet.kg)
Received: from gizmo.kyrnet.kg (IDENT:mlists@gizmo.kyrnet.kg [195.254.160.13])
	by ol.kyrnet.kg (8.9.1a/8.9.1) with ESMTP id RAA25478;
	Sun, 20 Dec 1998 17:45:38 +0600
Received: from localhost (mlists@localhost)
	by gizmo.kyrnet.kg (8.9.1a/8.9.1) with ESMTP id SAA21260;
	Sun, 20 Dec 1998 18:14:49 +0500
Date: Sun, 20 Dec 1998 18:14:48 +0500 (KGT)
From: CyberPsychotic <mlists@gizmo.kyrnet.kg>
Reply-To: fygrave@tigerteam.net
To: Rico Pajarola <pajarola@cybertime.ch>
cc: security@FreeBSD.ORG
Subject: Re: nmap crashes inetd/portmap on 2.2.6
In-Reply-To: <3.0.32.19981219170558.0080a8c0@www.dlc.cybertime.ch>
Message-ID: <Pine.LNX.4.05.9812201812340.10479-100000@gizmo.kyrnet.kg>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sat, 19 Dec 1998, Rico Pajarola wrote:

~ portscanning with nmap results in inetd crashing/hanging on FBSD 2.2.6
~ which makes an excellent DoS attack. Portmap is also affected, inetd hangs
~ initializing rpc/udp services when you HUP it, making it somewhat more
~ complicated to recover, as you'll have to restart all rpc services (in the
~ correct order). It is not always reproducible (sometimes you need to try
~ several times with different flags to nmap). I couldn't crash inetd on
~ FBSD-Current (may 28 1998) so I guess it has been fixed. Are there any
~ known issues I missed? other os are vulnerable as well (still testing).
~ 

 well, the similar(?) bug was found in linux inetd. The problem was with
the way accept() call was implemented in kernel. I suspect nearly the same
thing may appear here. For details related to linux glitch, see:
http://oliver.efri.hr/~crv/security/bugs/Linux/inetd.html  

~F.
--
fygrave@tigerteam.net		http://www.kalug.lug.net


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message