Security Incidents mailing list archives
(no subject)
From: del () BABEL COM AU (Del)
Date: Thu, 20 Apr 2000 21:37:15 +1200
Peter Eriksson wrote:
> > A client was hacked last week by what looked like a buffer overflow through in.identd. This was on a Red Hat 6.0 box. RH don't have any current security notices or fixes for in.identd on their servers, and I haven't seen other boxes hacked through in.identd recently.... Anyone know of any current bug notices, exploits, or patches for in.identd?
>
> As the author of the Identd daemon I would *greatly* appreciate to be told about these issues directly, instead of finding out about them second-hand...

You might like to contact Red Hat about getting your name on the pidentd RPM. At the moment, "rpm -qi pidentd" says:

    Vendor: Red Hat Software

There are no other clues in the binary as to you being the author.

> As far as I know there are *no* buffer overrun bugs in Pidentd.

I can't see any either, which is why I suggested that it looked like identd, not that it definitely was. The evidence is:

- There was nothing else running on the box ... apart from OpenSSH and Apache. sendmail was installed but not running as a daemon.
- OpenSSH and Apache survived the attack. There were 4 identd daemons running as zombies after the attack; further attempts to connect on the auth port failed. Attempts to run further identds failed. This possibly indicates something overran one of the running identds' buffers.

> From the scarce information in the letter I was forwarded it *looks* like Redhat 6.0 is using Pidentd version 2, which uses code like this to parse the request from the remote client:
>
>     rcode = fscanf(fp, " %d , %d", &lport, &fport);

Looks solid.

> (On the data received from the remote client.) I'm having a hard time to see how to get an exploitable buffer overrun from that code (sans strange bugs in Redhat's libc).

Could very well be libc. This was a 2.1.0 glibc, not known to be entirely bug free. RH 6.1 comes with 2.1.2.

> Also, on Linux systems you don't have to run Identd as root (I *think* that Redhat ships with Identd started as user "nobody" from Inetd, at least they did that in Redhat 5.0).

On RH 6.0 & 6.1 it's the same, but on RH 6.2 I've noticed that they run pidentd standalone rather than from inetd. I'm not sure of the security implications of that ... I assume it's just for performance reasons. Of course it's entirely possible that something else got rooted ... possibly even inetd.

----+------------------------+--------------------------
Del | mailto:del () babel co nz | Christchurch, New Zealand
----+------------------------+--------------------------
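An added example (not pidentd's code and not from either poster) illustrating the point argued above: a parser for the ident request line ("server-port , client-port", as in RFC 1413) that only ever writes into two integers, so however long or malformed the request is there is no buffer to overrun. It uses strtol with explicit range checks rather than scanf's " %d , %d" because a %d conversion of an out-of-range number is undefined behaviour in C; the function names and the 1..65535 port check are my own choices.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Parse one decimal port in 1..65535 starting at s. Writes the
   position after the digits to *end. Returns 1 on success, 0 on
   sign/garbage/empty/out-of-range input (ERANGE covers huge numbers). */
static int parse_port(const char *s, char **end, long *out)
{
    while (*s == ' ' || *s == '\t')
        s++;
    if (*s < '0' || *s > '9')          /* no sign, no empty field */
        return 0;
    errno = 0;
    long v = strtol(s, end, 10);
    if (errno == ERANGE || v < 1 || v > 65535)
        return 0;
    *out = v;
    return 1;
}

/* Parse an ident request line. Only two longs are ever written, so the
   length of the line cannot cause an overrun. Returns 1 if valid. */
int parse_ident_request(const char *line, int *lport, int *fport)
{
    long a, b;
    char *p;
    if (line == NULL || !parse_port(line, &p, &a))
        return 0;
    while (*p == ' ' || *p == '\t')
        p++;
    if (*p++ != ',')                   /* exactly one comma separator */
        return 0;
    if (!parse_port(p, &p, &b))
        return 0;
    while (*p == ' ' || *p == '\t' || *p == '\r' || *p == '\n')
        p++;                           /* only CRLF/whitespace may trail */
    if (*p != '\0')
        return 0;
    *lport = (int)a;
    *fport = (int)b;
    return 1;
}

int main(void)
{
    char buf[128];                     /* one request line from stdin */
    int lp, fp;
    if (fgets(buf, sizeof buf, stdin) && parse_ident_request(buf, &lp, &fp))
        printf("server port %d, client port %d\n", lp, fp);
    else
        puts("0 , 0 : ERROR : INVALID-PORT");
    return 0;
}
```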