Re: SuSE Linux 6.x 7.0 Ident buffer overflow (fwd)
This is my answer to bugtraq.
Roman.
---------- Forwarded message ----------
From: Roman Drahtmueller
Platforms: SuSE Linux 6.x, 7.0
Risk Level: High
Author: Niels Heinen
Vendor Status: Notified, patches will be available today.
***************************************************************************
First off, we thank Niels Heinen for contacting us at our security contact address security@suse.de. We have agreed on this date to release the information about the bug.
Impact of the vulnerability:
====================
This advisory details a buffer overflow vulnerability under SuSE Linux that can enable a malicious user to cause Identification Protocol (Ident) handling to crash. Due to the overflow, the system will no longer be able to establish certain connections which use Ident, for example IRC (Internet Relay Chat) connections. If the Ident daemon is not running, users wishing to connect to IRC will not be allowed to make a connection. In this case the vulnerability could be used in a denial of service attack to keep a person off IRC. It's not clear at this present time whether this vulnerability could be exploited in such a way that arbitrary code is executed. If so, this will happen with the privileges of the user "nobody" in a default installation.
Thomas Biege, Sebastian Krahmer, Adrian Schröter and myself have been looking at the code, each of us having found a glitch (the multithreaded implementation makes debugging an interesting adventure! :-). It turned out that the daemon dies because of a misinterpretation of the return value of vsnprintf() (which was subject to a change in glibc2.1). Upon detecting that the buffer is too short to keep the data, the daemon decides to "int *p = (int *) NULL; *p = 4711;", or, in other words, segfault and commit suicide. This is bright because a return address on the stack that might have been overwritten is not used (An actual buffer overflow doesn't take place, though.). OTOH, it's not very bright since the auth service is denied as a consequence of the daemon shooting itself in the foot. The risk imposed by the crashed daemon is considerably low. Personally, I find that this behaviour suits the necessity and the usefulness of the protocol itself.
Who's vulnerable?
==============
This vulnerability has been tested on SuSE version 6.x and version 7.0. Previous versions may also be affected. Further testing will reveal whether other Linux distributions are vulnerable.
in.identd in older releases of the SuSE Linux distribution can be crashed,
too. Other vendors ship this daemon, too, and will release advisories
about the issue soon.
With the release of the SuSE-7.0 distribution, the in.identd daemon is
contained in a separate package - before 7.0, it was included in the nkitb
package. We will provide updates for the 6.x and 7.0 distributions as
usual, but it will take another few days since changes in the nkitb
package need thorough testing.
In the meanwhile, you may want to disable the service by changing
START_IDENTD="yes" # default
to
START_IDENTD="no"
in /etc/rc.config and by killing the daemon (`killall in.identd`). Thanks
to Niels for pointing this out, too.
If you want to know more about the identd, please install the package
"rfc" that can be found in the documentation series of all SuSE
distributions and read rfc1413.txt, to be found in /usr/doc/rfc or
/usr/share/doc/rfc (SuSE-7.0).
Thanks,
Roman.
--
| Roman Drahtmüller
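Added example for the vsnprintf() point in Roman's message. This is illustration code written for this page, not pidentd's source and not SuSE's patch; the names fmt_reply and build_ident_reply, the 64-byte buffer and the sample user names are my own assumptions. It shows a formatting helper that reads the return value the way C99 and glibc 2.1 define it: a value greater than or equal to the buffer size means the output was truncated inside the buffer, nothing past buf[size-1] was written, and the correct reaction is to report that to the caller rather than to treat it as a smashed stack and segfault on purpose.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

enum fmt_status { FMT_OK = 0, FMT_TRUNCATED = 1, FMT_ERROR = -1 };

/* Format into buf and report whether the complete output fitted.
 *
 * C99 / glibc >= 2.1: vsnprintf() returns the length the complete output
 * would have had, so n >= size means "truncated to size-1 bytes plus NUL";
 * the buffer was never overrun.
 * Pre-C99 libcs (glibc 2.0): vsnprintf() returned -1 when the output did
 * not fit. Both readings are covered below, and neither aborts: buf is
 * always left NUL-terminated and the caller decides what to do. */
enum fmt_status fmt_reply(char *buf, size_t size, const char *fmt, ...)
{
    va_list ap;
    int n;

    if (buf == NULL || size == 0)
        return FMT_ERROR;

    va_start(ap, fmt);
    n = vsnprintf(buf, size, fmt, ap);
    va_end(ap);

    if (n < 0) {
        /* Old libc: "did not fit". C99 libc: encoding/format error.
         * Either way the contents are not a usable reply. */
        buf[size - 1] = '\0';
        return FMT_ERROR;
    }
    if ((size_t)n >= size)
        return FMT_TRUNCATED;   /* buf holds the first size-1 bytes + NUL */
    return FMT_OK;
}

/* RFC 1413 USERID response line (assumed layout for this example):
 * "<server-port> , <client-port> : USERID : UNIX : <user>\r\n" */
enum fmt_status build_ident_reply(char *buf, size_t size,
                                  int server_port, int client_port,
                                  const char *user)
{
    return fmt_reply(buf, size, "%d , %d : USERID : UNIX : %s\r\n",
                     server_port, client_port, user);
}

int main(void)
{
    char buf[64];           /* deliberately small reply buffer */
    char longuser[200];     /* constructed oversized user name */
    enum fmt_status st;

    st = build_ident_reply(buf, sizeof buf, 6191, 23, "stjohns");
    printf("status=%d reply=%s", st, buf);

    memset(longuser, 'A', sizeof longuser - 1);
    longuser[sizeof longuser - 1] = '\0';
    st = build_ident_reply(buf, sizeof buf, 6191, 23, longuser);
    printf("status=%d len=%zu (daemon keeps running)\n", st, strlen(buf));
    return 0;
}
```

Compiled with gcc on a glibc 2.1 or later system, the oversized user name yields FMT_TRUNCATED with a 63-byte, NUL-terminated reply and the process carries on; on a pre-C99 libc the same call would have returned -1, which the helper routes to FMT_ERROR, so callers need not know which convention their libc follows.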