Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: SuSE Linux 6.x 7.0 Ident buffer overflow
From: Roman Drahtmueller <draht () SUSE DE>
Date: Wed, 29 Nov 2000 05:50:05 +0100

Platforms: SuSE Linux 6.x 7.0
Risk Level: High
Author: Niels Heinen
Vendor Status: Notified patches will be available today.
***************************************************************************

First off, we thank Niels Heinen for contacting us at our security contact
address security () suse de  We have agreed on this date to release the
information about the bug.

Impact of the vulnerability:
====================

This advisory details a buffer overflow vulnerability under SuSE Linux
that can enable a malicious user to cause Identification Protocol
(Ident) handling to crash. Due to the overflow, the system will no
longer be able to establish certain connections which use Ident, for
example IRC (Internet Relay Chat) connections. If the Ident daemon is
not running, users wishing to connect to IRC will not be allowed to
make a connection. In the this case the vulnerability could be used in
a denial of service attack to keep a person of irc. It's not clear at
this present time whether this vulnerability could be exploited in
such a way that arbitrary code is executed. If so, this will happen
with the privileges of the user "nobody" in a default installation.

Thomas Biege, Sebastian Krahmer, Adrian Schröter and myself have been
looking at the code, each of us having found a glitch (the multithreaded
implementation makes debugging an interesting adventure! :-). It turned
out that the daemon dies because of a misinterpretation of the return
value of vsnprintf() (which was subject to a change in glibc2.1).
 Upon detecting that the buffer is too short to keep the data, the daemon
decides to "int *p = (int *) NULL; *p = 4711;", or, in other words,
segfault and commit suicide. This is bright because a return address on
the stack that might have been overwritten is not used (An actual buffer
overflow doesn't take place, though.). OTOH, it's not very bright since
the auth service is denied as a consequence of the daemon shooting itself
in the foot. The risk imposed by the crashed daemon is considerably low.

Personally, I find that this behaviour suits the necessity and the
usefulness of the protocol itself.

Who's vulnerable ?
==============

This vulnerability has been tested on SuSE version 6.x and version
7.0. Previous versions may also be affected. Further testing will
reveal whether other Linux distributions are vulnerable.

in.identd in older releases of the SuSE Linux distribution can be crashed,
too. Other vendors ship this daemon, too, and will release advisories
about the issue soon.

With the release of the SuSE-7.0 distribution, the in.identd daemon is
contained in a seperate package - before 7.0, it was included in the nkitb
package. We will provide updates for the 6.x and 7.0 distributions as
usual, but it will take another few days since changes in the nkitb
package need thorough testing.

In the meanwhile, you may want to disable the service by changing
START_IDENTD="yes"   # default
to
START_IDENTD="no"
 in /etc/rc.config and by killing the daemon (`killall in.identd´. Thanks
to Niels for pointing this out, too.

If you want to know more about the identd, please install the package
"rfc" that can be found in the documentation series of all SuSE
distributions and read rfc1413.txt, to be found in /usr/doc/rfc or
/usr/share/doc/rfc (SuSE-7.0).

Thanks,
Roman.
--
 -                                                                      -
| Roman Drahtmüller      <draht () suse de> //          "Caution: Cape does |
  SuSE GmbH - Security           Phone: //       not enable user to fly."
| Nürnberg, Germany     +49-911-740530 // (Batman Costume warning label) |
 -                                                                      -


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault