Date: Wed, 23 Dec 1998 09:31:23 -0500 From: Richard Reiner Reply-To: Bugtraq List To: BUGTRAQ@netspace.org Subject: [SecureXpert Labs Advisory SX-98.12.23-01] Widespread DoS vulnerability SecureXpert Labs Advisory SX-98.12.23-01 Widespread DoS vulnerability can crash systems or disable critical services Reported by: SecureXpert Labs (with additional information from the Bugtraq & FreeBSD Security mailing lists) WARNING: this item is based on early analysis and additional field reports. The subject matter is still the subject of active research by SecureXpert Labs and others. Due to the broad scope of the vulnerability described and its active exploitation on the Internet, this early information release is being made. Summary A popular security tool called "nmap" can generate unusual network traffic, which can be exploited to generate a wide variety of failures and crashes on numerous operating systems. Note: this family of vulnerabilities is NOT the same as that described in CERT Advisory CA-98.13 - TCP/IP Denial of Service. CERT CA-98.13 refers to a fragmentation-related bug in some IP stacks. The DoS vulnerabilities described herein are not fragmentation related. Description The port scanner tool nmap has "stealth scanning" capabilities, designed to avoid notice by Intrusion Detection systems. When these are used, nmap generates several types of unusual IP packets (e.g. unexpected FIN packets, "Christmas Tree" packets, etc.), and unusual sequences of packets (e.g. TCP connection setup with a SYN packet immediately followed by RST). Nmap is widely available (http://www.insecure.org/nmap). Built-in functionality in nmap allows it to be used to target large numbers of systems simultaneously. SecureXpert Labs has determined that nmap's "half-open" scanning mode ('nmap -sS') disables inetd on a number of operating systems, including certain Solaris versions (including 2.6) and some versions of Linux. Work at SecureXpert Labs has also demonstrated that this scanning mode also causes Microsoft Windows 98 to display a critical error ("Blue Screen"), subsequent to which the Windows 98 workstation loses all network connectivity. Independent reports also indicate that nmap scanning can cause similar failure of inetd on several additional operating systems, including HP-UX, AIX, SCO, and FreeBSD. Further reports indicate that the RPC portmapper may be affected on some systems. Additional reports indicate also that a different nmap scanning mode (UDP scanning with 'nmap -sU') crashes Cisco IOS version 12.0 (including 12.0T, 12.0S, etc.). It has also been reported that nmap with certain options can cause NeXTStep 3.3 systems to panic and reboot. Tests by SecureXpert Labs have confirmed the vulnerability of Solaris 2.6 and what appears to be a small number of older Linux versions. Cisco Systems has confirmed the Cisco IOS vulnerability. The FreeBSD, HP-UX, AIX, SCO, and NeXTStep reports have not yet been corroborated. The nature of this vulnerability leads SecureXpert Labs to believe that additional operating systems may also be vulnerable. At this stage in SecureXpert Labs' investigations, it appears that several of these attacks leave no trace in system logs, unless external Intrusion Detection systems are in place. SecureXpert Labs has notified the vendors of affected systems, and is working with them on further testing, fault isolation, and remediation. Risks a. Denial of Service through inetd failure Remote attackers can disable critical server processes on affected systems. Failure of the inetd process will commonly disable all ftp and telnet access to a system, as well as other services such as rlogin and rsh. In some less common cases, failure of inetd can disable processes such as BOOTP servers, Web servers, Radius or other authentication servers, etc. b. Denial of Service through portmapper failure Remote attackers can disabled critical servers on affected systems. Failure of the portmapper process will commonly disable NFS and NIS services, as well as other services on some systems. c. Denial of Service through kernel panics, hangs, and crashes If reports that nmap can cause kernel panics, hangs, or crashes are confirmed, all services on affected servers can be disabled by remote attackers. Vulnerable versions Further details on affected systems and versions will be provided as more information become available. Actions a. Determine if your systems are vulnerable, ether through your own testing with nmap or through the user of an external audit firm. (nmap is available >from http://www.insecure.org/nmap/) b. Install vendor patches as they become available c. In the short term, critical systems can be defended through application proxies (or, in some cases, multi-level filters) deployed on non-vulnerable firewall platforms. --------------------------------------------------------------------------- Date: Thu, 24 Dec 1998 11:38:07 -0500 From: Jordan Ritter Reply-To: Bugtraq List To: BUGTRAQ@netspace.org Subject: Re: [SecureXpert Labs Advisory SX-98.12.23-01] Widespread DoS Richard Reiner (rreiner@FSCINTERNET.COM) wrote: > WARNING: this item is based on early analysis and additional field > reports. The subject matter is still the subject of active research > by SecureXpert Labs and others. Due to the broad scope of the > vulnerability described and its active exploitation on the Internet, > this early information release is being made. I would *hardly* call this an "early information release": http://geek-girl.com/bugtraq/1997_4/0398.html http://geek-girl.com/bugtraq/1998_1/0507.html http://geek-girl.com/bugtraq/1998_2/0037.html http://geek-girl.com/bugtraq/1998_2/0055.html Even aleph1 responds: http://geek-girl.com/bugtraq/1997_4/0401.html Jordan Ritter Network Security Engineer Systems Administrator Ring-Zero, Netect, Inc. Boston, MA Darkridge Security Solutions --------------------------------------------------------------------------- Date: Thu, 24 Dec 1998 17:07:36 -0800 From: Aleph One Reply-To: Bugtraq List To: BUGTRAQ@netspace.org Subject: Network Scan Vulnerability [SUMMARY] This is a summary of the reports on nmap crashing inetd's and some operating systems. As mentioned elsewhere, as opposed to what SecureXpert Labs seems to think, this is a rather old issue that appears every once in a while. The reports: xinetd on FreeBSD 2.2.7 does not crash when scanned with nmap -sT. Solaris versions earlier than Solaris 7 are affected. Irix 5.3, 6.2, 6.3 inetd's dies by nmap-1.51 with -vv Irix 6.5SE inetd's die with nmap-1.51 -F SunOS 4.1.3 reboots when scanned by nmap-1.51 with -vv. UNICOS 10 inetd's *may* die when scanned by nmap-1.51 -F. No can can seem to crash Windows 98 as reported by SecureXpert Labs. OpenBSD 2.4 seems fine. If anyone can get Windows 98 to crash please let me know as this was really the only *new* information in the SecureXpert advisory. Thanks to: Joe Shaw "HD Moore" Kameron Gasso "Richard Johnson" Philipp Schott Alla Bezroutchko -- Aleph One / aleph1@underground.org http://underground.org/ KeyID 1024/948FD6B5 Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01