Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

rident.pl 0.9 file "deletion" and PID files modification
From: Martin <broadcast () mail ptraced net>
Date: Wed, 24 Mar 2004 11:16:38 -0300

Advisory attached.
Future advisories may be found at http://broadcast.ptraced.net

rident.pl 0.9.1b file "deletion" and PID files modification.

Martin (broadcast () mail ptraced net)

-------------------
Program Description
-------------------

Random Ident server (ridentd)

"This server application is meant for the totally paranoid that need 
access
to servers that require ident and don't want to give any information
about local users to the remote server or its other users.

...

The really paranoid may wish to start ridentd a few times a day 
from their cron in order to reseed both the random set of dictionary 
words
and the port modulo. When using in the cron it is adviced to use the 
'SILENT' option."

-----------------------------------
Problem Description and Explotation
-----------------------------------

$ ./ridentd.pl 

***** Random Ident Server 0.9.0b *****
* Using file /usr/lib/ispell/britishmed+.hash
* Counting usable words
* Generating random selection of 1184 from 38642
* Generating insertion table    
* Aquiring names
* 1184 words fetched             
  (local ports belonging to each uniq modulus of 1184 get
   a dictionary word assigned to them)
Need to be root to bind to the ident port

$ ls -l /tmp

lrwxrwxrwx    1 broadcast broadcast        4 2004-03-21 20:52 rident.pid -> sexy
-rw-r--r--    1 broadcast broadcast        4 2004-03-21 20:52 sexy

$ cat sexy
123

$ su -
Password: 

# ./rident.pl

***** Random Ident Server 0.9.0b *****
* Using file /usr/lib/ispell/britishmed+.hash
* Counting usable words
* Generating random selection of 2212 from 38642
* Generating insertion table    
* Aquiring names
* 2212 words fetched             
  (local ports belonging to each uniq modulus of 2212 get
   a dictionary word assigned to them)
* PID file found
* Checking for process with pid 123
* pid file apears to be old
* Binding to port 113
* Forking to background
* BG Process active
* BG Process seting uid/gid to nobody 65534/65534
* Looking if we can do socketpair lookups : Yep: LINUX

# cat /tmp/sexy
20199 

# exit

PID Files modification. Any user could link /tmp/rident.pid to any PID 
file. In fact, any user could link it to a file that only contains 
numerical characters. 

  unless ($opid =~ /^\d+$/)
  {
    print "HEY, SOMEONE F*CKED UP MY PIDFILE /tmp/rident.pid\n";
    exit;
  }

Potty mouth. Censored.
That's the starting point of the race, which ends in:

if ($pid)
{
  open(PID,">/tmp/rident.pid");
  print PID "$pid\n";
  close(PID);
  exit;
}

Winning the race will make the daemon write the PID number of the 
process into any file.

------------------
Possible Solutions
------------------

Discontinuing use of LSD may help with the paranoia.
Add a real check when opening /tmp/rident.pid instead of a regexp.
Discontinue the use of foul language.
Add another real check when reopening /tmp/rident.pid.

----------------
Vendor Contacted
----------------

Not yet.

------------
Official Fix
------------

None yet.

-------------
Related Links
-------------

http://www.securityfocus.com/tools/1935
http://www.xs4all.nl/~rmeijer/rident.html 


  By Date           By Thread  

Current thread:
  • rident.pl 0.9 file "deletion" and PID files modification Martin (Mar 24)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault