Re: denial of service - inetd on solaris 2.4?

Brad Powell (bpowell@topsun.West.Sun.COM)
Fri, 24 May 1996 08:45:51 -0700

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: martinh@mailhost.emap.co.uk: "Is _your_ Netscape under remote control"
Previous message: Sven.Wijk: "Re: Security problem in ESRI's ArcDoc 7.0.4"
Maybe in reply to: Justin Beech: "denial of service - inetd on solaris 2.4?"
Next in thread: Jack Flory: "Re: denial of service - inetd on solaris 2.4?"

>From owner-bugtraq@NETSPACE.ORG  Thu May 23 23:12:14 1996
>Approved-By: ALEPH1@UNDERGROUND.ORG
>Approved-By:  Justin Beech <jb.sg@FP.CIBC.COM>
>Date:         Fri, 24 May 1996 09:56:48 +0800
>From: Justin Beech <jb.sg@fp.cibc.com>
>Subject:      denial of service - inetd on solaris 2.4?
>To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>
>
>I discovered on our solaris 2.4 boxes, that if you telnet to
>the discard port, then quit telnet (using control-right-bracket
>and quit), you leave a single inetd running in an infinite
>read loop. Do this twice, and you get two inetds running...

yeah we found the same thing when building WAN probeing tools.
:-)
>
>obviously you can quickly bog the machine down to a standstill..
>This doesnt happen on solaris 2.5, so I guess it is some
>inetd bug thats been fixed? anyone know a 2.4 patch for this?

Patch-ID# 102922-03
Synopsis: SunOS 5.4: inetd fixes
BugId's fixed with this patch: 1175129 1202603 1217754
Changes incorporated in this version: 1217754

You should probably just turn off echo, discard, daytime and chargen
as well. From the comment in inetd.conf:
# Echo, discard, daytime, and chargen are used primarily for testing.

>
>Also: what I havent seen mentioned yet, the denial of service
>attack is not just to bring down a box.. if one is employed on
>Host A, which is trusted by Host B, then this allows
>the network clear for the bad guy to impersonate Host A, (the
>real Host A being effectively muzzled), thus get into
>Host B.
>If I remember correctly, this was one of Mitnicks tricks
>against Shimomuras collection of machines.


close enough. :-). This could potentially be used to bog down a
NIS or other server to allow a faster response from a "bad guy" host.

e.g., using denial of services to hedge a race condition.

=======================================================================
Brad Powell : brad.powell@Sun.COM
Sr. Network Security Consultant
Sun Microsystems Inc.
=======================================================================
               The views expressed are those of the author and may
                  not reflect the views of Sun Microsystems Inc.
=======================================================================

Next message: martinh@mailhost.emap.co.uk: "Is _your_ Netscape under remote control"
Previous message: Sven.Wijk: "Re: Security problem in ESRI's ArcDoc 7.0.4"
Maybe in reply to: Justin Beech: "denial of service - inetd on solaris 2.4?"
Next in thread: Jack Flory: "Re: denial of service - inetd on solaris 2.4?"