5791967 2000-11-28 17:20 +0100 /102 lines/ Niels Heinen <niels.heinen@UBIZEN.COM>
Sent by: joel@lysator.liu.se
Imported: 2000-11-28 23:47 by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: niels.heinen@UBIZEN.COM
Recipient: Bugtraq (import) <13946>
Subject: SuSE Linux 6.x 7.0 Ident buffer overflow
------------------------------------------------------------

***************************************************************************
Subject:       Ident buffer overflow
Platforms:     SuSE Linux 6.x 7.0
Risk Level:    High
Author:        Niels Heinen
Vendor Status: Notified, patches will be available today.
***************************************************************************

Impact of the vulnerability:
============================

This advisory details a buffer overflow vulnerability under SuSE Linux that can enable a malicious user to cause Identification Protocol (Ident) handling to crash. Due to the overflow, the system will no longer be able to establish certain connections which use Ident, for example IRC (Internet Relay Chat) connections. If the Ident daemon is not running, users wishing to connect to IRC will not be allowed to make a connection. In this case the vulnerability could be used in a denial of service attack to keep a person off IRC.

It's not clear at this present time whether this vulnerability could be exploited in such a way that arbitrary code is executed. If so, this will happen with the privileges of the user "nobody" in a default installation.

Who's vulnerable?
=================

This vulnerability has been tested on SuSE version 6.x and version 7.0. Previous versions may also be affected. Further testing will reveal whether other Linux distributions are vulnerable.

Technical description:
======================

By sending longer than expected strings to the identd port, a remote attacker can crash the daemon. The daemon will also fail to leave any log message given the right length of the string.
Seeing the following in the logfile (/var/log/messages):

  date: suse-machine in.identd[xxx]: s_snprintf(...) = ?: buffer overrun

is a clear indication of being attacked with a message length that produces log entries. Some other Linux distributions are not vulnerable in the same way, but have to be looked at for suspicious log entries. Another test machine running Red Hat issued here a "Full buffer closing connection" error.

Workarounds:
============

If you don't need Ident, you can keep the risk lowest by disabling the ident daemon. This can be done by editing /etc/rc.config. Look for a line like the one below:

  START_IDENTD="yes"

Change the yes value into no and save the file. After that, type as root

  killall -9 in.identd

to stop the ident daemon.

More information:
=================

Bug finder:          Niels Heinen (niels.heinen@ubizen.com)
SuSE web site:       http://www.suse.com
SuSE security email: security@suse.com
SecurityWatch.com:   http://www.securitywatch.com
Ident RFC:           http://andrew2.andrew.cmu.edu/rfc/rfc1413.html

The Disclaimer:
===============

***********************************************************************************
All documents and services are provided as is. Ubizen expressly disclaims all warranties, express or implied, including without limitation any implied warranties of merchantability or fitness for a particular purpose, and warranties as to accuracy, completeness or adequacy of information. Ubizen cannot be held accountable for any incorrect or erroneous information. By using the provided documents or services, the user assumes all risks.
***********************************************************************************
(5791967) --------------------------------(Rewrapped)

Attachment (application/x-pkcs7-signature) in text 5791968

5791968 2000-11-28 17:20 +0100 /15 lines/ Niels Heinen <niels.heinen@UBIZEN.COM>
Attachment filename: "smime.p7s"
Imported: 2000-11-28 23:47 by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: niels.heinen@UBIZEN.COM
Recipient: Bugtraq (import) <13947>
Attachment (text/plain) to text 5791967
Subject: Attachment (smime.p7s) to: SuSE Linux 6.x 7.0 Ident buffer overflow
------------------------------------------------------------
[S/MIME signature (binary PKCS#7 data, GlobalSign Class 2 CA chain) omitted]
(5791968) --------------------------------(Rewrapped)

5796321 2000-11-29 05:50 +0100 /84 lines/ Roman Drahtmueller <draht@SUSE.DE>
Sent by: joel@lysator.liu.se
Imported: 2000-11-29 19:19 by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: draht@SUSE.DE
Recipient: Bugtraq (import) <13957>
Comment on text 5791967 by Niels Heinen <niels.heinen@UBIZEN.COM>
Subject: Re: SuSE Linux 6.x 7.0 Ident buffer overflow
------------------------------------------------------------
From: Roman Drahtmueller <draht@SUSE.DE>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <Pine.LNX.4.21.0011290514300.2234-100000@dent.suse.de>

> Platforms: SuSE Linux 6.x 7.0
> Risk Level: High
> Author: Niels Heinen
> Vendor Status: Notified patches will be available today.
> ***************************************************************************

First off, we thank Niels Heinen for contacting us at our security contact address security@suse.de. We have agreed on this date to release the information about the bug.

> Impact of the vulnerability:
> ====================
> This advisory details a buffer overflow vulnerability under SuSE Linux
> that can enable a malicious user to cause Identification Protocol
> (Ident) handling to crash. Due to the overflow, the system will no
> longer be able to establish certain connections which use Ident, for
> example IRC (Internet Relay Chat) connections. If the Ident daemon is
> not running, users wishing to connect to IRC will not be allowed to
> make a connection. In this case the vulnerability could be used in
> a denial of service attack to keep a person off IRC. It's not clear at
> this present time whether this vulnerability could be exploited in
> such a way that arbitrary code is executed. If so, this will happen
> with the privileges of the user "nobody" in a default installation.

Thomas Biege, Sebastian Krahmer, Adrian Schröter and myself have been looking at the code, each of us having found a glitch (the multithreaded implementation makes debugging an interesting adventure! :-). It turned out that the daemon dies because of a misinterpretation of the return value of vsnprintf() (which was subject to a change in glibc 2.1). Upon detecting that the buffer is too short to keep the data, the daemon decides to "int *p = (int *) NULL; *p = 4711;", or, in other words, segfault and commit suicide. This is bright because a return address on the stack that might have been overwritten is not used (an actual buffer overflow doesn't take place, though). OTOH, it's not very bright since the auth service is denied as a consequence of the daemon shooting itself in the foot.

The risk imposed by the crashed daemon is considerably low. Personally, I find that this behaviour suits the necessity and the usefulness of the protocol itself.

> Who's vulnerable ?
> ==============
> This vulnerability has been tested on SuSE version 6.x and version
> 7.0. Previous versions may also be affected. Further testing will
> reveal whether other Linux distributions are vulnerable.

in.identd in older releases of the SuSE Linux distribution can be crashed, too. Other vendors ship this daemon, too, and will release advisories about the issue soon.

With the release of the SuSE-7.0 distribution, the in.identd daemon is contained in a separate package; before 7.0, it was included in the nkitb package. We will provide updates for the 6.x and 7.0 distributions as usual, but it will take another few days since changes in the nkitb package need thorough testing.

In the meanwhile, you may want to disable the service by changing

  START_IDENTD="yes"   # default

to

  START_IDENTD="no"

in /etc/rc.config and by killing the daemon (`killall in.identd`). Thanks to Niels for pointing this out, too.

If you want to know more about the identd, please install the package "rfc" that can be found in the documentation series of all SuSE distributions and read rfc1413.txt, to be found in /usr/doc/rfc or /usr/share/doc/rfc (SuSE-7.0).

Thanks,
Roman.

-- 
 -                                                                       -
| Roman Drahtmüller      <draht@suse.de> //      "Caution: Cape does     |
  SuSE GmbH - Security           Phone: //       not enable user to fly."
| Nürnberg, Germany      +49-911-740530 //      (Batman Costume warning label) |
 -                                                                       -
(5796321) --------------------------------(Rewrapped)
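The vsnprintf() return-value change Roman describes above is the whole bug: C99 and glibc 2.1 and later return the length the complete output would have had, while glibc 2.0 returned -1 when the output was truncated, so a check written for one convention misjudges the other. The following C snippet is an added example, not in.identd's source and not part of either message. It assumes a fixed-size reply buffer (REPLY_SIZE, a value chosen here) and an RFC 1413 ERROR reply that echoes the client-supplied request line, since an overlong request from the network is exactly what ends up in such a buffer. The formatter detects truncation under both conventions and the reply builder falls back to a short reply that does not echo the input, instead of the deliberate NULL write that takes the daemon down.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Reply buffer size used by this example; assumed, not taken from in.identd. */
#define REPLY_SIZE 128

/* Outcome of formatting into a fixed-size buffer. */
enum fmt_status { FMT_OK = 0, FMT_TRUNCATED = 1, FMT_ERROR = 2 };

/* Format into buf[size] and report truncation instead of crashing.
 * Handles both vsnprintf() conventions:
 *   - C99 / glibc >= 2.1: returns the length the full output WOULD have had,
 *     so ret >= size means the output was cut short;
 *   - glibc 2.0 (and some other old libcs): returns -1 on truncation.
 * A check that only tests "ret < 0" misses truncation on the first kind of
 * libc, and one that only tests "ret >= size" misses it on the second. */
static enum fmt_status fmt_checked(char *buf, size_t size, const char *fmt, ...)
{
    va_list ap;
    int ret;

    if (size == 0)
        return FMT_ERROR;
    va_start(ap, fmt);
    ret = vsnprintf(buf, size, fmt, ap);
    va_end(ap);

    if (ret < 0) {
        buf[size - 1] = '\0';     /* old convention: -1, make sure it is terminated */
        return FMT_TRUNCATED;
    }
    if ((size_t)ret >= size)
        return FMT_TRUNCATED;     /* C99 convention: would-be length did not fit */
    return FMT_OK;
}

/* Build an RFC 1413 ERROR reply that echoes the client's request line.
 * The request line is attacker-controlled, so it is the part that can
 * exceed the fixed buffer.  On truncation, fall back to a short reply that
 * does not echo the input.  Returns 0 (normal reply), 1 (fell back), -1 (error). */
static int ident_error_reply(const char *request_line, char *out, size_t outsize)
{
    enum fmt_status st = fmt_checked(out, outsize, "%s : ERROR : INVALID-PORT\r\n",
                                     request_line);
    if (st == FMT_OK)
        return 0;
    st = fmt_checked(out, outsize, "0 , 0 : ERROR : INVALID-PORT\r\n");
    return st == FMT_OK ? 1 : -1;
}

/* Constructed input for the demo: a request line of n 'A' bytes, standing in
 * for the "longer than expected string" sent to the identd port.
 * Returns ident_error_reply()'s result, or -2 if the buffer was not bounded. */
static int demo_overlong_request(size_t n)
{
    char req[1024];
    char out[REPLY_SIZE];
    int rc;

    if (n >= sizeof req)
        n = sizeof req - 1;
    memset(req, 'A', n);
    req[n] = '\0';
    rc = ident_error_reply(req, out, sizeof out);
    if (strlen(out) >= sizeof out)
        return -2;
    return rc;
}

/* Scratch buffers so results can be inspected by a caller. */
static char scratch[8];
static char reply_buf[REPLY_SIZE];

int main(void)
{
    int rc = ident_error_reply("113 , 1234", reply_buf, sizeof reply_buf);
    printf("normal request:   rc=%d reply=%s", rc, reply_buf);
    rc = demo_overlong_request(600);
    printf("overlong request: rc=%d (1 = fell back to the short reply)\n", rc);
    rc = fmt_checked(scratch, sizeof scratch, "%s", "abcdefghij");
    printf("8-byte buffer:    status=%d buffer=\"%s\"\n", rc, scratch);
    return 0;
}
```

The boundary matters: a request of 102 bytes plus the 25-byte suffix fits in 128 bytes with its terminator, 103 bytes does not, and fmt_checked reports the second case as truncated on either libc rather than letting the caller guess from the raw return value.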