
nmap-DoS-2.txt

17 Aug 1999. Reported by Packet Storm (packetstormsecurity.com).

Widespread DoS vulnerability in nmap can crash systems or disable services on various operating systems.

`Date: Wed, 23 Dec 1998 09:31:23 -0500  
From: Richard Reiner <[email protected]>  
Reply-To: Bugtraq List <[email protected]>  
To: [email protected]  
Subject: [SecureXpert Labs Advisory SX-98.12.23-01] Widespread DoS vulnerability  
  
SecureXpert Labs Advisory SX-98.12.23-01  
  
Widespread DoS vulnerability can crash systems or disable critical services  
  
Reported by: SecureXpert Labs  
(with additional information from the Bugtraq & FreeBSD Security mailing  
lists)  
  
  
WARNING: this item is based on early analysis and additional field  
reports. The subject matter is still the subject of active research by  
SecureXpert Labs and others. Due to the broad scope of the vulnerability  
described and its active exploitation on the Internet, this early  
information release is being made.  
  
  
Summary  
  
A popular security tool called "nmap" can generate unusual network traffic,  
which can be exploited to generate a wide variety of failures and crashes  
on numerous operating systems.  
  
Note: this family of vulnerabilities is NOT the same as that described in  
CERT Advisory CA-98.13 - TCP/IP Denial of Service. CERT CA-98.13 refers to  
a fragmentation-related bug in some IP stacks. The DoS vulnerabilities  
described herein are not fragmentation related.  
  
  
Description  
  
The port scanner tool nmap has "stealth scanning" capabilities, designed to  
avoid notice by Intrusion Detection systems. When these are used, nmap  
generates several types of unusual IP packets (e.g. unexpected FIN packets,  
"Christmas Tree" packets, etc.), and unusual sequences of packets (e.g. TCP  
connection setup with a SYN packet immediately followed by RST). Nmap is  
widely available (http://www.insecure.org/nmap). Built-in functionality in  
nmap allows it to be used to target large numbers of systems  
simultaneously.  
  
SecureXpert Labs has determined that nmap's "half-open" scanning mode  
('nmap -sS') disables inetd on a number of operating systems, including  
certain Solaris versions (including 2.6) and some versions of Linux. Work  
at SecureXpert Labs has also demonstrated that this scanning mode also  
causes Microsoft Windows 98 to display a critical error ("Blue Screen"),  
subsequent to which the Windows 98 workstation loses all network  
connectivity.  
  
Independent reports also indicate that nmap scanning can cause similar  
failure of inetd on several additional operating systems, including HP-UX,  
AIX, SCO, and FreeBSD. Further reports indicate that the RPC portmapper  
may be affected on some systems. Additional reports indicate also that a  
different nmap scanning mode (UDP scanning with 'nmap -sU') crashes Cisco  
IOS version 12.0 (including 12.0T, 12.0S, etc.). It has also been reported  
that nmap with certain options can cause NeXTStep 3.3 systems to panic and  
reboot.  
  
Tests by SecureXpert Labs have confirmed the vulnerability of Solaris 2.6  
and what appears to be a small number of older Linux versions. Cisco  
Systems has confirmed the Cisco IOS vulnerability. The FreeBSD, HP-UX, AIX,  
SCO, and NeXTStep reports have not yet been corroborated.  
  
The nature of this vulnerability leads SecureXpert Labs to believe that  
additional operating systems may also be vulnerable.  
  
At this stage in SecureXpert Labs' investigations, it appears that several  
of these attacks leave no trace in system logs, unless external Intrusion  
Detection systems are in place.  
  
SecureXpert Labs has notified the vendors of affected systems, and is  
working with them on further testing, fault isolation, and remediation.  
  
  
Risks  
  
a. Denial of Service through inetd failure  
Remote attackers can disable critical server processes on affected systems.  
Failure of the inetd process will commonly disable all ftp and telnet  
access to a system, as well as other services such as rlogin and rsh. In  
some less common cases, failure of inetd can disable processes such as  
BOOTP servers, Web servers, Radius or other authentication servers, etc.  
  
b. Denial of Service through portmapper failure  
Remote attackers can disable critical servers on affected systems.  
Failure of the portmapper process will commonly disable NFS and NIS  
services, as well as other services on some systems.  
  
c. Denial of Service through kernel panics, hangs, and crashes  
If reports that nmap can cause kernel panics, hangs, or crashes are  
confirmed, all services on affected servers can be disabled by remote  
attackers.  
  
  
Vulnerable versions  
  
Further details on affected systems and versions will be provided as more  
information becomes available.  
  
  
Actions  
  
a. Determine if your systems are vulnerable, either through your own testing  
with nmap or through the use of an external audit firm. (nmap is available  
from http://www.insecure.org/nmap/)  
  
b. Install vendor patches as they become available  
  
c. In the short term, critical systems can be defended through application  
proxies (or, in some cases, multi-level filters) deployed on non-vulnerable  
firewall platforms.  
  
---------------------------------------------------------------------------  
  
Date: Thu, 24 Dec 1998 11:38:07 -0500  
From: Jordan Ritter <[email protected]>  
Reply-To: Bugtraq List <[email protected]>  
To: [email protected]  
Subject: Re: [SecureXpert Labs Advisory SX-98.12.23-01] Widespread DoS  
  
Richard Reiner ([email protected]) wrote:  
  
> WARNING: this item is based on early analysis and additional field  
> reports. The subject matter is still the subject of active research  
> by SecureXpert Labs and others. Due to the broad scope of the  
> vulnerability described and its active exploitation on the Internet,  
> this early information release is being made.  
  
I would *hardly* call this an "early information release":  
  
http://geek-girl.com/bugtraq/1997_4/0398.html  
http://geek-girl.com/bugtraq/1998_1/0507.html  
http://geek-girl.com/bugtraq/1998_2/0037.html  
http://geek-girl.com/bugtraq/1998_2/0055.html  
  
Even aleph1 responds:  
  
http://geek-girl.com/bugtraq/1997_4/0401.html  
  
  
Jordan Ritter  
Network Security Engineer, Ring-Zero, Netect, Inc., Boston, MA  
Systems Administrator, Darkridge Security Solutions  
  
---------------------------------------------------------------------------  
  
Date: Thu, 24 Dec 1998 17:07:36 -0800  
From: Aleph One <[email protected]>  
Reply-To: Bugtraq List <[email protected]>  
To: [email protected]  
Subject: Network Scan Vulnerability [SUMMARY]  
  
This is a summary of the reports on nmap crashing inetd's and some  
operating systems. As mentioned elsewhere, as opposed to what SecureXpert  
Labs seems to think, this is a rather old issue that appears every  
once in a while.  
  
The reports:  
  
xinetd on FreeBSD 2.2.7 does not crash when scanned with nmap -sT.  
Solaris versions earlier than Solaris 7 are affected.  
Irix 5.3, 6.2, 6.3 inetd's die when scanned by nmap-1.51 with -vv  
Irix 6.5SE inetd's die with nmap-1.51 -F  
SunOS 4.1.3 reboots when scanned by nmap-1.51 with -vv.  
UNICOS 10 inetd's *may* die when scanned by nmap-1.51 -F.  
No one can seem to crash Windows 98 as reported by SecureXpert Labs.  
OpenBSD 2.4 seems fine.  
  
If anyone can get Windows 98 to crash please let me know as this was  
really the only *new* information in the SecureXpert advisory.  
  
Thanks to:  
  
Joe Shaw <[email protected]>  
"HD Moore" <[email protected]>  
Kameron Gasso <[email protected]>  
"Richard Johnson" <[email protected]>  
Philipp Schott <[email protected]>  
Alla Bezroutchko <[email protected]>  
  
--  
Aleph One / [email protected]  
http://underground.org/  
KeyID 1024/948FD6B5  
Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01  
  
---------------------------------------------------------------------------  
  
Date: Thu, 31 Dec 1998 00:08:40 -0500  
From: David Gale <[email protected]>  
To: [email protected]  
Subject: nmap kills hylafax too.  
  
Don't know if it has been reported yet, but the nmap scanner will also kill  
the hfaxd daemon. This was confirmed using nmap -sS and running  
hylafax-4.0  
  
DG  
  
`
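The SecureXpert advisory above describes the traffic nmap's stealth modes emit (lone FIN and "Christmas Tree" packets, and in half-open mode a SYN that the scanner tears down with its own RST instead of completing the handshake) and notes that the resulting inetd and kernel failures leave no trace in host logs unless an external intrusion detection system is watching. The following is an added example, not part of the Bugtraq thread and not nmap's or any vendor's code, of what that network-side detection looks like: a small Python detector that parses raw IPv4/TCP headers and flags both the stateless signatures (NULL, FIN, Xmas flag sets) and the stateful half-open pattern, a SYN from one source followed by that same source's RST rather than the handshake's ACK, repeated across several ports of one target. The sample packet stream, the hosts 10.0.0.5, 10.0.0.7 and 10.0.0.9, the sweep threshold, and all function names are constructed for this example.

```python
"""Flag nmap-style stealth probes in a stream of raw IPv4/TCP headers.

Two classes of signature from the SecureXpert advisory are covered:
  * stateless: single packets carrying flag combinations a normal stack never
    sends unsolicited (lone FIN, NULL, and "Christmas Tree" FIN+PSH+URG);
  * stateful: the half-open (-sS) pattern, a SYN from a source that is followed
    by a RST from the same source instead of the handshake's ACK, repeated
    across several ports of one target.

Example code: packets are constructed inline with build_packet(), so no
capture library is needed. Hosts, ports and thresholds are made up.
"""
import struct
from collections import defaultdict
from ipaddress import IPv4Address

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
IP_FMT = "!BBHHHBBH4s4s"   # 20-byte IPv4 header, no options
TCP_FMT = "!HHIIBBHHH"     # 20-byte TCP header, no options


def build_packet(src, dst, sport, dport, flags):
    """Serialise a header-only IPv4+TCP packet (checksums left at zero)."""
    ip = struct.pack(IP_FMT, 0x45, 0, 40, 0, 0, 64, 6, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    tcp = struct.pack(TCP_FMT, sport, dport, 0, 0, 5 << 4, flags, 1024, 0, 0)
    return ip + tcp


def parse_packet(raw):
    """Return addresses, ports and TCP flags, or None if not IPv4/TCP."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        return None
    ihl = (raw[0] & 0x0F) * 4
    if raw[9] != 6 or len(raw) < ihl + 20:
        return None
    sport, dport = struct.unpack("!HH", raw[ihl:ihl + 4])
    return {"src": str(IPv4Address(raw[12:16])),
            "dst": str(IPv4Address(raw[16:20])),
            "sport": sport, "dport": dport,
            "flags": raw[ihl + 13] & 0x3F}


def classify_flags(flags):
    """Stateless signatures: flag sets no compliant stack emits unsolicited."""
    if flags == 0:
        return "NULL"
    if flags == FIN:
        return "FIN"
    if flags & (FIN | PSH | URG) == (FIN | PSH | URG) and not flags & (SYN | ACK):
        return "XMAS"
    return None


def detect_scans(packets, sweep_threshold=3):
    """Return a sorted list of (kind, src, dst) alerts for a packet stream."""
    alerts = set()
    pending = set()                 # client SYNs awaiting that client's ACK or RST
    half_open = defaultdict(set)    # (src, dst) -> ports probed with SYN then RST
    for raw in packets:
        p = parse_packet(raw)
        if p is None:
            continue
        key = (p["src"], p["dst"], p["sport"], p["dport"])
        kind = classify_flags(p["flags"])
        if kind:
            alerts.add((kind, p["src"], p["dst"]))
            continue
        if p["flags"] == SYN:
            pending.add(key)
        elif key in pending:
            pending.discard(key)
            if p["flags"] & RST:    # half-open: torn down before the ACK
                half_open[(p["src"], p["dst"])].add(p["dport"])
            # a plain ACK here completes the handshake: an ordinary client
    for (src, dst), ports in half_open.items():
        if len(ports) >= sweep_threshold:
            alerts.add(("HALF_OPEN", src, dst))
    return sorted(alerts)


def sample_traffic():
    """Constructed stream: a -sS sweep, three stealth probes, one real session."""
    scanner, target, client = "10.0.0.5", "10.0.0.9", "10.0.0.7"
    pkts = []
    for i, port in enumerate((21, 23, 25, 80)):          # half-open sweep
        sport = 40000 + i
        pkts.append(build_packet(scanner, target, sport, port, SYN))
        pkts.append(build_packet(target, scanner, port, sport, SYN | ACK))
        pkts.append(build_packet(scanner, target, sport, port, RST))
    pkts.append(build_packet(scanner, target, 40100, 22, FIN | PSH | URG))  # Xmas
    pkts.append(build_packet(scanner, target, 40101, 22, FIN))             # FIN
    pkts.append(build_packet(scanner, target, 40102, 22, 0))               # NULL
    pkts.append(build_packet(client, target, 50000, 23, SYN))              # real telnet
    pkts.append(build_packet(target, client, 23, 50000, SYN | ACK))
    pkts.append(build_packet(client, target, 50000, 23, ACK))
    pkts.append(build_packet(client, target, 50000, 23, FIN | ACK))        # orderly close
    return pkts


if __name__ == "__main__":
    for alert in detect_scans(sample_traffic()):
        print("%-9s %s -> %s" % alert)
```

Run stand-alone it reports four alerts against the scanning host and none for the legitimate telnet session, because that client finishes its handshake with an ACK and closes with FIN/ACK rather than a bare FIN. A production detector would take headers from a capture library, match the RST against the SYN/ACK's sequence number rather than only the 4-tuple, and age out stale entries in `pending`; the pattern itself, SYN then RST from the same side, is what distinguishes the half-open mode from a full connect scan.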
