Bug 12779 - bug in rdate server and very easy DoS attack
Status: CLOSED DUPLICATE of bug 14876
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: inetd
Version: 6.2
Hardware: i386 Linux
Target Milestone: ---
Assignee: Jeff Johnson
QA Contact:
Keywords: Security
Depends On:
Reported: 2000-06-21 12:49 UTC by emmanuel.michon
Modified: 2008-05-01 15:37 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2000-06-26 13:01:14 UTC


Description emmanuel.michon 2000-06-21 12:49:13 UTC

I'm running a RH6.2 Linux box called ``bunker'' with 

</etc/inetd.conf excerpt>
time    stream  tcp     nowait  root    internal

bunker is used by other hosts on the LAN to get a correct
time with rdate (Solaris and Linux rdate clients running 
``rdate bunker'' in a cron).

Looking at open files (with /usr/sbin/lsof) you can see a
new entry at each connection of a client.

inetd      3163 root   11u  IPv4     403354               TCP
bunker.izinet.au:time->bonnie.izinet.au:1697 (CLOSE_WAIT)

After some time the table of open files is full and other
applications stop working properly (syslog, cvs server (connection
reset by server: too many open files)), resulting in a typical denial
of service attack possibility.

Reproduce it by running on the server:

watch "/usr/sbin/lsof |grep time |wc -l"

and on a client

while true; do rdate bunker; done

[As a fix I thought that the socket should close itself when
the client calls close() or when the client process exits.
This does not happen and it seems there's no timeout on server
side socket open in TCP_WAIT state.]
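
A way to watch for the symptom reported above, added here as an example that is not part of the original report: the function tallies CLOSE_WAIT sockets per process and local service from lsof-style text on stdin. The sample lines are constructed around the single lsof line quoted in the report, and the threshold of 3 is an assumed value.

```shell
#!/bin/sh
# Added example: report processes holding many sockets in CLOSE_WAIT,
# i.e. connections the peer has closed but the local process has not.

close_wait_report() {
    # $1 = minimum CLOSE_WAIT count before a process is reported (assumed default 1)
    awk -v min="${1:-1}" '
        $NF == "(CLOSE_WAIT)" {
            # NAME column is "local->remote"; keep the local end only
            split($(NF-1), ends, "->")
            # the local service or port follows the last colon
            n = split(ends[1], parts, ":")
            key = $1 " " $2 " " parts[n]   # command, pid, local service
            count[key]++
        }
        END {
            for (k in count)
                if (count[k] >= min) print k, count[k]
        }
    ' | sort
}

# Constructed sample input: only the first CLOSE_WAIT line comes from the
# report; the other lines are made up for illustration.
sample_lsof() {
    cat <<'EOF'
inetd      3163 root    5u  IPv4       1201               TCP *:time (LISTEN)
inetd      3163 root   11u  IPv4     403354               TCP bunker.izinet.au:time->bonnie.izinet.au:1697 (CLOSE_WAIT)
inetd      3163 root   12u  IPv4     403361               TCP bunker.izinet.au:time->bonnie.izinet.au:1698 (CLOSE_WAIT)
inetd      3163 root   13u  IPv4     403370               TCP bunker.izinet.au:time->bonnie.izinet.au:1699 (CLOSE_WAIT)
sshd       2210 root    4u  IPv4     402118               TCP bunker.izinet.au:ssh->bonnie.izinet.au:1650 (ESTABLISHED)
cvs        4120 root    4u  IPv4     403990               TCP bunker.izinet.au:cvspserver->bonnie.izinet.au:1733 (CLOSE_WAIT)
EOF
}

# Output columns: command, pid, local service, number of CLOSE_WAIT sockets
sample_lsof | close_wait_report 3
```

On a live host the input would come from `/usr/sbin/lsof -i` instead of the sample, with a threshold suited to the normal connection rate.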

Comment 1 emmanuel.michon 2000-06-26 13:01:12 UTC
Submitted a CERT vulnerability report

Comment 2 Jeff Johnson 2000-08-01 21:45:32 UTC

*** This bug has been marked as a duplicate of 14876 ***
