The bad thing is that the cupsd process goes to 98% CPU and stays there... (normally, while listening, it is at about 1%). I waited one hour, and I need to stop and restart cupsd to
return to the normal state (on SMP I can still print a test page with cupsd at
98.4% of CPU for 20 mins).
I tried to find the boundaries of the problem and give you info to
reproduce.... please read the details to reproduce in the attachment....;o)
Only for info: at the end of the attachment there is the nessus log, interrupted soon
after the cupsd hang.
If you don't interrupt, there are more false positives like this in the email, and
that fooled me when I tried subsets of plugins....;o/
I tried the test with nessus-1.0.5-1 with all plugins and no optimization (also the
extra plugins as of today). I got this message from nessus:
----------------------------------[...]
. Vulnerability found on port unknown (631/tcp) :
The remote web server seems to crash when it is issued
a too long argument to the 'Accept:' command :
Exemple :
GET / HTTP/1.0
Accept: <thousands of chars>/gif
This may allow an attacker to execute arbitrary code on
the remote system.
Solution : Contact your vendor for a patch.
Risk factor :
High
----------------------------------[...]
--
Franco Silvestro
c/o CeSIA - Universita' degli Studi di Bologna
My NOTES:
The test is on this laptop: PIII 500/650, 512MB RAM....
qtcups-1.0-13mdk
cups-devel-1.1.3-13mdk
kups-0.8-21mdk
qtcups-devel-1.0-13mdk
kups-devel-0.8-21mdk
cups-1.1.3-13mdk
cups-drivers-0.3.6-25mdk
=================================
----------Same behaviour also on:
SMP 2xPII300, 320MB RAM....
qtcups-1.0-12mdk
cups-devel-1.1.3-13mdk
kups-0.8-21mdk
qtcups-devel-1.0-13mdk
kups-devel-0.8-21mdk
cups-1.1.3-13mdk
cups-drivers-0.3.6-24mdk
----------Same behaviour also on:
An old P120, 64MB RAM...
cups-1.1.2-12mdk
cups-drivers-0.3.6-6mdk
=================================
Replaced my IP with : xxx.xxx.xxx.xxx
Replaced MyHost.MyDomain with : MyHost.MyDomain
*****************TO REPRODUCE***********************
Every time I tried, on all PCs, it happened that cupsd went to more than 98% of CPU and stayed there until I did './cups restart'; it happens soon after the 'stream.c' test, at ~2/3 of the progress bar.
I tried with subsets of plugins to narrow down the problem but I had no luck...;o/ (too much time for every test...)
(I began with more configuration in prefs, all ports, and on many PCs.... I could reduce it to only connect(), and that is sufficient to reproduce the CPU hang)
I have the PCs connected with a fast link (on a 10/100 switch), but traffic is not much during the plugin tests and before-during-after the cupsd hang... ~20K
With this cupsd it hangs every time
---------------------------------
In nessusd.conf I changed to checks_read_timeout = 5 for speed
On nessus client:
Plugins : Enable all (updated with last 20001005 all.tar.gz on last nessus-1.0.5-1 downloaded from www.nessus.org)
Prefs : TCP scanning technique only : connect()
: No ping and no other configuration from default
Scan options : Port range : 1-1024
: Optimize the test
: Nmap tcp connect() scan
==============================================================
Only for info, this is the nessus log, interrupted soon after the cupsd hang.
If you don't interrupt, there are more false positives like that in the email, and that fooled me when I tried subsets....;o/
Nessus Scan Report
------------------
SUMMARY
- Number of hosts which were alive during the test : 1
- Number of security holes found : 3
- Number of security warnings found : 7
- Number of security notes found : 4
TESTED HOSTS
xxx.xxx.xxx.xxx (Security holes found)
DETAILS
+ xxx.xxx.xxx.xxx :
. List of open ports :
o telnet (23/tcp) (Security warnings found)
o ssh (22/tcp) (Security notes found)
o smtp (25/tcp) (Security hole found)
o auth (113/tcp) (Security warnings found)
o printer (515/tcp)
o unknown (631/tcp) (Security warnings found)
o unknown (1024/tcp)
o general/udp (Security notes found)
o general/icmp (Security warnings found)
. Warning found on port telnet (23/tcp)
The Telnet service is running.
This service is dangerous in the sense that
it is not ciphered - that is, everyone can sniff
the data that passes between the telnet client
and the telnet server. This includes logins
and passwords.
You should disable this service and use OpenSSH instead.
(www.openssh.com)
Solution : Comment out the 'telnet' line in /etc/inetd.conf.
Risk factor : Low
CVE : CAN-1999-0619
. Information found on port telnet (23/tcp)
Remote telnet banner :
Welcome to MyHost.MyDomain
. Information found on port ssh (22/tcp)
Remote SSH version :
ssh-1.99-openssh_2.2.0p1
. Vulnerability found on port smtp (25/tcp) :
The remote SMTP server did not complain when issued the
command :
MAIL FROM: root@this_host
RCPT TO: |testing
This probably means that it is possible to send mail directly
to programs, which is a serious threat, since this allows
anyone to execute arbitrary command on this host.
NOTE : ** This security hole might be a false positive, since
some MTAs will not complain to this test, and instead will
just drop the message silently **
Solution : upgrade your MTA or change it.
Risk factor : High
CVE : CAN-1999-0163
. Vulnerability found on port smtp (25/tcp) :
The remote SMTP server did not complain when issued the
command :
MAIL FROM: root@this_host
RCPT TO: /tmp/nessus_test
This probably means that it is possible to send mail directly
to files, which is a serious threat, since this allows
anyone to overwrite any file on the remote server.
NOTE : ** This security hole might be a false positive, since
some MTAs will not complain to this test and will
just drop the message silently. Check for the presence
of file 'nessus_test' in /tmp ! **
Solution : upgrade your MTA or change it.
Risk factor : High
CVE : CVE-1999-0096
. Vulnerability found on port smtp (25/tcp) :
The remote SMTP server did not complain when issued the
command :
MAIL FROM: |testing
This probably means that it is possible to send mail
that will be bounced to a program, which is
a serious threat, since this allows anyone to execute
arbitrary command on this host.
NOTE : ** This security hole might be a false positive, since
some MTAs will not complain to this test, but instead
just drop the message silently **
Solution : upgrade your MTA or change it.
Risk factor : High
CVE : CAN-1999-0203
. Warning found on port smtp (25/tcp)
The remote STMP server seems to allow remote users to
send mail anonymously by providing a too long argument
to the HELO command (more than 1024 chars).
This problem may allow bad guys to send hate
mail, or threatening mail using your server
and keep their anonymity.
Risk factor : Low.
Solution : If you are using sendmail, upgrade to
version 8.9.x. If you do not run sendmail, contact
your vendor.
CVE : CAN-1999-0098
. Warning found on port smtp (25/tcp)
The remote SMTP server is vulnerable to a redirection
attack. That is, if a mail is sent to :
user@hostname1@victim
Then the remote SMTP server (victim) will happily send the
mail to :
user@hostname1
Using this flaw, an attacker may route a message
through your firewall, in order to exploit other
SMTP servers that can not be reached from the
outside.
*** THIS WARNING MAY BE A FALSE POSITIVE, SINCE
SOME SMTP SERVERS LIKE POSTFIX WILL NOT
COMPLAIN BUT DROP THIS MESSAGE ***
Solution : if you are using sendmail, then at the top
of ruleset 98, in /etc/sendmail.cf, insert :
R$*@$*@$* $#error $@ 5.7.1 $: '551 Sorry, no redirections.'
Risk factor :
Low
. Warning found on port smtp (25/tcp)
The remote SMTP server allows the relaying. This means that
it allows spammers to use your mail server to send their mails to
the world, thus wasting your network bandwidth.
Risk factor : Low/Medium
Solution : configure your SMTP server so that it can't be used as a relay
any more.
CVE : CAN-1999-0512
. Information found on port smtp (25/tcp)
Remote SMTP server banner :
MyHost.MyDomain ESMTP Postfix (Postfix-19991231-pl08)
(Linux-Mandrake)
502 Error: command not
implemented
. Warning found on port auth (113/tcp)
The 'ident' service provides sensitives informations
to the intruders : it mainly says which accounts are running which
services. This helps attackers to focus on valuable services [those
owned by root]. If you don't use this service, disable it.
Risk factor : Low.
Solution : comment out the 'auth' line in /etc/inetd.conf
CVE : CAN-1999-0629
. Warning found on port unknown (631/tcp)
a web server is running on this
port
. Information found on port general/udp
For your information, here is the traceroute to xxx.xxx.xxx.xxx :
xxx.xxx.xxx.xxx
. Warning found on port general/icmp
The remote host answers to an ICMP timestamp
request. This allows an attacker to know the
date which is set on your machine.
This may help him to defeat all your
time based authentifications protocols.
Solution : filter out the icmp timestamp
requests (13), and the outgoing icmp
timestamp replies (14).
Risk factor : Low
CVE : CAN-1999-0524
------------------------------------------------------
This file was generated by the Nessus Security Scanner
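An added example, not part of the original message and not code from Nessus or CUPS: a small Python parser for the plain-text report format shown above. It turns each ". Vulnerability/Warning/Information found on port ..." block into a record, recomputes the SUMMARY counts from the DETAILS, and separates out the holes and warnings whose own text admits they may be false positives, which is exactly the triage the report above needs. The embedded SAMPLE_REPORT is a constructed excerpt in the same layout, not a scan of a real host, and 192.0.2.10 is a documentation address.

```python
# Added example: parser for the plain-text report written by Nessus 1.0.x.
# SAMPLE_REPORT is a constructed excerpt in the layout of the scan above,
# not a capture of a real host; 192.0.2.10 is a documentation address.
import re
from dataclasses import dataclass, field

SAMPLE_REPORT = """\
Nessus Scan Report
------------------
DETAILS
+ 192.0.2.10 :
. List of open ports :
o ssh (22/tcp) (Security notes found)
o smtp (25/tcp) (Security hole found)
o unknown (631/tcp) (Security warnings found)
. Information found on port ssh (22/tcp)
Remote SSH version :
ssh-1.99-openssh_2.2.0p1
. Vulnerability found on port smtp (25/tcp) :
The remote SMTP server did not complain when issued the command :
MAIL FROM: root@this_host
RCPT TO: |testing
NOTE : ** This security hole might be a false positive, since
some MTAs will just drop the message silently **
Risk factor : High
CVE : CAN-1999-0163
. Warning found on port unknown (631/tcp)
The remote web server seems to crash when it is issued
a too long argument to the 'Accept:' command.
Risk factor :
High
------------------------------------------------------
This file was generated by the Nessus Security Scanner
"""

SEVERITY = {"Vulnerability": "hole", "Warning": "warning", "Information": "note"}
# ". Warning found on port smtp (25/tcp)"  ->  kind, port
FINDING_RE = re.compile(r"^\.\s+(Vulnerability|Warning|Information) found on port (.+?)\s*:?\s*$")
# "o smtp (25/tcp) (Security hole found)"  ->  "smtp (25/tcp)"
PORT_RE = re.compile(r"^o\s+(.+?)(?:\s+\(Security [^)]*\))?$")
FIELD_RE = re.compile(r"^(Risk factor|CVE)\s*:\s*(.*)$")


@dataclass
class Finding:
    severity: str      # "hole", "warning" or "note"
    port: str          # e.g. "smtp (25/tcp)"
    text: list = field(default_factory=list)
    risk: str = ""
    cve: str = ""

    @property
    def maybe_false_positive(self):
        # Nessus 1.0 plugins state their own uncertainty inside the finding text.
        return any("false positive" in line.lower() for line in self.text)


def parse_report(report):
    """Return (findings, open_ports) for a single-host report."""
    findings, open_ports, current, want_risk = [], [], None, False
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        if set(line) == {"-"}:          # a rule of dashes ends the current finding
            current = None
            continue
        m = FINDING_RE.match(line)
        if m:
            current = Finding(SEVERITY[m.group(1)], m.group(2).strip())
            findings.append(current)
            want_risk = False
            continue
        if current is None:             # outside any finding only the port list matters
            pm = PORT_RE.match(line)
            if pm:
                open_ports.append(pm.group(1))
            continue
        if want_risk:                   # "Risk factor :" had its value on the next line
            current.risk, want_risk = line.rstrip("."), False
            continue
        fm = FIELD_RE.match(line)
        if fm:
            key, value = fm.groups()
            if key == "CVE":
                current.cve = value
            elif value:
                current.risk = value.rstrip(".")
            else:
                want_risk = True
            continue
        current.text.append(line)
    return findings, open_ports


def count_by_severity(findings):
    """Recompute the SUMMARY counters from the DETAILS blocks."""
    counts = {"hole": 0, "warning": 0, "note": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


def needs_manual_check(findings):
    """Holes and warnings whose own text admits they may be false positives."""
    return [f for f in findings if f.severity != "note" and f.maybe_false_positive]


if __name__ == "__main__":
    fs, ports = parse_report(SAMPLE_REPORT)
    print("open ports:", ", ".join(ports), "| counts:", count_by_severity(fs))
    for f in fs:
        flag = "  <- verify by hand" if f.maybe_false_positive else ""
        print(f"[{f.severity}] {f.port} risk={f.risk or '-'} cve={f.cve or '-'}{flag}")
```

The parser keys on the three structural cues the format actually has: a finding header starting with ". ", a "Risk factor :" / "CVE :" field (with the risk value sometimes pushed to the following line, as in the report above), and a rule of dashes that closes the report. Everything else inside a finding is kept as free text, which is where the plugins put their own "might be a false positive" notes, so the triage list is computed from the report itself rather than from a hard-coded list of plugin names.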