October 3rd, 2002, 01:05 AM
Was this responible disclosure
Got this off of bugtraq:
Unisys "Clearpath" mainframes are very sensitive to the probes of nmap and
similar programs. Basically, by only port-scanning (not even
fingerprinting), you can cause the entire machine to seize up. (Yes, the
whole machine...not just a job or the TCP/IP device.)
The problem may be occurring because the host fires up a job to log each
incomplete TCP handshake - other people have suggested a problem with the
TCP/IP stack on the iron, but I really don't know for sure.
I know people might think that I am just DOS'ing the machine, but I got
this to happen with "nmap -T Normal" and it happens even easier at higher
speeds. If I do the same scans against Windows, *nix, VAX, or any other
type of TCP/IP devices I can find, the target machine continues to respond
after the scan. (Even on some 20mhz DOS machines running a custom build of
TCP/IP!) It's only the Clearpaths which seem to nose-dive.
Lest you think I am complaining about a problem on a single machine, let me
assure you I have seen this happen three different times at three different
locations (2 financial data centers and 1 bank) on three different
machines. I wrote this report after another security researcher
mentioned privately to me that he observed the same thing.
So...what's my advice? Don't use nmap or other port scanners against a
Clearpath - it will probably be fatal.
Say hello to my little friend: "nmapnt 10.0.0.8 -p 1-1023 -T Normal" (If
that doesn't work, make it less polite. Watch the "SPO" for added fun.)
* * * Vendor notification
Unisys field engineers have been notified of each occurrence at the various
sites. (I saw my first one go down in October 2001, saw the third do it
about a week ago. All were on current releases.)
Also notified Fyodor (of nmap) and submitted the "Unisys Clearpath NX"
fingerprints I had.
The problem I see with this is it appears that Unisys has not fixed the problem. If that's the case then this individual just gave all the kiddies the key to downing these mainframes! No wonder people like HP want to sue all of us...Does anybody else see this the way I do?
October 3rd, 2002, 07:17 AM
the problem existed since before oct last year, the manufacture was notified long before this release. yes id have to say this was responsibe disclosure.
if seeing this dosn't cause a security person to react nothing will, and it is the job of a security specialist to look for this this type of thing at security sites.
Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”