Date: Tue, 20 Mar 2001 20:43:55 -0500 From: "Bosko Milekic" <bmilekic@technokratis.com> To: <security@FreeBSD.ORG>, "Brett Glass" <brett@lariat.org> Subject: Re: Odd event -- possible security hole or DoS? Message-ID: <004a01c0b1a8$6444dab0$8564c918@jehovah> References: <4.3.2.7.2.20010319172800.00cf9c60@localhost>
next in thread | previous in thread | raw e-mail | index | archive | help
Brett Glass wrote:
> A fellow I know just stopped me as I walked past his office to
> say that his FreeBSD system was acting strangely. I stopped
> in to take a look for him. It's running FreeBSD 2.8 with
> security patches -- a WAY old release. (I got him to agree
> to let me upgrade it to 4.3-RELEASE for him if it's a good
> release.)
>
> In any event, I ran netstat on his machine and discovered that
> there was a huge backlog of open TCP connections, some of them
> stuck in states such as CLOSING, FIN_WAIT_1 and FIN_WAIT_2.
> Also, POP clients couldn't get through; it looked as if sockets
> were being opened but the daemons weren't being spawned.
A system that old likely suffers from the same problems we found
and fixed in 3.x and 4.x. Basically, there was one particular problem
of this nature that I specifically remember jlemon fixing some while
back.
> I was just about to reboot the server when it occured to me
> that this might erase any evidence of what was going wrong.
> So, I considered for a bit and realized that the behavior
> I was seeing just might happen if inetd somehow messed up.
> I decided to try sending a HUP to inetd, just to see
> what would happen.
>
> Immediately, the system sprang back to life and cleared the
> old connections. And the following appeared in the log:
>
> Mar 19 17:27:12 victim fingerd[16439]: query from 208.59.253.87:
`root '
> Mar 19 17:27:12 victim fingerd[16437]: query from 208.59.253.87: `
'
>
> Interesting. Someone with a cable modem playing games. Probably
> should identify the culprit, but I'm more interested in knowing
> how he managed to cause the system to malfunction.
>
> In case it helps, here's a bit more about the system configuration.
>
> The finger daemon had been set, via the -p option, to return a
> message saying that finger requests were being denied. The line
> in inetd.conf looked like this:
>
> finger stream tcp nowait nobody /usr/libexec/fingerd
fingerd -s -l -p /usr/local/bin/nonetfinger
>
> "nonetfinger" is a program that my friend grabbed from my BSDCon
> paper and compiled. It simply outputs a message to standard output.
> It doesn't even look at its arguments.
>
> Hmmm.
>
> So, what's going on here?
>
> Was someone trying to execute a DoS or remote root exploit
> here, perhaps by trying to feed something quoted to fingerd and/or
> the program it invoked? Why did it hang things up so badly? Does
> this hint at a security flaw in inetd or fingerd that needs
> attention (or has gotten some since that old version of FreeBSD)?
>
> --Brett
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?004a01c0b1a8$6444dab0$8564c918>