From: SMTP%"everhart@mail09.mitre.org" 22-JAN-1998 17:22:50.12
To: everhart@gce.com (everhart@gce.com)
CC:
Subj: FWD: another attack on port 3020

----- Forwarded message follows -----
Date: Wed, 21 Jan 98 23:18:01 -0500
Reply-To: Common Internet File System
From: Andrew Tridgell
Subject: another attack on port 3020
To:

Just when you thought that 3020 could not get any worse, here is another attack on it.

This attack was mentioned on a FreeBSD mailing list when somebody proposed a change in the port number handling there.

The attack works on any Unix system where the SMB/CIFS daemon is launched via inetd. It goes like this:

    while true; do nc -z localhost 3020 ; done

That's all you need to do. The inetd daemon will notice that the service is looping and will close the port for 5 minutes. The port is then available to any user. A malicious user can run the above command, then start the posted port 3020 exploit.

I have tested this attack on a Linux box and it does work. Presumably it also works on FreeBSD, as that was the context for the message I saw. I have no idea how many other unixes are affected.

Privileged ports are there for a reason. If the above attack was made on a privileged port, then a denial of service attack would result. With port 3020 it is a security breach.

Of course, you could get all the unix vendors to fix their inetd implementations before releasing NT5. Or we could just save a lot of fuss and stick to 139. Or you could restrict SMB/CIFS daemons never to be run via inetd and only to be run as daemons. That is a severe restriction to impose when there is so little to be gained by the port number change.

Andrew

----------------------------------------------------------------
Users Guide http://www.microsoft.com/sitebuilder/resource/mailfaq.asp contains important info including how to unsubscribe.
Save time, search the archives at http://discuss.microsoft.com/archives/index.html
----- End of forwarded message -----
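Added detection example, not part of the forwarded message: it shows the two defender-side signals for the scenario Tridgell describes, the inetd "server failing (looping)" syslog message that marks the window in which inetd has released the port, and a LISTEN socket on that port owned by a non-root uid as read from the kernel's /proc/net/tcp table. The log and socket-table input is constructed, and "cifs" is an assumed /etc/services name for port 3020.

```python
# Added example; sample log and /proc/net/tcp data below are constructed.
# Signal 1: inetd's syslog line when it shuts down a looping service.
# Signal 2: a LISTEN socket (st == 0A) on the service port whose uid is not 0.
import re
from typing import List, Tuple

# Message text emitted by BSD-derived inetd when it gives up on a service.
LOOPING_RE = re.compile(
    r"inetd\[\d+\]: (?P<svc>[\w-]+)/(?P<proto>tcp|udp) server failing \(looping\)")

def looping_events(syslog_lines: List[str]) -> List[Tuple[str, str]]:
    """Return (service, proto) for each inetd 'looping' shutdown in the log."""
    events = []
    for line in syslog_lines:
        m = LOOPING_RE.search(line)
        if m:
            events.append((m.group("svc"), m.group("proto")))
    return events

def listeners(proc_net_tcp: str) -> List[Tuple[int, int]]:
    """Parse /proc/net/tcp text into (port, uid) pairs for LISTEN sockets."""
    found = []
    for line in proc_net_tcp.splitlines()[1:]:   # first line is the header row
        f = line.split()
        if len(f) < 8 or f[3] != "0A":           # 0A == TCP_LISTEN
            continue
        port = int(f[1].split(":")[1], 16)       # local_address is hex ip:port
        found.append((port, int(f[7])))          # column 8 is the owning uid
    return found

def unprivileged_owners(proc_net_tcp: str, port: int) -> List[int]:
    """Non-root uids holding a listener on `port`; a non-empty result means
    the port is no longer served by inetd/root and should be investigated."""
    return [uid for p, uid in listeners(proc_net_tcp) if p == port and uid != 0]

# Constructed sample input ("cifs" is an assumed /etc/services name for 3020).
SAMPLE_SYSLOG = [
    "Jan 21 23:18:01 host inetd[212]: cifs/tcp server failing (looping), service terminated.",
    "Jan 21 23:18:05 host sshd[301]: Accepted publickey for alice from 10.0.0.5",
]
SAMPLE_PROC_NET_TCP = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:008B 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1201 1 0 100 0 0 10 0
   1: 00000000:0BCC 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 1488 1 0 100 0 0 10 0
   2: 0100007F:0BCC 0100007F:9A2C 01 00000000:00000000 00:00000000 00000000  1000        0 1490 1 0 100 0 0 10 0
"""
```

Running `unprivileged_owners(SAMPLE_PROC_NET_TCP, 3020)` on the sample returns `[1000]`, while port 139 (0x008B, held by uid 0) returns an empty list.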