Date:      Wed, 13 May 1998 16:30:20 -0700 (PDT)
From:      trost@cloud.rain.com
To:        freebsd-gnats-submit@FreeBSD.ORG
Subject:   bin/6627: TCP-based RPC denial-of-service attack
Message-ID:  <199805132330.QAA14271@hub.freebsd.org>


>Number:         6627
>Category:       bin
>Synopsis:       TCP-based RPC denial-of-service attack
>Confidential:   no
>Severity:       critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed May 13 16:30:01 PDT 1998
>Last-Modified:
>Originator:     Bill Trost
>Organization:
Trost Computing
>Release:        current
>Environment:
FreeBSD grey.cloud.rain.com 3.0-CURRENT FreeBSD 3.0-CURRENT #5: Mon May  4 13:42:11 PDT 1998     trost@grey.cloud.rain.com:/mnt/usr/src/sys/compile/GREY  i386

>Description:
From: Peter van Dijk <peter@ATTIC.VUURWERK.NL>
Subject:      Re: easy DoS in most RPC apps
To: BUGTRAQ@NETSPACE.ORG

On Sat, 28 Mar 1998, Peter van Dijk wrote:

> If you connect (using telnet, netcat, anything) to a TCP port assigned to
> some RPC protocol (tested with rpc.nfsd/mountd/portmap on Slackware
> 3.4/Kernel 2.0.33) and send some 'garbage' (like a newline ;) every 5
> seconds or faster, the service will completely stop responding. At the
> very moment the connection is closed, the service will return to normal
> work again.
> read(0, "\r\n", 4000)                   = 2
>
[bullshit cut]
>
> This bug can easily be exploited remotely without any special software and
> without taking any noticeable bandwidth (one packet every 5 seconds).
> This one worked perfectly for me:
> $ { while true ; do echo ; sleep 5 ; done } | telnet localhost 2049
> Replacing the sleep 5 with sleep 6 or even more shows that the service
> will then respond every once in a while.

Further examination and discussion (with Thomas Kukuk) shows that the bug
is probably in libc (and glibc?) and therefore probably affects _all_ rpc
applications using libc to do their rpc work (like, all Linux rpc
applications). Also, Wietse Venema responded today... Discussion still
starting up with him :)

The impact of this bug should not be underestimated. Anything that depends
on nfs to function can be shut down completely (temporarily, that is) with
little or no effort... You don't need maths to see that even someone with
a simple 28k8 line can shut down 100s of sites at the same time.

>How-To-Repeat:
See description.
>Fix:
Sorry....
>Audit-Trail:
>Unformatted:
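The report gives a symptom (a newline every 5 seconds stalls the service, every 6 seconds lets it answer now and then) but no root cause. The following simulation is an added illustration, not libc or FreeBSD code: it models a single-threaded RPC-over-TCP record reader whose only guard is an assumed 5 s per-read inactivity timeout, next to a hardened reader that also caps the fragment length and enforces an absolute deadline per record. The timeout, the 1 MiB cap and the 10 s deadline are assumptions; record marking follows RFC 5531 (4-byte header, high bit = last fragment, low 31 bits = length).

```python
# Added illustration, not libc or FreeBSD code: simulated single-threaded
# RPC record reader. Times are simulated seconds, no sockets, runs offline.
import struct
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

INACTIVITY_TIMEOUT = 5.0   # assumed per-read timeout, chosen to match the report's 5 s
MAX_FRAGMENT = 1 << 20     # assumed sane upper bound on one RPC fragment (1 MiB)
RECORD_DEADLINE = 10.0     # assumed absolute limit for receiving one complete record

@dataclass
class Outcome:
    ok: bool
    busy_for: float        # simulated seconds the only server thread was tied up
    reason: str

def read_fragment(chunks: Iterable[Tuple[float, bytes]],
                  deadline: Optional[float] = None,
                  max_fragment: Optional[int] = None) -> Outcome:
    """Read one RPC-over-TCP fragment. chunks: (arrival_time, data) in seconds
    since the connection opened. With deadline=None and max_fragment=None the
    reader only gives up after INACTIVITY_TIMEOUT seconds of silence, so any
    trickle of bytes keeps the single thread busy for as long as they keep coming."""
    buf, last, need = b"", 0.0, None   # need = payload length once the header is in
    for t, data in chunks:
        if t - last > INACTIVITY_TIMEOUT:
            return Outcome(False, last + INACTIVITY_TIMEOUT, "inactivity timeout")
        if deadline is not None and t > deadline:
            return Outcome(False, deadline, "record deadline")
        buf, last = buf + data, t
        if need is None and len(buf) >= 4:
            need = struct.unpack("!I", buf[:4])[0] & 0x7FFFFFFF
            if max_fragment is not None and need > max_fragment:
                return Outcome(False, t, f"fragment length {need} exceeds limit")
        if need is not None and len(buf) - 4 >= need:
            return Outcome(True, t, "complete")
    return Outcome(False, last + INACTIVITY_TIMEOUT, "inactivity timeout")

def garbage_stream(interval: float, duration: float):
    """Constructed input modelled on the report: a bare newline every `interval` s."""
    t = 0.0
    while t <= duration:
        yield (t, b"\r\n")
        t += interval

def stall_seconds(interval: float, duration: float, hardened: bool) -> float:
    """How long one such connection occupies the single server thread."""
    kw = dict(deadline=RECORD_DEADLINE, max_fragment=MAX_FRAGMENT) if hardened else {}
    return read_fragment(garbage_stream(interval, duration), **kw).busy_for
```

With newlines every 5 s for 60 s the unguarded reader is busy for the full 65 s, with a 6 s interval it frees up after 5 s (matching the "responds every once in a while" observation), and the hardened reader rejects the garbage as soon as its four bytes parse as an implausible fragment length.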
