(Fwd) Found denial of service in NRPE for Solaris

[Greg Panula]

Ethan Galstad wrote:
> 
> Does anyone have any comments on the following DoS report for NRPE?
> I'm not that familiar with protecting against such attacks, so I
> don't know what can be done.  This seems like a low risk thing, but I
> thought I'd post it for comments.  I think xinetd provides some DoS
> protection for services that run under it, so that might fix it.
> However, I'm no expert, so comments are welcome.
> 
> ------- Forwarded message follows -------
> Date sent:              Tue, 20 May 2003 13:47:13 +0200
> From:                   Gino Thomas <g.thomas at nux-acid.org>
> Send reply to:          Gino Thomas <g.thomas at nux-acid.org>
> To:                     nagios at nagios.org
> Subject:                Found denial of service in NRPE for Solaris
> 
> Hello Mr. Ethan Galstad,
> 
> i recently found a simple denial of service attack for
> the nrpe-1.5-sol8-sparc Nagios plugin which can be downloaded at
> http://nagios.sourceforge.net/download/ports/solaris/
<snip> 
> =+[Description]+=
> 
> While pentesting the Nagios applikation i found the "NRPE Plugin" for
> Solaris vulnerable to a simple denial of service attack. The attack
> can be performed by sending the special packet order:
> 
> attacker        ---SYN--->      victim
> attacker        <---SYN/ACK---  victim
> attacker        ---ACK--->      victim
> attacker        ---RST--->      victim
> 
> It's a simple denial of service attack, which could be used in
> various
> ways, for example kill the service to get the admins attraction to
> that host (he'll probably login to see what happend).
> 
> =+[Proof]+=
> 
> The service (under inetd) is running on port 5666 (tcp), as we can
> see
> with netstat:
> 
> sunsolaris:~# netstat -an | grep 5666
>       *.5666               *.*                0      0 24576      0
>       LISTEN
> 
> Now use 'nessus 1.2.7 for FreeBSD' to perform a simple portscan,
> while
> sniffing the wire:
> 
> sunsolaris:~# tcpdump -vv -s 1500 "port 5666 and host 172.16.3.105"
> tcpdump: listening on ge0 14:43:24.554860 172.xxx.xxx.xxx.1554 >
> fs038sys.xxx.de.nrpe: S 1052746983:1052746983(0) win 57344 <mss
> 1460,nop,wscale 0,nop,nop,timestamp 17222850 0> (DF) (ttl 64, id
> 34513) 14:43:24.554914 fs038sys.xxx.de.nrpe > 172.xxx.xxx.xxx.1554: S
> 2661476555:2661476555(0) ack 1052746984 win 24616 <nop,nop,timestamp
> 1889852912 17222850,nop,wscale 0,mss 1460> (DF) (ttl 64, id 46301)
> 14:43:24.555353 172.xxx.xxx.xxx.1554 > fs038sys.xxx.de.nrpe: . 1:1(0)
> ack 1 win 57920 <nop,nop,timestamp 17222850 1889852912> (DF) (ttl 64,
> id 34517) 14:43:24.555399 172.xxx.xxx.xxx.1554 >
> fs038sys.xxx.de.nrpe:
> R 1:1(0) ack 1 win 57920 (DF) (ttl 64, id 34518) ^C 36554 packets
> received by filter 0 packets dropped by kernel
> 
> After the packets have arrived, another check with netstat:
> 
> fs038sys:~# netstat -an | grep 5666
> fs038sys:~#
> 
> The service is gone.
> 
> Vulnerable OS: SunSolaris 2.7 (tested on two boxes)
> Attacking  OS: FreeBSD 4.7 with Nessus 1.2.7

Isn't inetd a "super server"?  Meaning it listens on the port, accepts
in the inbound connection and then spawns the service and passes the
connection off to freshly spawned the service/daemon.

The test he ran above is a little mis-leading... it could be that inetd
is dying and therefore port 5666 is longer listening.

I would suggest running the above test against NRPE while it is running
in daemon mode, not under inetd as he did.

Just my two bits,
  greg


-------------------------------------------------------
This SF.net email is sponsored by: ObjectStore.
If flattening out C++ or Java code to make your application fit in a
relational database is painful, don't do it! Check out ObjectStore.
Now part of Progress Software. http://www.objectstore.net/sourceforge