(Fwd) Found denial of service in NRPE for Solaris
Ethan Galstad
nagios at nagios.org
Wed May 21 04:52:08 CEST 2003
Does anyone have any comments on the following DoS report for NRPE?
I'm not that familiar with protecting against such attacks, so I
don't know what can be done. This seems like a low risk thing, but I
thought I'd post it for comments. I think xinetd provides some DoS
protection for services that run under it, so that might fix it.
However, I'm no expert, so comments are welcome.
------- Forwarded message follows -------
Date sent: Tue, 20 May 2003 13:47:13 +0200
From: Gino Thomas <g.thomas at nux-acid.org>
Send reply to: Gino Thomas <g.thomas at nux-acid.org>
To: nagios at nagios.org
Subject: Found denial of service in NRPE for Solaris
Hello Mr. Ethan Galstad,
i recently found a simple denial of service attack for
the nrpe-1.5-sol8-sparc Nagios plugin which can be downloaded at
http://nagios.sourceforge.net/download/ports/solaris/
See my advisory attached, please inform me:
1) if you're planning to fix the bug
2) at what time the community can expect a patch/newer version
3) if you found this advisory sufficient
Feel free to ask me for further information.
regards & wishes
Gino Thomas
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
++=+=
NUX-ACID ADVISORY #001
Advisory name : Denial of Service in Nagios NRPE Plugin
(Solaris) Risk : Low Date :
xx.05.2003 Application : NRPE Versions Vulnerable :
nrpe-1.5-sol8-sparc Vendor : Ethan Galstad
(nagios at nagios.org)
Timeline:
17.05.03 - found vulnerability
20.05.03 - informed the author
xx.xx.xx - solution found
xx.xx.xx - public release
2003 by Gino Thomas, http://www.nux-acid.org
This information is provided freely to all interested parties
and may be redistributed provided that it is not altered in any way
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
+=+=
=+[Overview]+=
Form the website:
"Nagios® is a host and service monitor designed to inform you of
network problems before your clients, end-users or managers do. It
has
been designed to run under the Linux operating system, but works fine
under most *NIX variants as well. The monitoring daemon runs
intermittent checks on hosts and services you specify using external
"plugins" which return status information to Nagios. When problems
are
encountered, the daemon can send notifications out to administrative
contacts in a variety of different ways (email, instant message, SMS,
etc.). Current status information, historical logs, and reports can
all be accessed via a web browser."
=+[Description]+=
While pentesting the Nagios applikation i found the "NRPE Plugin" for
Solaris vulnerable to a simple denial of service attack. The attack
can be performed by sending the special packet order:
attacker ---SYN---> victim
attacker <---SYN/ACK--- victim
attacker ---ACK---> victim
attacker ---RST---> victim
It's a simple denial of service attack, which could be used in
various
ways, for example kill the service to get the admins attraction to
that host (he'll probably login to see what happend).
=+[Proof]+=
The service (under inetd) is running on port 5666 (tcp), as we can
see
with netstat:
sunsolaris:~# netstat -an | grep 5666
*.5666 *.* 0 0 24576 0
LISTEN
Now use 'nessus 1.2.7 for FreeBSD' to perform a simple portscan,
while
sniffing the wire:
sunsolaris:~# tcpdump -vv -s 1500 "port 5666 and host 172.16.3.105"
tcpdump: listening on ge0 14:43:24.554860 172.xxx.xxx.xxx.1554 >
fs038sys.xxx.de.nrpe: S 1052746983:1052746983(0) win 57344 <mss
1460,nop,wscale 0,nop,nop,timestamp 17222850 0> (DF) (ttl 64, id
34513) 14:43:24.554914 fs038sys.xxx.de.nrpe > 172.xxx.xxx.xxx.1554: S
2661476555:2661476555(0) ack 1052746984 win 24616 <nop,nop,timestamp
1889852912 17222850,nop,wscale 0,mss 1460> (DF) (ttl 64, id 46301)
14:43:24.555353 172.xxx.xxx.xxx.1554 > fs038sys.xxx.de.nrpe: . 1:1(0)
ack 1 win 57920 <nop,nop,timestamp 17222850 1889852912> (DF) (ttl 64,
id 34517) 14:43:24.555399 172.xxx.xxx.xxx.1554 >
fs038sys.xxx.de.nrpe:
R 1:1(0) ack 1 win 57920 (DF) (ttl 64, id 34518) ^C 36554 packets
received by filter 0 packets dropped by kernel
After the packets have arrived, another check with netstat:
fs038sys:~# netstat -an | grep 5666
fs038sys:~#
The service is gone.
Vulnerable OS: SunSolaris 2.7 (tested on two boxes)
Attacking OS: FreeBSD 4.7 with Nessus 1.2.7
=+[Solution]+=
The author has yet to be informed.
------- End of forwarded message -------
Ethan Galstad,
Nagios Developer
---
Email: nagios at nagios.org
Website: http://www.nagios.org
-------------------------------------------------------
This SF.net email is sponsored by: ObjectStore.
If flattening out C++ or Java code to make your application fit in a
relational database is painful, don't do it! Check out ObjectStore.
Now part of Progress Software. http://www.objectstore.net/sourceforge
More information about the Developers
mailing list