Chargen denial of service (Chargen Denial of Service)

About this signature or vulnerability

BlackICE:


Default risk level

Medium risk vulnerability  Medium

Sensors that have this signature

BlackICE: 3.0

Systems affected

IBM eventsmanager-multiple-xss, Wind River BSDOS, HP HP-UX, SGI IRIX, Linux Kernel, Sun Solaris, IBM OS2, Microsoft Windows 95, Data General DG/UX, Microsoft Windows NT: 4.0, Microsoft Windows 98, Novell NetWare, SCO SCO Unix, Microsoft Windows 98SE, Microsoft Windows 2000, Cisco IOS, Microsoft Windows Me, Compaq Tru64, Microsoft Windows XP, Apple Mac OS, Microsoft Windows 2003 Server, Microsoft Windows Vista, Microsoft Windows 7, Microsoft Windows Server 2008, Microsoft Windows Server 2008: R2, Microsoft Windows Server 2012, Microsoft Windows 8

Type

Denial of Service

Vulnerability description

The chargen service was detected as running. The chargen (port 19) service can be spoofed into sending data from one service on one computer to another service on another computer. This action causes an infinite loop and creates a denial of service attack. The attack can consume increasing amounts of network bandwidth, causing loss of performance or a total shutdown of the affected network segments.

In addition, URLs such as "http://localhost:19" could cause a similar denial of service to a system running Lynx and chargen. Netscape Navigator disallows access to port 19 and is not vulnerable.

This attack can effectively disable a Unix server by causing it to spend all its time processing packets that it has echoed back to itself.

How to remove this vulnerability

Disable the service, unless it is needed.

In Unix: To disable chargen when started from inetd:

  1. Edit the /etc/inetd.conf (or equivalent) file.
  2. Locate the line that controls the chargen daemon.
  3. Type a # at the beginning of the line to comment out the daemon.
  4. Restart inetd.

Windows: The chargen service is not native to Windows, but may be present.

CAUTION: Use Registry Editor at your own risk. Any change using Registry Editor may cause severe and irreparable damage and may require you to reinstall your operating system. Internet Security Systems cannot guarantee that problems caused by the use of Registry Editor can be solved.

To disable only the chargen service:

  1. Open the registry editor.
  2. Go to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SimpTcp\Parameters.
  3. Double-click the EnableTcpChargen key to display the DWORD Editor.
  4. Replace the value in the Data field with 0.
  5. Click OK.
  6. Repeat steps 3 through 5 for the EnableUdpChargen key.
  7. To implement your changes, stop and restart the Simple TCP/IP Service.

Novell:

Disable the chargen port as described in Novell Technical Information Document #2946023:

  1. Install NIAS4.0 or later.
  2. Load INETCFG —> Protocols —> TCP/IP, and set filter support to ENABLED.
  3. Load FILTCFG —> TCP/IP —> Packet Forwarding filters, and set the status to ENABLED.
  4. Verify that the action is Deny packets in filter list. Press ENTER on "(Filters: list of denied packets)".
  5. Press INSERT go to packet type: Name: <all>.
  6. Press ENTER, find the port chargen TCP 19.
  7. Press ENTER, ESCAPE, save filters: YES.

References

CERT Advisory CA-1996-01
UDP Port Denial-of-Service Attack
http://www.cert.org/advisories/CA-1996-01.html

BugTraq Mailing List, Mon, 10 Mar 1997 15:05:20 -0500
Lynx/MSIE denial-of-service
http://archives.neohapsis.com/archives/bugtraq/1997_1/0264.html

Novell Technical Information Document #2946023
TCPIP blocking ports (7, 9, 19, etc)
http://support.novell.com/cgi-bin/search/searchtid.cgi?/10022164.htm

ISS X-Force
Chargen denial of service
http://www.iss.net/security_center/static/36.php

CVE
CVE-1999-0103
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0103