[Pkg-utopia-maintainers] Bug#614785: avahi-daemon uses 100% of cpu when scanned with nmap (DoS possible?)

Alexander Kurtz kurtz.alex at googlemail.com
Wed Feb 23 12:36:12 UTC 2011


Package: avahi-daemon
Version: 0.6.27-2
Tags: security
Severity: critical
Justification: Introduces possible denial-of-service scenario.

Hi,

When I scan my server from another machine on the network using nmap, I
get this:

	# nmap -sU -p5353 192.168.2.2

	Starting Nmap 5.00 ( http://nmap.org ) at 2011-02-23 13:15 CET
	Interesting ports on 192.168.2.2:
	PORT     STATE         SERVICE
	5353/udp open|filtered zeroconf
	MAC Address: XX:XX:XX:XX:XX:XX (Netgear)

	Nmap done: 1 IP address (1 host up) scanned in 0.50 seconds
	# 

As soon as the scan starts, avahi-daemon on the server starts running
amok; top shows this:

	  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
	 5535 avahi     20   0 33884 1600 1280 R  100  0.0   2:28.47 avahi-daemon

Restarting avahi-daemon is not possible: 

	# /etc/init.d/avahi-daemon restart
	Restarting Avahi mDNS/DNS-SD Daemon: avahi-daemonFailed to kill daemon: Timer expired
	.
	#

Simply terminating the process doesn't work either: 

	# ps -Af | grep avahi-daemon
	avahi     5535     1 87 13:14 ?        00:04:43 avahi-daemon: running [server.local]
	avahi     5536  5535  0 13:14 ?        00:00:00 avahi-daemon: chroot helper
	root      5610  5581  0 13:20 pts/2    00:00:00 grep avahi-daemon
	# kill 5535
	# ps -Af | grep avahi-daemon
	avahi     5535     1 88 13:14 ?        00:05:02 avahi-daemon: running [server.local]
	avahi     5536  5535  0 13:14 ?        00:00:00 avahi-daemon: chroot helper
	root      5614  5581  0 13:20 pts/2    00:00:00 grep avahi-daemon
	#

Forcibly killing the process works:

	# kill -9 5535
	# ps -Af | grep avahi-daemon
	root      5629  5581  0 13:23 pts/2    00:00:00 grep avahi-daemon
	# 

I don't know what kind of data nmap sends when scanning for open UDP
ports, but it definitely shouldn't cause avahi-daemon to run amok.

Please note that I have not changed the Avahi configuration in any way,
so you should be able to reproduce this easily. Please tell me if you
need any more information!

Best regards

Alexander Kurtz