Date: Wed, 23 Dec 1998 09:31:23 -0500
From: Richard Reiner <rreiner@FSCINTERNET.COM>
Reply-To: Bugtraq List <BUGTRAQ@netspace.org>
To: BUGTRAQ@netspace.org
Subject: [SecureXpert Labs Advisory SX-98.12.23-01] Widespread DoS              vulnerability

SecureXpert Labs Advisory SX-98.12.23-01

Widespread DoS vulnerability can crash systems or disable critical services

Reported by: SecureXpert Labs
(with additional information from the Bugtraq & FreeBSD Security mailing
lists)


WARNING: this item is based on early analysis and additional field
reports.  The subject matter is still the subject of active research by
SecureXpert Labs and others.  Due to the broad scope of the vulnerability
described and its active exploitation on the Internet, this early
information release is being made.


Summary

A popular security tool called "nmap" can generate unusual network traffic,
which can be exploited to generate a wide variety of failures and crashes
on numerous operating systems.

Note: this family of vulnerabilities is NOT the same as that described in
CERT Advisory CA-98.13 - TCP/IP Denial of Service.  CERT CA-98.13 refers to
a fragmentation-related bug in some IP stacks.  The DoS vulnerabilities
described herein are not fragmentation related.


Description

The port scanner tool nmap has "stealth scanning" capabilities, designed to
avoid notice by Intrusion Detection systems.  When these are used, nmap
generates several types of unusual IP packets (e.g. unexpected FIN packets,
"Christmas Tree" packets, etc.), and unusual sequences of packets (e.g. TCP
connection setup with a SYN packet immediately followed by RST).  Nmap is
widely available (http://www.insecure.org/nmap).  Built-in functionality in
nmap allows it to be used to target large numbers of systems
simultaneously.

SecureXpert Labs has determined that nmap's "half-open" scanning mode
('nmap -sS') disables inetd on a number of operating systems, including
certain Solaris versions (including 2.6) and some versions of Linux.  Work
at SecureXpert Labs has also demonstrated that this scanning mode also
causes Microsoft Windows 98 to display a critical error ("Blue Screen"),
subsequent to which the Windows 98 workstation loses all network
connectivity.

Independent reports also indicate that nmap scanning can cause similar
failure of inetd on several additional operating systems, including HP-UX,
AIX, SCO, and FreeBSD.  Further reports indicate that the RPC portmapper
may be affected on some systems.  Additional reports indicate also that a
different nmap scanning mode (UDP scanning with 'nmap -sU') crashes Cisco
IOS version 12.0 (including 12.0T, 12.0S, etc.). It has also been reported
that nmap with certain options can cause NeXTStep 3.3 systems to panic and
reboot.

Tests by SecureXpert Labs have confirmed the vulnerability of Solaris 2.6
and what appears to be a small number of older Linux versions. Cisco
Systems has confirmed the Cisco IOS vulnerability. The FreeBSD, HP-UX, AIX,
SCO, and NeXTStep reports have not yet been corroborated.

The nature of this vulnerability leads SecureXpert Labs to believe that
additional operating systems may also be vulnerable.

At this stage in SecureXpert Labs' investigations, it appears that several
of these attacks leave no trace in system logs, unless external Intrusion
Detection systems are in place.

SecureXpert Labs has notified the vendors of affected systems, and is
working with them on further testing, fault isolation, and remediation.


Risks

a. Denial of Service through inetd failure
Remote attackers can disable critical server processes on affected systems.
Failure of the inetd process will commonly disable all ftp and telnet
access to a system, as well as other services such as rlogin and rsh.  In
some less common cases, failure of inetd can disable processes such as
BOOTP servers, Web servers, Radius or other authentication servers, etc.

b. Denial of Service through portmapper failure
Remote attackers can disabled critical servers on affected systems.
Failure of the portmapper process will commonly disable NFS and NIS
services, as well as other services on some systems.

c. Denial of Service through kernel panics, hangs, and crashes
If reports that nmap can cause kernel panics, hangs, or crashes are
confirmed, all services on affected servers can be disabled by remote
attackers.


Vulnerable versions

Further details on affected systems and versions will be provided as more
information become available.


Actions

a. Determine if your systems are vulnerable, ether through your own testing
with nmap or through the user of an external audit firm. (nmap is available
>from http://www.insecure.org/nmap/)

b. Install vendor patches as they become available

c. In the short term, critical systems can be defended through application
proxies (or, in some cases, multi-level filters) deployed on non-vulnerable
firewall platforms.

---------------------------------------------------------------------------

Date: Thu, 24 Dec 1998 11:38:07 -0500
From: Jordan Ritter <jpr5@DARKRIDGE.COM>
Reply-To: Bugtraq List <BUGTRAQ@netspace.org>
To: BUGTRAQ@netspace.org
Subject: Re: [SecureXpert Labs Advisory SX-98.12.23-01] Widespread DoS

Richard Reiner (rreiner@FSCINTERNET.COM) wrote:

> WARNING: this item is based on early analysis and additional field
> reports.  The subject matter is still the subject of active research
> by SecureXpert Labs and others.  Due to the broad scope of the
> vulnerability described and its active exploitation on the Internet,
> this early information release is being made.

I would *hardly* call this an "early information release":

http://geek-girl.com/bugtraq/1997_4/0398.html
http://geek-girl.com/bugtraq/1998_1/0507.html
http://geek-girl.com/bugtraq/1998_2/0037.html
http://geek-girl.com/bugtraq/1998_2/0055.html

Even aleph1 responds:

http://geek-girl.com/bugtraq/1997_4/0401.html


Jordan Ritter
Network Security Engineer                        Systems Administrator
Ring-Zero, Netect, Inc.  Boston, MA       Darkridge Security Solutions

---------------------------------------------------------------------------

Date: Thu, 24 Dec 1998 17:07:36 -0800
From: Aleph One <aleph1@UNDERGROUND.ORG>
Reply-To: Bugtraq List <BUGTRAQ@netspace.org>
To: BUGTRAQ@netspace.org
Subject: Network Scan Vulnerability [SUMMARY]

This is a summary of the reports on nmap crashing inetd's and some
operating systems. As mentioned elsewhere, as opposed to what SecureXpert
Labs seems to think, this is a rather old issue that appears every
once in a while.

The reports:

xinetd on FreeBSD 2.2.7 does not crash when scanned with nmap -sT.
Solaris versions earlier than Solaris 7 are affected.
Irix 5.3, 6.2, 6.3 inetd's dies by nmap-1.51 with -vv
Irix 6.5SE inetd's die with nmap-1.51 -F
SunOS 4.1.3 reboots when scanned by nmap-1.51 with -vv.
UNICOS 10 inetd's *may* die when scanned by nmap-1.51 -F.
No can can seem to crash Windows 98 as reported by SecureXpert Labs.
OpenBSD 2.4 seems fine.

If anyone can get Windows 98 to crash please let me know as this was
really the only *new* information in the SecureXpert advisory.

Thanks to:

Joe  Shaw <jshaw@insync.net>
"HD Moore" <hdmoore@usa.net>
Kameron Gasso <krg@lockdown.net>
"Richard Johnson" <rdump@river.com>
Philipp Schott <schott@uni-freiburg.de>
Alla Bezroutchko <alla@sovlink.ru>

--
Aleph One / aleph1@underground.org
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61  8C 39 EA 47 A8 6A B8 01
