BSDI tcpmux DOS

Summary
Description: Apparently BSDI 2.0, 2.1, 3.0, and 3.1 servers with tcpmux enabled can be crashed with a fast portscanner.
Author: Mark Schaefer <marks@SHELL.FLINET.COM>
Compromise: DOS attack
Vulnerable Systems: BSDI 2.0, 2.1, 3.0, and 3.1 with tcpmux enabled and without patch M310-009
Date: 7 April 1998
Notes: Note the portscanner he used -- my nmap.
Details


Date: Tue, 7 Apr 1998 17:22:36 -0400
From: Mark Schaefer <marks@SHELL.FLINET.COM>
To: BUGTRAQ@NETSPACE.ORG
Subject: BSDI inetd crash

This is a serious bug in BSDI 3.1 servers.  One of my coworkers was
playing with the nmap utility which was mentioned here the other day, and
he managed to crash inetd on our servers.  We quickly duplicated the
attack against a Linux box running RedHat 4.2, and it did not happen.  I
tried again, myself, on a non-critical BSDI 3.1 server.  It happened
again.

The nmap command line used was (as a non-privileged user):
./nmap -p 1-64000 -i <target host>

I notified BSDI and they suggested that I remove the "tcpmux" entry from
the /etc/inetd.conf file.  After doing this, and attempting the attack
again, it did not result in a crash of inetd.  It was also mentioned that
patch M310-009 should have fixed this.  I tried the attack again, with
this new patch, and without tcpmux commented out, and it still didn't
crash inetd.

I would recommend patching up to M310-009, or commenting out this service
in tcpmux, which you should probably do anyway unless you know you're
using it.

Nmap can be obtained from:  http://www.dhp.com/~fyodor/nmap



Mark Schaefer             The Brigade Quake Clan http://www.thebrigade.com
System Administrator           Email me, it's faster, better, AND cheaper.
Florida Internet Corporation              Annex BBS telnet://bbs.annex.net
(561)615-0001                Bell Labs Unix -- Reach out and grep someone.
icq:2991916       Erwyn's AntiSpam Page http://www.flinet.com/~erwyn/spam/
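
The workaround described in the message above (commenting the tcpmux entry out of /etc/inetd.conf), as an added example that is not part of the original post or of BSDI's patch: a shell check that lists active tcpmux entries and writes a copy of the file with them commented out. It assumes the traditional BSD inetd.conf layout (service name in the first field, multiplexed services named with a `tcpmux/` prefix); the sample file is constructed.

```shell
#!/bin/sh
# Added example: audit an inetd.conf-style file for enabled tcpmux entries.
# Assumption: traditional BSD layout, service name in field 1. A commented-out
# line has a first field starting with '#', so it never matches below.

# Print "lineno:line" for every active tcpmux entry in file $1.
active_tcpmux() {
    awk '$1 == "tcpmux" || $1 ~ /^tcpmux\// { printf "%d:%s\n", NR, $0 }' "$1"
}

# Print file $1 with every active tcpmux entry commented out.
disable_tcpmux() {
    awk '$1 == "tcpmux" || $1 ~ /^tcpmux\// { print "#" $0; next }
         { print }' "$1"
}

# Constructed sample input (not taken from a real BSDI host).
sample_conf() {
    cat <<'EOF'
# Internet server configuration
ftp     stream  tcp  nowait  root  /usr/libexec/ftpd  ftpd -l
tcpmux  stream  tcp  nowait  root  internal
#tcpmux/+date stream tcp nowait guest /bin/date date
tcpmux/+date stream tcp nowait guest /bin/date date
EOF
}

# Demo on the constructed sample: report, then show the corrected file.
conf=$(mktemp)
fixed=$(mktemp)
sample_conf > "$conf"
echo "Active tcpmux entries (line:entry):"
active_tcpmux "$conf"
disable_tcpmux "$conf" > "$fixed"
echo "Corrected file:"
cat "$fixed"
rm -f "$conf" "$fixed"
```

On a real host, point `active_tcpmux` at /etc/inetd.conf, review the output of `disable_tcpmux` before installing it, and have inetd re-read its configuration afterwards.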

This page is part of Fyodor's exploit world.