(Fwd) Found denial of service in NRPE for Solaris

local.coder code at novageeks.org
Wed May 21 15:41:30 CEST 2003


Is this seen only when being done under inetd or is the same true for daemon
mode?

My first thought would be this. We take the IP source verification code and 
instead of killing the connection we move up the pipe and just discard all 
traffic that is not from an authorized host. That may help in defeating this 
attack and other possible sequence type attacks.

I can run some tests here and see what other details we can find from this.

Derrick

Quoting Ethan Galstad <nagios at nagios.org>:

> Does anyone have any comments on the following DoS report for NRPE?
> I'm not that familiar with protecting against such attacks, so I
> don't know what can be done.  This seems like a low risk thing, but I
> thought I'd post it for comments.  I think xinetd provides some DoS
> protection for services that run under it, so that might fix it.
> However, I'm no expert, so comments are welcome.
> 
> 
> 
> ------- Forwarded message follows -------
> Date sent:      	Tue, 20 May 2003 13:47:13 +0200
> From:           	Gino Thomas <g.thomas at nux-acid.org>
> Send reply to:  	Gino Thomas <g.thomas at nux-acid.org>
> To:             	nagios at nagios.org
> Subject:        	Found denial of service in NRPE for Solaris
> 
> Hello Mr. Ethan Galstad,
> 
> I recently found a simple denial of service attack for
> the nrpe-1.5-sol8-sparc Nagios plugin which can be downloaded at
> http://nagios.sourceforge.net/download/ports/solaris/
> 
> See my advisory attached, please inform me:
> 1) if you're planning to fix the bug
> 2) at what time the community can expect a patch/newer version
> 3) if you found this advisory sufficient
> 
> Feel free to ask me for further information.
> 
> regards & wishes
> Gino Thomas
> 
> 
> +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
> NUX-ACID ADVISORY #001
> 
> Advisory name           : Denial of Service in Nagios NRPE Plugin (Solaris)
> Risk                    : Low
> Date                    : xx.05.2003
> Application             : NRPE
> Versions Vulnerable     : nrpe-1.5-sol8-sparc
> Vendor                  : Ethan Galstad (nagios at nagios.org)
> 
> Timeline:
> 17.05.03 - found vulnerability
> 20.05.03 - informed the author
> xx.xx.xx - solution found
> xx.xx.xx - public release
> 
> 
> 2003 by Gino Thomas, http://www.nux-acid.org
> This information is provided freely to all interested parties
> and may be redistributed provided that it is not altered in any way
> +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
> 
> 
> =+[Overview]+=
> 
> From the website:
> 
> "Nagios® is a host and service monitor designed to inform you of
> network problems before your clients, end-users or managers do. It has
> been designed to run under the Linux operating system, but works fine
> under most *NIX variants as well. The monitoring daemon runs
> intermittent checks on hosts and services you specify using external
> "plugins" which return status information to Nagios. When problems are
> encountered, the daemon can send notifications out to administrative
> contacts in a variety of different ways (email, instant message, SMS,
> etc.). Current status information, historical logs, and reports can
> all be accessed via a web browser."
> 
> =+[Description]+=
> 
> While pentesting the Nagios application I found the "NRPE Plugin" for
> Solaris vulnerable to a simple denial of service attack. The attack
> can be performed by sending the special packet order:
> 
> attacker        ---SYN--->      victim
> attacker        <---SYN/ACK---  victim
> attacker        ---ACK--->      victim
> attacker        ---RST--->      victim
> 
> It's a simple denial of service attack, which could be used in various
> ways, for example to kill the service to get the admin's attention on
> that host (he'll probably log in to see what happened).
> 
> =+[Proof]+=
> 
> The service (under inetd) is running on port 5666 (tcp), as we can see
> with netstat:
> 
> sunsolaris:~# netstat -an | grep 5666
>       *.5666               *.*                0      0 24576      0 LISTEN
> 
> 
> Now use 'nessus 1.2.7 for FreeBSD' to perform a simple portscan, while
> sniffing the wire:
> 
> sunsolaris:~# tcpdump -vv -s 1500 "port 5666 and host 172.16.3.105"
> tcpdump: listening on ge0
> 14:43:24.554860 172.xxx.xxx.xxx.1554 > fs038sys.xxx.de.nrpe: S 1052746983:1052746983(0) win 57344 <mss 1460,nop,wscale 0,nop,nop,timestamp 17222850 0> (DF) (ttl 64, id 34513)
> 14:43:24.554914 fs038sys.xxx.de.nrpe > 172.xxx.xxx.xxx.1554: S 2661476555:2661476555(0) ack 1052746984 win 24616 <nop,nop,timestamp 1889852912 17222850,nop,wscale 0,mss 1460> (DF) (ttl 64, id 46301)
> 14:43:24.555353 172.xxx.xxx.xxx.1554 > fs038sys.xxx.de.nrpe: . 1:1(0) ack 1 win 57920 <nop,nop,timestamp 17222850 1889852912> (DF) (ttl 64, id 34517)
> 14:43:24.555399 172.xxx.xxx.xxx.1554 > fs038sys.xxx.de.nrpe: R 1:1(0) ack 1 win 57920 (DF) (ttl 64, id 34518)
> ^C
> 36554 packets received by filter
> 0 packets dropped by kernel
> 
> After the packets have arrived, another check with netstat:
> 
> fs038sys:~# netstat -an | grep 5666
> fs038sys:~#
> 
> The service is gone.
> 
> Vulnerable OS: SunSolaris 2.7 (tested on two boxes)
> Attacking  OS: FreeBSD 4.7 with Nessus 1.2.7
> 
> =+[Solution]+=
> 
> The author has yet to be informed.
> 
> 
> ------- End of forwarded message -------
> 
> Ethan Galstad,
> Nagios Developer
> ---
> Email: nagios at nagios.org
> Website: http://www.nagios.org
> 
> 
> 
> -------------------------------------------------------
> This SF.net email is sponsored by: ObjectStore.
> If flattening out C++ or Java code to make your application fit in a
> relational database is painful, don't do it! Check out ObjectStore.
> Now part of Progress Software. http://www.objectstore.net/sourceforge
> _______________________________________________
> Nagios-devel mailing list
> Nagios-devel at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/nagios-devel
> 



