Individual network services suffer from a great number of specific attacks, which are covered in later chapters devoted to the services themselves. Thankfully, the startup-script way of starting network services is fairly invulnerable to attacks. The inetd method suffers primarily from one well-known problem. As its purpose is to watch for network requests and start the appropriate servers to handle those requests, inetd could hardly have been better designed to facilitate denial of service (DoS) attacks.
Here is a brief listing of some recent reports on inetd vulnerabilities:
Denial of Service Vulnerability in inetd in Compaq Tru64 Unix (BugTraq ID 5242). A denial of service vulnerability exists in some versions of Compaq Tru64 Unix. Details on the vulnerability are not available, but patches to fix it are.
Denial of Service Vulnerability in inetd in Compaq Tru64 Unix (VU# 880624). A denial of service vulnerability exists in Compaq Tru64 Unix 5.1. As a result, inetd could stop accepting connections. Compaq made a patch available to fix this vulnerability.
Denial of Service Vulnerability in inetd in Red Hat 6.2 (CVE-2001-0309). The inetd distributed with Red Hat 6.2 does not properly close sockets for the internal services, such as chargen, daytime, and echo. This can result in a denial of service attack through connections to the internal services. Red Hat provided a patch to fix the problem.
FreeBSD inetd wheel Group File Read Vulnerability (CVE-2001-0196, BugTraq ID 2324). The inetd distributed with FreeBSD incorrectly sets up group privileges on child processes for identd. The vulnerability can allow attackers to read the first 16 bytes of files readable by group wheel. Attackers could potentially read the first entry of the encrypted password file and use that information to gain access to, or elevated privileges on, the local host. A FreeBSD patch was made available to fix the vulnerability.
With the most serious of the recent vulnerabilities, CVE-2001-0196, an attacker could potentially gain access to the host. In such situations, it is especially important to apply the patches that fix the problem, or to apply the recommended workaround if one is published before a patch becomes available.
Not surprisingly, however, most of the vulnerabilities involve denial of service. In the vulnerability documented by CERT's VU# 880624, a DoS vulnerability for Compaq Tru64, the DoS attack results in inetd refusing to accept further connections and the machine losing all network connectivity. It's arguable whether this is a worse vulnerability than having inetd continue to accept connections and run the machine out of process resources instead, but almost any version of Unix will be affected in some fashion by an attempted DoS attack against inetd.
In an attempt to mitigate this mode of attack, xinetd has been created as a replacement for the functionality of inetd. xinetd, pronounced, according to its authors, "zye-net-d," has been designed to allow for some protection in spite of the inherently DoS-friendly nature of the job it does. Among its features, discussed in greater length later in this chapter, are the capability to throttle particular connections to prevent overwhelming the machine with service requests, and to place limits on the number of connections to particular services, automatically blocking remote machines that appear to be attempting to conduct DoS attacks against it.