COMMAND
TCP/IP
SYSTEMS AFFECTED
HP 10.10, DU, IRIX 5.3, 6.2, 6.3, Solaris, SunOS 4.x, Win9x and NT
(with NN), FORE PowerHub, some CISCOs, FakeBo, Omni-NFS/X
Enterprise version 6.1 (nfsd.exe)
PROBLEM
Sherwood Botsford and Lamont Granquist found the following. Using
nmap v2.0, you may take down some machines. For an HP, do:
nmap -O
and it will be enough to crash an HP box. Another nmap-induced
denial-of-service is against many machines' inetd when doing a
TCP connect() scan (-sT), with the result of killing the inetd
process. Lamont found that Digital Unix and Irix have been
vulnerable to this. He confirmed that it happens in response to
a connect() scan and not any other TCP scan type, and that it
sometimes occurs immediately following a connect() scan when the
inetd had been verified immediately previously to be running fine.
Solaris versions earlier than Solaris 7 are affected. Irix 5.3,
6.2 and 6.3 inetd's die when scanned by:
nmap-1.51 with -vv
while Irix 6.5SE inetd's die with the following (UNICOS 10 inetd's
*may* die too):
nmap-1.51 -F
SunOS 4.1.3 reboots when scanned by:
nmap-1.51 with -vv
The nmap scanner will also kill the hfaxd daemon. This was confirmed
using nmap -sS against a system running hylafax-4.0.
A vulnerability also exists in the Novell Intranetware Client
version 3.0.0.0 (as distributed with Novell Netware 5) which
affects all Windows 95 and Windows 98 systems on which the Novell
Intranetware Client version 3.0.0.0 is installed. Windows 95 and
Windows 98 systems with the Novell Intranetware Client installed
experience a critical error (Blue Screen) when scanned with the
popular port-scanner tool "nmap" in "half-open" scanning mode
(-sS). Specifically, the vulnerable service in the Intranetware
client is the SLP Request service on TCP port 427. The command
nmap -sS -p427 target.com
which scans only port 427 on the target system with a TCP
half-open sequence, causes an immediate Blue Screen condition.
This condition is recoverable; however, the affected system
subsequently loses all TCP network connectivity. Similarly, any
"nmap -sS" scan which includes port 427 in the range of scanned
ports causes the same fault (on most systems this includes the
default scan with no ports specified). The NT platform seems to be
affected as well.
More fun with -sS. Nmap 2.01++ can crash the Microsoft Windows NT
telnetd. You only need to have option -sS enabled when scanning...
You will get an application popup with a message like this:
program made an illegal operation. Same goes for FORE PowerHub
7-2.6.3.4-P10: it hangs for about 80 seconds when scanned with
nmap -sS -O (nmap V2.00).
For CISCO stuff, see Cisco #15 in Others section.
Neoware's X-Terminal goes nuts too. Note that NetOS 2.0.1 is not
current. X-terminal information:
Model: @work Prima
Main Board: NC1
CPU: i960 CF 25 MHz
Video selector: 7 (V19CT) Jumpers: 2 (mon=7,jpr=2)
Video Osc: 5.000 MHz
Video Pixel Clock: 130.0 MHz
Keyboard type: IBM
Main memory size: 4 MB
SIMM memory size: 12 MB
Video memory size: 2048 KB
NVM size: 2 KB
Flash memory size: None
Ethernet address: 00:80:96:XX:XX
Base configuration: BA-J2710B3-XXX
Description: @25 V19CT 16M 8B2
Server Code Version: 2.0.1-D (Build 504)
PLCC Boot PROM Version: 2.0.2 (Build 520)
netOS Version: 2.0.1
What about FakeBo? Well, let's take a look:
nofx:~ # nmap -sS localhost -p 12345
Starting nmap V. 2.03 by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)
Interesting ports on localhost (127.0.0.1):
Port State Protocol Service
12345 open tcp unknown
nofx:~ # nmap -sS localhost -p 12345
Starting nmap V. 2.03 by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)
No ports open for host localhost (127.0.0.1)
Nmap run completed -- 1 IP address (1 host up) scanned in 0 seconds
So it seems a simple tcp SYN stealth port scan causes fakebo 0.3.1
to crash.
Omni-NFS/X Enterprise is an X and NFS server solution for win32
systems, written by XLink Technology. The NFS daemon (nfsd.exe)
used by Omni-NFS/X will jump to 100% CPU usage if you scan it
using nmap with either the -O (OS detect) or the -sS (TCP SYN,
half-open) scan.
SOLUTION
The work-around for the nmap user is to never use connect() scans,
and to explicitly use -sS (or one of the other stealth scans) in
conjunction with -O. There is no workaround for the system admin
of the scanned system.
SGI recommends turning off the tcpmux and echo ports in
/etc/inetd.conf. The bug is fixed in IRIX 6.5.2, according to
SGI.
A simple interim workaround for nmap-kills-inetd is to replace
inetd invocations with
( trap "" 13; exec /path/to/inetd )
or, under Solaris
( trap "" 13; exec /usr/sbin/inetd -s )
This causes SIGPIPE to be ignored. Unfortunately, it is also
ignored by inetd's children, which may cause problems for
services run under inetd that expect SIGPIPE. Removing all
internal tcp services from inetd.conf will help too:
time stream tcp nowait root internal
echo stream tcp nowait root internal
discard stream tcp nowait root internal
daytime stream tcp nowait root internal
chargen stream tcp nowait root internal
In fact, only the "time" and "daytime" services are affected (the
other three fork).
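Both inetd workarounds above are easy to check on a shell. The script below is an added example, not part of this advisory: the first half shows that a SIGPIPE ignored with `trap "" 13` is inherited by every child across fork() and exec(), so a child writing to a closed pipe gets EPIPE instead of being killed (the side effect the text warns about for inetd's children); the second half lists, from an inetd.conf, the internal stream/tcp services the advisory names as affected, using a constructed inetd.conf fragment. The function names (writer_exit_status, killed_by_sigpipe, affected_internal_services, sample_inetd_conf) are the example's own.

```shell
#!/bin/sh
# Added example, not from the advisory. Part 1: SIGPIPE inheritance.
# Part 2: audit of inetd-internal stream/tcp services in an inetd.conf.

# writer_exit_status MODE
#   MODE "default": SIGPIPE keeps its default disposition (kills the process)
#   MODE "ignore":  SIGPIPE is ignored first, as ( trap "" 13; exec inetd ) does
# Prints the exit status of a child ("yes") that writes into a pipe whose
# reader has already exited: 141 (128+13) when SIGPIPE killed it, otherwise
# the status yes chose when its write() failed with EPIPE (1 for GNU yes).
writer_exit_status() {
    status_file=$(mktemp)
    (
        set +e                      # errexit must not abort the subshell
        if [ "$1" = ignore ]; then
            trap "" 13              # SIG_IGN survives fork()+exec(): yes inherits it
        fi
        # head consumes one line and exits, closing the read end; the next
        # write() by yes then has no reader.
        { rc=0; yes 2>/dev/null || rc=$?; echo "$rc" > "$status_file"; } \
            | head -n 1 > /dev/null
    )
    cat "$status_file"
    rm -f "$status_file"
}

# Returns 0 (true) when the child was killed by SIGPIPE, 1 otherwise.
killed_by_sigpipe() {
    [ "$(writer_exit_status "$1")" -eq 141 ]
}

# affected_internal_services FILE
# Prints the names of services in an inetd.conf that inetd serves itself
# ("internal") over stream/tcp and that the advisory reports as affected
# (time, daytime). inetd.conf field order:
#   name socket-type protocol wait/nowait user server-program args...
affected_internal_services() {
    awk '!/^[ \t]*#/ && NF >= 6 && $2 == "stream" && $3 == "tcp" \
         && $6 == "internal" && ($1 == "time" || $1 == "daytime") { print $1 }' "$1"
}

# Writes a constructed inetd.conf fragment to a temp file and prints its path.
sample_inetd_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample, modelled on the advisory's list
time    stream tcp nowait root internal
echo    stream tcp nowait root internal
discard stream tcp nowait root internal
daytime stream tcp nowait root internal
chargen stream tcp nowait root internal
ftp     stream tcp nowait root /usr/sbin/ftpd ftpd -l
EOF
    echo "$f"
}

# Stand-alone run: report both parts.
echo "SIGPIPE default: child exited $(writer_exit_status default)"
echo "SIGPIPE ignored: child exited $(writer_exit_status ignore)"
conf=$(sample_inetd_conf)
echo "affected internal services in the sample inetd.conf:"
affected_internal_services "$conf"
rm -f "$conf"
```

Run it as-is; the first line reports 141 (killed by SIGPIPE) and the second a plain error status, which is exactly the behaviour change a service started under the wrapper would see. The awk filter only reports the two services the advisory singles out; dropping the `$1 == ...` clause lists every internal stream/tcp entry.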
Novell eliminated this with the Win95/98 v3.1 client (now at SP2
as of 10/03/1999). See Novell TID2948363 at
http://support.novell.com
for details.
Powerhub Software 5.0.1 (11193) fixes the problems relating to
nmap, as well as cheops/queso scans. The 5.0.1 software requires
that the PH7000 have a "packet accelerator", so it wasn't possible
to install it on non-accelerated hardware. To solve this, Fore
back-ported the fixes and rolled a new release (2.6.4.3).