Security Incidents mailing list archives

(no subject)


From: del () BABEL COM AU (Del)
Date: Thu, 20 Apr 2000 21:37:15 +1200


Peter Eriksson wrote:

> > A client was hacked last week by what looked like a buffer
> > overflow through in.identd.  This was on a Red Hat 6.0
> > box.
> >
> > RH don't have any current security notices or fixes for
> > in.identd on their servers, and I haven't seen other
> > boxes hacked through in.identd recently.
> > ...
> > Anyone know of any current bug notices, exploits, or
> > patches for in.identd?
>
> As the author of the Identd daemon I would *greatly* appreciate
> being told about these issues directly, instead of finding out
> about them second hand...

You might like to contact Red Hat about getting your name on the
pidentd RPM.  At the moment, rpm -qi pidentd says:

    Vendor: Red Hat Software

There are no other clues in the binary as to you being the author.

> As far as I know there are *no* buffer overrun bugs in Pidentd.

I can't see any either, which is why I suggested that it looked
like identd, not that it definitely was.  The evidence is:

-       There was nothing else running on the box ... apart
        from OpenSSH and Apache.  sendmail was installed but
        not running as a daemon.

-       OpenSSH and Apache survived the attack.  There were
        4 identd daemons running as zombies after the attack,
        further attempts to connect on the auth port failed.
        Attempts to run further identd's failed.  This possibly
        indicates something overran one of the running identd's
        buffers.

> From the scarce information in the letter I was forwarded it
> *looks* like Redhat 6.0 is using Pidentd version 2, which
> uses code like this to parse the request from the remote client:
>
>      rcode = fscanf(fp, " %d , %d", &lport, &fport);

Looks solid.

> (On the data received from the remote client.)  I'm having
> a hard time seeing how to get an exploitable buffer overrun
> from that code (sans strange bugs in Redhat's libc).

Could very well be libc.  This was a 2.1.0 glibc, not known to be
entirely bug free.  RH 6.1 comes with 2.1.2

> Also, on Linux systems you don't have to run Identd as
> root (I *think* that Redhat ships with Identd started as
> user "nobody" from Inetd, at least they did that in Redhat 5.0).

On RH 6.0 & 6.1 it's the same, but on RH 6.2 I've noticed that
they run pidentd standalone rather than from inetd.  I'm not sure
of the security implications of that ... I assume it's just for
performance reasons.

Of course it's entirely possible that something else got rooted
... possibly even inetd.

----+------------------------+--------------------------
Del | mailto:del () babel co nz | Christchurch, New Zealand
----+------------------------+--------------------------
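The thread turns on whether pidentd's `fscanf(fp, " %d , %d", &lport, &fport)` request parser can be overrun. As an added illustration (not pidentd's code, and not anything either poster wrote), here is a bounded parser for the same RFC 1413 request line, "<server-port> , <client-port>", written the way a defender would want it: a fixed-size line buffer filled with `fgets`, `strtol` with explicit 1..65535 range checks, and rejection of signs, trailing junk and over-long lines. The sample request strings in `main` are constructed for the demonstration; the function names are my own.

```c
/* Added example: a bounded RFC 1413 (Ident) request parser.
 * Not pidentd's code; written to show the checks a defensive
 * version of " %d , %d" parsing would make explicit. */
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Longest request line accepted, including CRLF. A legitimate request
 * ("65535 , 65535\r\n") is 15 bytes, so 64 leaves ample slack. */
#define IDENT_REQ_MAX 64

enum ident_status {
    IDENT_OK = 0,       /* both ports parsed and in range */
    IDENT_BAD_FORMAT,   /* no digits, missing comma, or junk after the ports */
    IDENT_BAD_PORT,     /* a port outside 1..65535 (RFC 1413 requires both in range) */
    IDENT_TOO_LONG      /* line longer than IDENT_REQ_MAX-1 characters */
};

static void skip_blanks(const char **p) {
    while (**p == ' ' || **p == '\t') (*p)++;
}

/* Parse one decimal port at *p. Only plain digits are accepted: strtol's
 * tolerance for signs and leading whitespace is deliberately bypassed. */
static enum ident_status parse_port(const char **p, int *out) {
    char *end;
    long v;
    skip_blanks(p);
    if (!isdigit((unsigned char)**p)) return IDENT_BAD_FORMAT;
    errno = 0;
    v = strtol(*p, &end, 10);
    if (errno == ERANGE || v < 1 || v > 65535) return IDENT_BAD_PORT;
    *p = end;
    *out = (int)v;
    return IDENT_OK;
}

/* Parse "<server-port> , <client-port>" with optional trailing CR/LF.
 * On IDENT_OK, *server_port and *client_port hold the validated values. */
enum ident_status ident_parse_request(const char *line, int *server_port, int *client_port) {
    const char *p = line;
    enum ident_status st;

    if (strlen(line) >= IDENT_REQ_MAX) return IDENT_TOO_LONG;
    if ((st = parse_port(&p, server_port)) != IDENT_OK) return st;
    skip_blanks(&p);
    if (*p != ',') return IDENT_BAD_FORMAT;
    p++;
    if ((st = parse_port(&p, client_port)) != IDENT_OK) return st;
    skip_blanks(&p);
    if (*p == '\r') p++;
    if (*p == '\n') p++;
    return (*p == '\0') ? IDENT_OK : IDENT_BAD_FORMAT;
}

/* Read one request line from fp into a fixed buffer. fgets never writes
 * past sizeof buf; if no newline arrived the line was too long, and the
 * remainder is drained rather than parsed. */
enum ident_status ident_read_request(FILE *fp, int *server_port, int *client_port) {
    char buf[IDENT_REQ_MAX];
    if (fgets(buf, sizeof buf, fp) == NULL) return IDENT_BAD_FORMAT;
    if (strchr(buf, '\n') == NULL && !feof(fp)) {
        int c;
        while ((c = getc(fp)) != EOF && c != '\n') ;
        return IDENT_TOO_LONG;
    }
    return ident_parse_request(buf, server_port, client_port);
}

/* Convenience wrappers: status only, and the two ports packed as
 * server*65536 + client (or -1 on any failure). */
int ident_check(const char *line) {
    int s = 0, c = 0;
    return (int)ident_parse_request(line, &s, &c);
}

long ident_ports(const char *line) {
    int s = 0, c = 0;
    if (ident_parse_request(line, &s, &c) != IDENT_OK) return -1;
    return (long)s * 65536L + c;
}

int main(void) {
    /* Constructed sample requests: one valid, the rest malformed. */
    const char *samples[] = {
        "6191, 23\r\n", "0 , 23\r\n", "23 , 70000\r\n", "22 23\r\n", "22 , 23 ; junk\r\n"
    };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int s = 0, c = 0;
        enum ident_status st = ident_parse_request(samples[i], &s, &c);
        printf("sample %zu: status %d (server %d, client %d)\n", i, (int)st, s, c);
    }
    return 0;
}
```

Note that `fscanf` with `%d` already cannot write past an `int`, which is why the thread finds the original line "solid"; what the bounded version adds is a hard cap on how much of the connection is read per request, an explicit port-range check, and a format check that refuses anything after the second number.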
