Vulnerability

    inetd

Affected

    Solaris, Linux

Description

    Alla Bezroutchko stumbled upon something that looks like a bug  in
    inetd on Solaris.  If a Solaris box is portscaned by nmap with  -T
    Insane option (very quick scan) daemons that are started by  inetd
    stop responding.  That is you can connect to them, connection  get
    accepted, by they don't display  any banner or answer in  any way.
    It stays that  way until inetd  is restarted.   Other daemons (not
    started by inetd) seem to be unaffected by this.

    The  effect  depends  on  number  of  daemons  enabled  in   inetd
    configuration.  If  only one daemon  (ftp in my  case) is enabled,
    nothing happens at all.  Inetd with two daemons does hang but  not
    always.  Five daemons enabled make it hang every time.

    This was tested over a 10Mbps LAN against Solaris 7 and 8 on Sparc
    and Solaris 7 on Intel.  All three were affected.

    All linux versions are vulnerable as well, you can kill inetd over
    a 28.8 modem in less than 40 seconds ... you just need to  connect
    and disconnect really fast .....

Solution

    Properly  patched  Solaris  doesn't  seem  to  react  to intensive
    portscan  in  any  way.   Unpatched  Solaris  inetd  does hang and
    doesn't seem to do it on purpose.  It doesn't log anything and  it
    doesn't answer  to any  host connecting  to it,  not only  the one
    that did the  scan.  Inetd  sleeps on accept  syscall (normally it
    sleeps on poll) and stays that way until restarted.