Bug 12779

Summary: bug in rdate server and very easy DoS attack
Product: [Retired] Red Hat Linux Reporter: emmanuel.michon
Component: inetdAssignee: Jeff Johnson <jbj>
Status: CLOSED DUPLICATE QA Contact:
Severity: medium Docs Contact:
Priority: high    
Version: 6.2Keywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: i386   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2000-06-26 13:01:14 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description emmanuel.michon 2000-06-21 12:49:13 UTC
Hi,

I'm running a RH6.2 Linux box called ``bunker'' with 

</etc/inetd.conf excerpt>
...
time    stream  tcp     nowait  root    internal
...

bunker is used by other hosts on the LAN to get a correct
time with rdate (Solaris and Linux rdate clients running 
``rdate bunker'' in a cron).

Looking at open files (with /usr/sbin/lsof) you can see a
new entry at each connection  of a client.

inetd      3163 root   11u  IPv4     403354               TCP
bunker.izinet.au:time->bonnie.izinet.au:1697 (CLOSE_WAIT)

After some time the table of open files is full and other
applications stop working properly (syslog, cvs server (connection
reset by server: too many open files) resulting in typical denial
of service attack possibility.

Reproduce it by running on the server:

watch "/usr/sbin/lsof |grep time |wc -l"

and on a client

while true; do rdate bunker; done

[As a fix I thought that the socket should close itself when
the client calls close() or when the client process exits.
This does not happen and it seems there's no timeout on server
side socket open in TCP_WAIT state.]

Comment 1 emmanuel.michon 2000-06-26 13:01:12 UTC
Submitted a CERT vulnerability report

Comment 2 Jeff Johnson 2000-08-01 21:45:32 UTC

*** This bug has been marked as a duplicate of 14876 ***