Scanning with nmap creates DoS when Xvnc is started from xinetd
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
vnc4 (Ubuntu) | New | Undecided | Unassigned |
Bug Description
Hi,
I run Xvnc -inetd from xinetd in nowait mode, and I noticed that, after scanning my system with nmap, Xvnc was hung and taking 100% CPU time.
I'm running Ubuntu Hardy 8.04.3.
Versions of packages:
xinetd 1:2.3.14-5
vnc4server 4.1.2 (Francesco Santini's packages, mentioned in https:/
Also confirmed with vnc4server 4.1.1+xorg1.
STEPS TO REPRODUCE:
Install vnc4server, nmap, and xinetd.
Put in xinetd.conf:
service vnc
{
    interface = 127.0.0.1
    only_from = 127.0.0.1
    type = UNLISTED
    protocol = tcp
    port = 5900
    disable = no
    wait = no
    user = nobody
    group = nogroup
    server = /usr/bin/Xvnc
    server_args = -inetd -query localhost -once -SecurityTypes=none -extension XFIXES
}
Run /etc/init.d/xinetd restart
Run nmap localhost
Now run top, and you'll see an entry like this:
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
32352 nobody 20 0 9084 4924 2144 R 100 0.2 0:09.98 Xvnc
--- Xvnc takes 100% of cpu time.
I run Xvnc only on a local interface in my setup, and it would be weird to run it on a port open to the internet since there's no encryption, but the possibility of such an easy way to do a denial of service should be fixed.
If it were fixed, it would notice that the connection was closed, and shut itself down.
Thanks!
-Thomas Smith
security vulnerability: yes → no
visibility: private → public
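
The behaviour the report asks for ("notice that the connection was closed, and shut itself down"), as an added example that is not Xvnc's code and not from the reporter: an inetd-style service loop that treats a zero-byte read on its inherited socket as a closed connection and exits instead of looping. The report does not identify the root cause in Xvnc; `serve_fd`, the result codes and the 30-second idle timeout are assumptions made for illustration.

```c
/* Added illustration, not Xvnc source: an inetd-style service loop that
 * exits when the peer closes, instead of spinning on a readable-at-EOF fd. */
#include <errno.h>
#include <poll.h>
#include <sys/socket.h>
#include <unistd.h>

enum serve_result { PEER_CLOSED = 0, IO_ERROR = -1, IDLE_TIMEOUT = -2 };

/* Hypothetical helper: serve one connection on fd (xinetd passes the
 * accepted socket as fd 0 when wait = no). Adds bytes consumed to *total. */
int serve_fd(int fd, int idle_ms, long *total)
{
    char buf[512];
    struct pollfd p = { .fd = fd, .events = POLLIN };

    for (;;) {
        int n = poll(&p, 1, idle_ms);
        if (n < 0) {
            if (errno == EINTR) continue;
            return IO_ERROR;
        }
        if (n == 0)
            return IDLE_TIMEOUT;        /* no traffic: give up, do not linger */
        if (p.revents & (POLLERR | POLLNVAL))
            return IO_ERROR;

        /* POLLIN and POLLHUP both land here: drain pending data, then hit EOF. */
        ssize_t r = read(fd, buf, sizeof buf);
        if (r == 0)
            return PEER_CLOSED;         /* EOF: a closed socket stays "readable" forever */
        if (r < 0) {
            if (errno == EINTR || errno == EAGAIN) continue;
            return IO_ERROR;            /* e.g. ECONNRESET from an aborted connection */
        }
        *total += r;                    /* a real server would parse protocol bytes here */
    }
}

int main(void)
{
    long total = 0;
    /* Assumption: started by xinetd, so stdin is the client socket. */
    return serve_fd(STDIN_FILENO, 30000, &total) == PEER_CLOSED ? 0 : 1;
}
```

A loop that ignores the `r == 0` case is woken by `poll` on every iteration with nothing to read, which is one common way a single connect-and-disconnect client leaves a process at 100% CPU.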