Vulnerability

inetd

Affected

Solaris, Linux

Description

Alla Bezroutchko stumbled upon something that looks like a bug in inetd on Solaris. If a Solaris box is portscanned by nmap with the -T Insane option (very quick scan), daemons that are started by inetd stop responding. That is, you can connect to them and the connection gets accepted, but they don't display any banner or answer in any way. It stays that way until inetd is restarted. Other daemons (not started by inetd) seem to be unaffected by this.

The effect depends on the number of daemons enabled in the inetd configuration. If only one daemon (ftp in my case) is enabled, nothing happens at all. Inetd with two daemons does hang, but not always. Five enabled daemons make it hang every time. This was tested over a 10Mbps LAN against Solaris 7 and 8 on Sparc and Solaris 7 on Intel. All three were affected.

All Linux versions are vulnerable as well. You can kill inetd over a 28.8 modem in less than 40 seconds... you just need to connect and disconnect really fast.

Solution

Properly patched Solaris doesn't seem to react to an intensive portscan in any way. Unpatched Solaris inetd does hang and doesn't seem to do it on purpose. It doesn't log anything and it doesn't answer any host connecting to it, not only the one that did the scan. Inetd sleeps on the accept syscall (normally it sleeps on poll) and stays that way until restarted.
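Because the hung inetd logs nothing, the symptom has to be checked from the network: the TCP connection completes but no banner ever arrives. The following monitoring probe is an added example, not part of the original advisory; the function names, the timeout values and the constructed localhost listeners in demo() are assumptions for illustration.

```python
import socket
import threading

def probe_banner(host, port, timeout=3.0):
    """Classify a banner-sending service (e.g. ftp started by inetd).

    "ok"          banner received
    "hung"        connect succeeded but nothing arrived within `timeout`
                  (the state the advisory describes)
    "closed"      peer closed or reset without sending anything
    "refused"     nothing is listening on the port
    "unreachable" connect timed out or failed for another reason
    """
    try:
        conn = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused"
    except OSError:
        return "unreachable"
    with conn:
        conn.settimeout(timeout)
        try:
            data = conn.recv(256)
        except socket.timeout:
            return "hung"
        except OSError:
            return "closed"
        return "ok" if data else "closed"

def demo():
    """Constructed stand-ins: one serviced listener, one never serviced."""
    def listener():
        s = socket.socket()
        s.bind(("127.0.0.1", 0))
        s.listen(5)
        return s
    healthy, stuck = listener(), listener()

    def serve():
        c, _ = healthy.accept()
        c.sendall(b"220 constructed banner\r\n")
        c.close()
    threading.Thread(target=serve, daemon=True).start()
    results = {
        "healthy": probe_banner("127.0.0.1", healthy.getsockname()[1], 1.0),
        # Nobody calls accept() on `stuck`; the kernel still completes the
        # handshake from the listen backlog, so the client sees a connection.
        "stuck": probe_banner("127.0.0.1", stuck.getsockname()[1], 1.0),
    }
    healthy.close()
    stuck.close()
    return results
```

Run against each inetd-managed port on a schedule, a "hung" result on every such port at once, while daemons not started by inetd still answer, matches the behaviour described above.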