[Fwd: Found denial of service in NRPE for Solaris]
Greg Panula
greg.panula at dolaninformation.com
Thu May 22 10:06:58 CEST 2003
FYI - response from the author of the advisory. This was run against
NRPE in daemon mode.
greg
Gino Thomas wrote:
>
> I read the web archive of nagios-devel and saw the
> post from Greg Panula.
>
> Since I am not subscribed, here's my answer (please forward it):
>
> >Isn't inetd a "super server"? Meaning it listens on the port, accepts
> >the inbound connection and then spawns the service and passes the
> >connection off to the freshly spawned service/daemon.
>
> >The test he ran above is a little misleading... it could be that inetd
> >is dying and therefore port 5666 is no longer listening.
>
> Yes, that's really my fault, I pasted the daemon test packets and (while
> running another pentest with inetd) messed up the advisory.
>
> The test was run against ./nrpe -d nrpe.cfg, aka running it in daemon mode,
> no inetd involved. Sorry for the misleading advisory.
>
> >I would suggest running the above test against NRPE while it is running
> >in daemon mode, not under inetd as he did.
>
> As noted, the test was made against nrpe in daemon mode.
>
> Updated Advisory:
>
> +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
>
> NUX-ACID ADVISORY #001
>
> Advisory name: Denial of Service in Nagios NRPE Plugin (Solaris)
> Risk: Low
> Date: xx.05.2003
> Application: NRPE
> Versions Vulnerable: nrpe-1.5-sol8-sparc
> Vendor: Ethan Galstad (nagios at nagios.org)
>
> Timeline:
> 17.05.03 - found vulnerability
> 20.05.03 - informed the author
> xx.xx.xx - solution found
> xx.xx.xx - public release
>
> 2003 by Gino Thomas, http://www.nux-acid.org
> This information is provided freely to all interested parties
> and may be redistributed provided that it is not altered in any way
> +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
>
>
>
> =+[Overview]+=
>
> From the website:
>
> "Nagios is a host and service monitor designed to inform you of
> network problems before your clients, end-users or managers do. It has
> been designed to run under the Linux operating system, but works fine
> under most *NIX variants as well. The monitoring daemon runs
> intermittent checks on hosts and services you specify using external
> "plugins" which return status information to Nagios. When problems are
> encountered, the daemon can send notifications out to administrative
> contacts in a variety of different ways (email, instant message, SMS,
> etc.). Current status information, historical logs, and reports can
> all be accessed via a web browser."
>
> =+[Description]+=
>
> While pentesting the Nagios application I found the "NRPE Plugin" for
> Solaris vulnerable to a simple denial of service attack. The attack
> can be performed by sending this particular packet sequence:
>
> attacker ---SYN---> victim
> attacker <---SYN/ACK--- victim
> attacker ---ACK---> victim
> attacker ---RST---> victim
>
> It's a simple denial of service attack, which could be used in various
> ways, for example to kill the service to get the admin's attention on
> that host (he'll probably log in to see what happened).
>
> =+[Proof]+=
>
> The service (started in daemon mode) is running on port 5666 (tcp), as we can see
> with netstat:
>
> sunsolaris:~# netstat -an | grep 5666
> *.5666 *.* 0 0 24576 0 LISTEN
>
>
> Now use 'nessus 1.2.7 for FreeBSD' to perform a simple portscan, while
> sniffing the wire:
>
> sunsolaris:~# tcpdump -vv -s 1500 "port 5666 and host 172.xxx.xxx.xxx"
> tcpdump: listening on ge0
>
> 14:43:24.554860 172.xxx.xxx.xxx.1554 > fs038sys.xxx.de.nrpe:
> S 1052746983:1052746983(0) win 57344 <mss 1460,nop,wscale
> 0,nop,nop,timestamp 17222850 0> (DF) (ttl 64, id 34513)
>
> 14:43:24.554914 fs038sys.xxx.de.nrpe > 172.xxx.xxx.xxx.1554:
> S 2661476555:2661476555(0) ack 1052746984 win 24616 <nop,nop,timestamp
> 1889852912 17222850,nop,wscale 0,mss 1460> (DF) (ttl 64, id 46301)
>
> 14:43:24.555353 172.xxx.xxx.xxx.1554 > fs038sys.xxx.de.nrpe:
> . 1:1(0) ack 1 win 57920 <nop,nop,timestamp 17222850 1889852912> (DF)
> (ttl 64, id 34517)
>
> 14:43:24.555399 172.xxx.xxx.xxx.1554 > fs038sys.xxx.de.nrpe:
> R 1:1(0) ack 1 win 57920 (DF) (ttl 64, id 34518)
>
> ^C
> 36554 packets received by filter
> 0 packets dropped by kernel
>
> After the packets have arrived, another check with netstat:
>
> fs038sys:~# netstat -an | grep 5666
> fs038sys:~#
>
> The service is gone.
>
> Vulnerable OS: SunSolaris 2.7 (tested two boxes)
> Attacking OS: FreeBSD 4.7 with Nessus 1.2.7
>
> =+[Solution]+=
>
> The author was informed on 20.05.2003. A fix has yet to be found.
>