Re: TCPwrappers race condition

Nicolai E M Plum (nicolai-bugtraq@UUNET.PIPEX.COM)
Fri, 03 Oct 1997 10:06:12 +0000

Thamer Al-Herbish writes:
> TCPwrappers do a getpeername() after being passed the socket descriptor from
> inetd. On some OSs this can cause a problem, at least on SCO. It seems that
> if you connect real fast, and disconnect (just connect() then exit()), it
> winds up logging "unknown" as the hostname. This is because by the time
> tcpwrappers get to make that call the OS has already gotten a FIN and closed
> off the connection. I verified this with a sniffer.

This can also happen on Solaris and SunOS. We have had people connected on
dialup lines use a piece of software called ``Ponger32''. It claims to ping a
remote host to keep a line up, but actually makes a very short TCP connection
as described above (not very good design).

This causes a stream of notifications from TCPwrappers, but since TCPwrappers
should reject connections that cannot be authenticated, it does not weaken
security, but does cause a nuisance.

And indeed the only way to work out what is actually going on is to snoop the
network.

Nicolai
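
The fail-closed handling discussed in this thread, as an added example that is not part of the original posts and is not tcp_wrappers code: a service started by inetd calls getpeername() on descriptor 0 and refuses the connection whenever the peer cannot be identified. The helper name identify_peer() and the syslog tag are assumptions made for illustration.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <syslog.h>
#include <unistd.h>

/* identify_peer() is a hypothetical helper, not tcp_wrappers code.
 * Returns 1 and writes the peer's IPv4 address to host, or returns 0 and
 * writes "unknown" when the peer cannot be determined (for example because
 * it has already gone away, as in the post). */
int identify_peer(int fd, char *host, size_t len)
{
    struct sockaddr_in sin;
    socklen_t slen = sizeof(sin);

    memset(&sin, 0, sizeof(sin));
    if (getpeername(fd, (struct sockaddr *)&sin, &slen) == 0 &&
        sin.sin_family == AF_INET &&
        inet_ntop(AF_INET, &sin.sin_addr, host, len) != NULL)
        return 1;
    snprintf(host, len, "unknown");
    return 0;
}

/* inetd hands the accepted connection to the service as descriptor 0. */
int main(void)
{
    char host[INET_ADDRSTRLEN];

    openlog("peercheck", LOG_PID, LOG_DAEMON);
    if (!identify_peer(STDIN_FILENO, host, sizeof(host))) {
        /* Fail closed: an unidentified peer is logged and refused. */
        syslog(LOG_WARNING, "refused connect from %s", host);
        return 1;
    }
    syslog(LOG_INFO, "connect from %s", host);
    /* ... access-control lookup on host, then exec the real service ... */
    return 0;
}
```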