From: "Bosko Milekic"
To: "Brett Glass"
Subject: Re: Odd event -- possible security hole or DoS?
Date: Tue, 20 Mar 2001 20:43:55 -0500
Sender: owner-freebsd-security@FreeBSD.ORG

Brett Glass wrote:
> A fellow I know just stopped me as I walked past his office to
> say that his FreeBSD system was acting strangely. I stopped
> in to take a look for him. It's running FreeBSD 2.8 with
> security patches -- a WAY old release. (I got him to agree
> to let me upgrade it to 4.3-RELEASE for him if it's a good
> release.)
>
> In any event, I ran netstat on his machine and discovered that
> there was a huge backlog of open TCP connections, some of them
> stuck in states such as CLOSING, FIN_WAIT_1 and FIN_WAIT_2.
> Also, POP clients couldn't get through; it looked as if sockets
> were being opened but the daemons weren't being spawned.

A system that old likely suffers from the same problems we found and fixed in 3.x and 4.x. Basically, there was one particular problem of this nature that I specifically remember jlemon fixing some while back.
> I was just about to reboot the server when it occurred to me
> that this might erase any evidence of what was going wrong.
> So, I considered for a bit and realized that the behavior
> I was seeing just might happen if inetd somehow messed up.
> I decided to try sending a HUP to inetd, just to see
> what would happen.
>
> Immediately, the system sprang back to life and cleared the
> old connections. And the following appeared in the log:
>
> Mar 19 17:27:12 victim fingerd[16439]: query from 208.59.253.87: `root '
> Mar 19 17:27:12 victim fingerd[16437]: query from 208.59.253.87: ` '
>
> Interesting. Someone with a cable modem playing games. Probably
> should identify the culprit, but I'm more interested in knowing
> how he managed to cause the system to malfunction.
>
> In case it helps, here's a bit more about the system configuration.
>
> The finger daemon had been set, via the -p option, to return a
> message saying that finger requests were being denied. The line
> in inetd.conf looked like this:
>
> finger stream tcp nowait nobody /usr/libexec/fingerd fingerd -s -l -p /usr/local/bin/nonetfinger
>
> "nonetfinger" is a program that my friend grabbed from my BSDCon
> paper and compiled. It simply outputs a message to standard output.
> It doesn't even look at its arguments.
>
> Hmmm.
>
> So, what's going on here?
>
> Was someone trying to execute a DoS or remote root exploit
> here, perhaps by trying to feed something quoted to fingerd and/or
> the program it invoked? Why did it hang things up so badly? Does
> this hint at a security flaw in inetd or fingerd that needs
> attention (or has gotten some since that old version of FreeBSD)?
>
> --Brett
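The triage step Brett describes (spotting a backlog of half-closed TCP sockets in netstat output before touching inetd) can be automated. The following is an added example, not code from the thread or from FreeBSD: it parses FreeBSD-style `netstat -an` output, counts sockets per local port and remote host that sit in CLOSING, FIN_WAIT_1, FIN_WAIT_2 or LAST_ACK, and flags any peer holding more than a threshold of them. The netstat lines and addresses are constructed for the example.

```python
"""Count half-closed TCP sockets per (local port, remote host) from
FreeBSD `netstat -an` output and flag peers holding a backlog of them.
Added example; the sample output below is constructed, not from the thread."""
from collections import Counter

# States a socket can get stuck in when the far end stops cooperating
STUCK_STATES = {"CLOSING", "FIN_WAIT_1", "FIN_WAIT_2", "LAST_ACK"}

# Constructed sample of `netstat -an` (FreeBSD layout: proto, recv-q, send-q,
# local address, foreign address, state). RFC 5737 documentation addresses.
SAMPLE_NETSTAT = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  10.0.0.5.79            192.0.2.7.40001        FIN_WAIT_2
tcp4       0      0  10.0.0.5.79            192.0.2.7.40002        CLOSING
tcp4       0      0  10.0.0.5.79            192.0.2.7.40003        FIN_WAIT_1
tcp4       0      0  10.0.0.5.79            192.0.2.7.40004        FIN_WAIT_2
tcp4       0      0  10.0.0.5.110           198.51.100.9.51000     ESTABLISHED
tcp4       0      0  10.0.0.5.22            198.51.100.9.51001     ESTABLISHED
tcp4       0      0  *.79                   *.*                    LISTEN
udp4       0      0  *.514                  *.*
"""


def split_addr(addr):
    """Split 'host.port' into (host, port); FreeBSD separates them with a dot."""
    host, _, port = addr.rpartition(".")
    return host, port


def parse_netstat(text):
    """Yield (local_port, remote_host, state) for every TCP socket line."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue  # headers, UDP sockets and rows without a state column
        local_port = split_addr(fields[3])[1]
        remote_host = split_addr(fields[4])[0]
        yield local_port, remote_host, fields[5]


def stuck_backlog(text, threshold=3):
    """Return {(local_port, remote_host): count} for peers holding at least
    `threshold` sockets to one local port in a half-closed state."""
    counts = Counter((port, host) for port, host, state in parse_netstat(text)
                     if state in STUCK_STATES)
    return {key: n for key, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for (port, host), n in stuck_backlog(SAMPLE_NETSTAT).items():
        print(f"port {port}: {n} half-closed sockets from {host}")
```

On a live system, feed it `netstat -an` output and compare the flagged ports against the services inetd spawns before deciding whether a HUP or a restart is warranted.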