From marks@SHELL.FLINET.COM Wed Apr  8 01:43:39 1998
From: Mark Schaefer 
To: BUGTRAQ@NETSPACE.ORG
Date: Tue, 7 Apr 1998 17:22:36 -0400
Subject: BSDI inetd crash

This is a serious bug in BSDI 3.1 servers.  One of my coworkers was
playing with the nmap utility which was mentioned here the other day, and
he managed to crash inetd on our servers.  We quickly duplicated the
attack against a Linux box running RedHat 4.2, and it did not happen.  I
tried again, myself, on a non-critical BSDI 3.1 server.  It happened
again.

The nmap command line used was (as a non-priviledged user):
./nmap -p 1-64000 -i 

I notified BSDI and they suggested that I remove the "tcpmux" entry from
the /etc/inetd.conf file.  After doing this, and attempting the attack
again, it did not result in a crash of inetd.  It was also mentioned that
patch M310-009 should have fixed this.  I tried the attack again, with
this new patch, and without tcpmux commented out, and it still didn't
crash inetd.

I would recommend patching up to M310-009, or commenting out this servince
in tcpmux, which you should probably do anyway unless you know you're
using it.

Nmap can be obtained from:  http://www.dhp.com/~fyodor/nmap



BSDI-2.1 is vulnerable too.

This not only affects BSDi BSD/OS 3.1 but 3.0, 2.1, & 2.0. It also crashes
when the Win 95/NT program portscan.exe (made by 7thsphere) is run against
the host.