[Nagios-devel] [Fwd: Found denial of service in NRPE for Solaris]
Posted: Thu May 22, 2003 12:07 am
FYI - response from the author of the advisory. The test was run against
NRPE in daemon mode.
greg
Gino Thomas wrote:
>
> I read the web archive of nagios-devel and saw the
> post from Greg Panula.
>
> Since I am not subscribed, here's my answer (please forward it):
>
> >Isn't inetd a "super server"? Meaning it listens on the port, accepts
> >the inbound connection and then spawns the service and passes the
> >connection off to the freshly spawned service/daemon.
>
> >The test he ran above is a little misleading... it could be that inetd
> >is dying and therefore port 5666 is no longer listening.
>
> Yes, that's really my fault, I pasted the daemon test packets and (while
> running another pentest with inetd) messed up the advisory.
>
> The test was run against ./nrpe -d nrpe.cfg, aka running it in daemon mode,
> no inetd involved. Sorry for the misleading advisory.
>
> >I would suggest running the above test against NRPE while it is running
> >in daemon mode, not under inetd as he did.
>
> As noted, the test was made against nrpe in daemon mode.
>
> Updated Advisory:
>
> +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
>
> NUX-ACID ADVISORY #001
>
> Advisory name: Denial of Service in Nagios NRPE Plugin (Solaris)
> Risk: Low
> Date: xx.05.2003
> Application: NRPE
> Versions Vulnerable: nrpe-1.5-sol8-sparc
> Vendor: Ethan Galstad ([email protected])
>
> Timeline:
> 17.05.03 - found vulnerability
> 20.05.03 - informed the author
> xx.xx.xx - solution found
> xx.xx.xx - public release
>
> 2003 by Gino Thomas, http://www.nux-acid.org
> This information is provided freely to all interested parties
> and may be redistributed provided that it is not altered in any way
> +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
>
>
>
> =+[Overview]+=
>
> From the website:
>
> "Nagios. is a host and service monitor designed to inform you of
> network problems before your clients, end-users or managers do. It has
> been designed to run under the Linux operating system, but works fine
> under most *NIX variants as well. The monitoring daemon runs
> intermittent checks on hosts and services you specify using external
> "plugins" which return status information to Nagios. When problems are
> encountered, the daemon can send notifications out to administrative
> contacts in a variety of different ways (email, instant message, SMS,
> etc.). Current status information, historical logs, and reports can
> all be accessed via a web browser."
>
> =+[Description]+=
>
> While pentesting the Nagios application I found the "NRPE Plugin" for
> Solaris vulnerable to a simple denial of service attack. The attack
> can be performed by sending the special packet order:
>
> attacker ---SYN---> victim
> attacker ---ACK---> victim
> attacker ---RST---> victim
>
> It's a simple denial of service attack, which could be used in various
> ways, for example kill the service to get the admin's attention on
> that host (he'll probably log in to see what happened).
>
> =+[Proof]+=
>
> The service (started in daemon mode) is running on port 5666 (tcp), as we can see
> with netstat:
>
> sunsolaris:~# netstat -an | grep 5666
> *.5666 *.* 0 0 24576 0 LISTEN
>
>
> Now use 'nessus 1.2.7 for FreeBSD' to perform a simple portscan, while
> sniffing the wire:
>
> sunsolaris:~# tcpdump -vv -s 1500 "port 5666 and host 172.xxx.xxx.xxx"
> tcpdump: listening on ge0
>
> 14:43:24.554860 172.xxx.xxx.xxx.1554 > fs038sys.xxx.de.nrpe:
> S 1052746983:1052746983(0) win 57344 0,nop,nop,timestamp 17222850 0> (DF) (ttl 64, id 34513)
>
> 14:43:24.554914 fs038sys.xxx.de.nrpe > 172.xxx.xxx.xxx.1554:
> S 2661476555:2661476555(0) ack 1052746984 win 24616 1889852912 17222850,nop,wscale 0,mss 1460> (DF) (ttl 64, id 46301)
>
> 14:43:24.555353 172.xxx.xxx.xxx.1554 > fs038sys.xxx.de.nrpe:
> . 1:1(0) ack 1 win 57920 <nop,nop,timestamp 17222850 1889852
...[email truncated]...
This post was automatically imported from historical nagios-devel mailing list archives
Original poster: [email protected]
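The advisory above boils down to one packet order: a completed handshake (SYN, SYN/ACK, ACK) that the client immediately resets without ever sending a byte of data, which is exactly what a port scanner produces and what the post says knocks the Solaris NRPE daemon over. The following is an added example, written for this thread and not taken from the advisory or from NRPE, that reads classic tcpdump output of the kind pasted above and flags flows matching that pattern, so an operator can tell a scan-triggered daemon death apart from an ordinary crash. The sample lines are constructed to match the tcpdump format in the post; the addresses (192.0.2.x, nrpe-host.example) are placeholders, not the hosts from the test.

```python
"""Flag "handshake then immediate RST, no payload" flows in classic tcpdump output.

Added example for the nagios-devel thread; not code from the advisory or NRPE.
SAMPLE_LINES are constructed; hosts and addresses are placeholders.
"""
import re
from dataclasses import dataclass

# Old-style tcpdump TCP line: "<ts> <src> > <dst>: <flags> [seq:end(len)] [ack N] ..."
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+"
    r"(?P<flags>[SRPF.]+)\s+"
    r"(?:(?P<seq>\d+):(?P<end>\d+)\((?P<len>\d+)\)\s*)?"
    r"(?:ack\s+(?P<ack>\d+))?"
)

# Constructed capture: one scan-style probe, one ordinary exchange, one half-open reset.
SAMPLE_LINES = [
    "14:43:24.554860 192.0.2.10.1554 > nrpe-host.example.nrpe: S 1052746983:1052746983(0) win 57344 <mss 1460,nop,wscale 0> (DF)",
    "14:43:24.554914 nrpe-host.example.nrpe > 192.0.2.10.1554: S 2661476555:2661476555(0) ack 1052746984 win 24616 <mss 1460> (DF)",
    "14:43:24.555353 192.0.2.10.1554 > nrpe-host.example.nrpe: . 1:1(0) ack 1 win 57920 (DF)",
    "14:43:24.555900 192.0.2.10.1554 > nrpe-host.example.nrpe: R 1:1(0) ack 1 win 57920 (DF)",
    "14:44:01.000100 192.0.2.20.40001 > nrpe-host.example.nrpe: S 3000:3000(0) win 5840 <mss 1460> (DF)",
    "14:44:01.000200 nrpe-host.example.nrpe > 192.0.2.20.40001: S 7000:7000(0) ack 3001 win 24616 <mss 1460> (DF)",
    "14:44:01.000300 192.0.2.20.40001 > nrpe-host.example.nrpe: . 1:1(0) ack 1 win 5840 (DF)",
    "14:44:01.000400 192.0.2.20.40001 > nrpe-host.example.nrpe: P 1:17(16) ack 1 win 5840 (DF)",
    "14:44:01.000500 nrpe-host.example.nrpe > 192.0.2.20.40001: P 1:41(40) ack 17 win 24616 (DF)",
    "14:44:01.000600 192.0.2.20.40001 > nrpe-host.example.nrpe: F 17:17(0) ack 41 win 5840 (DF)",
    "14:45:10.000100 192.0.2.30.50001 > nrpe-host.example.nrpe: S 9000:9000(0) win 1024 <mss 1460> (DF)",
    "14:45:10.000200 nrpe-host.example.nrpe > 192.0.2.30.50001: S 11000:11000(0) ack 9001 win 24616 <mss 1460> (DF)",
    "14:45:10.000300 192.0.2.30.50001 > nrpe-host.example.nrpe: R 9001:9001(0) win 0 (DF)",
]


@dataclass
class Flow:
    client: str
    server: str
    stage: int = 0            # 1 = SYN seen, 2 = SYN/ACK seen, 3 = handshake complete
    payload_bytes: int = 0    # data carried in either direction
    reset_by_client: bool = False


def parse_line(line):
    """Return the fields we need from one tcpdump line, or None if it is not a TCP line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "src": d["src"],
        "dst": d["dst"],
        "flags": d["flags"],
        "len": int(d["len"]) if d["len"] else 0,
        "has_ack": d["ack"] is not None,
    }


def track_flows(lines):
    """Walk the capture and keep a small handshake state machine per flow."""
    flows = {}
    for line in lines:
        p = parse_line(line)
        if p is None:
            continue
        a, b = p["src"], p["dst"]
        key = (a, b) if (a, b) in flows else ((b, a) if (b, a) in flows else None)
        if key is None:
            # Only a bare SYN (no ack) opens a flow; anything else is mid-stream noise.
            if "S" in p["flags"] and not p["has_ack"]:
                flows[(a, b)] = Flow(client=a, server=b, stage=1)
            continue
        f = flows[key]
        from_client = a == f.client
        f.payload_bytes += p["len"]
        if f.stage == 1 and not from_client and "S" in p["flags"] and p["has_ack"]:
            f.stage = 2
        elif f.stage == 2 and from_client and p["flags"] == "." and p["has_ack"]:
            f.stage = 3
        if "R" in p["flags"] and from_client:
            f.reset_by_client = True
    return list(flows.values())


def classify(flow):
    if flow.reset_by_client and flow.stage == 3 and flow.payload_bytes == 0:
        return "handshake-then-reset, no payload"
    if flow.reset_by_client and flow.stage < 3:
        return "half-open reset"
    return "normal"


def find_probe_flows(lines):
    """Return (client, server, verdict) for every flow that is not an ordinary exchange."""
    return [(f.client, f.server, classify(f))
            for f in track_flows(lines) if classify(f) != "normal"]


if __name__ == "__main__":
    for client, server, verdict in find_probe_flows(SAMPLE_LINES):
        print(f"{client} -> {server}: {verdict}")
```

Feed it the output of a `tcpdump -vv "port 5666"` run on the monitored host (one packet per line, as in the post) and correlate the flagged client with the time the NRPE process disappeared; a real check_nrpe client always sends a request after the handshake, so a zero-payload reset right after the ACK is a scanner or probe, not a monitoring poll.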