5791967 2000-11-28 17:20 +0100  /102 lines/ Niels Heinen <niels.heinen@UBIZEN.COM>
Sent by: joel@lysator.liu.se
Imported: 2000-11-28  23:47  by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: niels.heinen@UBIZEN.COM
Recipient: Bugtraq (import) <13946>
Subject: SuSE Linux 6.x 7.0 Ident buffer overflow
------------------------------------------------------------
***************************************************************************

Subject:       Ident buffer overflow
Platforms:     SuSE Linux 6.x 7.0
Risk Level:    High
Author:        Niels Heinen
Vendor Status: Notified, patches will be available today.
***************************************************************************



Impact of the vulnerability:
====================
This advisory details a buffer overflow vulnerability under SuSE Linux
that can enable a malicious user to cause Identification Protocol
(Ident) handling to crash. Due to the overflow, the system will no
longer be able to establish certain connections which use Ident, for
example IRC (Internet Relay Chat) connections. If the Ident daemon is
not running, users wishing to connect to IRC will not be allowed to
make a connection. In this case the vulnerability could be used in a
denial of service attack to keep a person off IRC. It's not clear at
this present time whether this vulnerability could be exploited in
such a way that arbitrary code is executed. If so, this will happen
with the privileges of the user "nobody" in a default installation.


Who's vulnerable?
==============
This vulnerability has been tested on SuSE version 6.x and version
7.0. Previous versions may also be affected. Further testing will
reveal whether other Linux distributions are vulnerable.

Technical description:
================
By sending longer than expected strings to the identd port, a remote
attacker can crash the daemon. The daemon will also fail to leave any
log message given the right length of the string. Seeing the following
in the logfile (/var/log/messages)

date: suse-machine in.identd[xxx]: s_snprintf(...) = ?: buffer overrun

is a clear indication of being attacked with a message length that
produces log entries. Some other Linux distributions are not vulnerable
in the same way, but have to be looked at for suspicious log entries.
Another test machine running Red Hat issued a "Full buffer closing
connection" error here.

Workarounds:
===========

If you don't need Ident, you can keep the risk lowest by disabling
the ident daemon. This can be done by editing /etc/rc.config. Look
for a line like the one below:

START_IDENTD="yes"

Change the yes value into no and save the file. After that, as root,
type killall -9 in.identd to stop the ident daemon.

More information:
==============
Bug finder: Niels Heinen (niels.heinen@ubizen.com)
Suse web site: http://www.suse.com
Suse security email: security@suse.com
SecurityWatch.com: http://www.securitywatch.com
Ident RFC: http://andrew2.andrew.cmu.edu/rfc/rfc1413.html


The Disclaimer:
=============

***********************************************************************************

All documents and services are provided as is. Ubizen expressly
disclaims all warranties, express or implied, including without
limitation any implied warranties of merchantability or fitness for a
particular purpose, and warranties as to accuracy, completeness or
adequacy of information.  Ubizen cannot be held accountable for any
incorrect or erroneous information. By using the provided documents
or services, the user assumes all risks.
***********************************************************************************
(5791967) --------------------------------(Rewrapped)
Attachment (application/x-pkcs7-signature) in text 5791968
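Added example, not part of the advisory or of any vendor's tooling: a small C scanner for the log indication described in the Technical description above. It parses the BSD syslog layout that /var/log/messages uses, picks out the in.identd program tag and pid, and matches the two messages the advisory quotes, the SuSE "buffer overrun" line and the Red Hat "Full buffer closing connection" line. The sample lines, host names and pids are constructed for this example, and the Red Hat line is assumed to be logged under the in.identd tag, which the advisory does not state. As the advisory itself notes, a string of the right length crashes the daemon without any log line, so an empty result from this scanner is not proof that nothing happened; pair it with a liveness check of in.identd.

```c
#include <stdlib.h>
#include <string.h>

enum ident_event { IDENT_NONE = 0, IDENT_OVERRUN = 1, IDENT_FULLBUF = 2 };

struct syslog_line {
    char host[64];
    char prog[32];
    int pid;            /* -1 when the tag carries no [pid] */
    const char *msg;    /* points into the original line */
};

/* Skip one blank-delimited token and the blanks after it; NULL at end of line. */
static const char *next_field(const char *p)
{
    while (*p != '\0' && *p != ' ') p++;
    while (*p == ' ') p++;
    return *p != '\0' ? p : NULL;
}

/*
 * Parse the BSD syslog layout "Mon DD HH:MM:SS host prog[pid]: msg" that
 * /var/log/messages uses. Returns 0 on success, -1 for any other shape.
 */
static int parse_syslog(const char *line, struct syslog_line *out)
{
    const char *p = line, *sp, *colon, *br;
    size_t n;
    int i;

    for (i = 0; i < 3; i++) {              /* month, day (may be blank-padded), time */
        p = next_field(p);
        if (p == NULL) return -1;
    }
    sp = strchr(p, ' ');                   /* host */
    if (sp == NULL) return -1;
    n = (size_t)(sp - p);
    if (n == 0 || n >= sizeof out->host) return -1;
    memcpy(out->host, p, n);
    out->host[n] = '\0';
    p = sp + 1;
    colon = strchr(p, ':');                /* "prog[pid]:" or "prog:" */
    if (colon == NULL) return -1;
    br = memchr(p, '[', (size_t)(colon - p));
    n = (size_t)((br != NULL ? br : colon) - p);
    if (n == 0 || n >= sizeof out->prog) return -1;
    memcpy(out->prog, p, n);
    out->prog[n] = '\0';
    out->pid = br != NULL ? atoi(br + 1) : -1;
    out->msg = colon + 1;
    while (*out->msg == ' ') out->msg++;
    return 0;
}

/* Match the two messages the advisory quotes; a silent crash leaves nothing to match. */
static enum ident_event classify(const struct syslog_line *l)
{
    if (strcmp(l->prog, "in.identd") != 0 && strcmp(l->prog, "identd") != 0)
        return IDENT_NONE;
    if (strstr(l->msg, "buffer overrun") != NULL)
        return IDENT_OVERRUN;
    if (strstr(l->msg, "Full buffer closing connection") != NULL)
        return IDENT_FULLBUF;
    return IDENT_NONE;
}

/* Constructed sample log: hosts, pids and the last two messages are made up. */
static const char *const SAMPLE[] = {
    "Nov 28 17:20:01 suse-machine in.identd[4711]: s_snprintf(...) = ?: buffer overrun",
    "Nov 28 17:20:02 suse-machine sshd[812]: Accepted password for alice from 10.0.0.5",
    "Nov 28 17:20:03 rh-machine in.identd[913]: Full buffer closing connection",
    "Nov  8 09:01:00 suse-machine in.identd[4712]: started",
};
#define SAMPLE_COUNT (sizeof SAMPLE / sizeof SAMPLE[0])

/* Count lines that indicate an identd overrun; unparsable lines are skipped. */
static int count_ident_events(const char *const *lines, size_t n)
{
    struct syslog_line l;
    int hits = 0;
    size_t i;

    for (i = 0; i < n; i++)
        if (parse_syslog(lines[i], &l) == 0 && classify(&l) != IDENT_NONE)
            hits++;
    return hits;
}
```

Run over the constructed sample, count_ident_events() reports two hits: the SuSE overrun line and the Red Hat full-buffer line; the sshd line and the harmless in.identd line are ignored. On a real host, feed it the lines of /var/log/messages one at a time.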
5796321 2000-11-29 05:50 +0100  /84 lines/ Roman Drahtmueller <draht@SUSE.DE>
Sent by: joel@lysator.liu.se
Imported: 2000-11-29  19:19  by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: draht@SUSE.DE
Recipient: Bugtraq (import) <13957>
Comment on text 5791967 by Niels Heinen <niels.heinen@UBIZEN.COM>
Subject: Re: SuSE Linux 6.x 7.0 Ident buffer overflow
------------------------------------------------------------
From: Roman Drahtmueller <draht@SUSE.DE>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <Pine.LNX.4.21.0011290514300.2234-100000@dent.suse.de>

> Platforms: SuSE Linux 6.x 7.0
> Risk Level: High
> Author: Niels Heinen
> Vendor Status: Notified patches will be available today.
> ***************************************************************************

First off, we thank Niels Heinen for contacting us at our security
contact address security@suse.de. We have agreed on this date to
release the information about the bug.

> Impact of the vulnerability:
> ====================

> This advisory details a buffer overflow vulnerability under SuSE Linux
> that can enable a malicious user to cause Identification Protocol
> (Ident) handling to crash. Due to the overflow, the system will no
> longer be able to establish certain connections which use Ident, for
> example IRC (Internet Relay Chat) connections. If the Ident daemon is
> not running, users wishing to connect to IRC will not be allowed to
> make a connection. In this case the vulnerability could be used in
> a denial of service attack to keep a person off IRC. It's not clear at
> this present time whether this vulnerability could be exploited in
> such a way that arbitrary code is executed. If so, this will happen
> with the privileges of the user "nobody" in a default installation.

Thomas Biege, Sebastian Krahmer, Adrian Schröter and myself have been
looking at the code, each of us having found a glitch (the
multithreaded implementation makes debugging an interesting
adventure! :-). It turned out that the daemon dies because of a
misinterpretation of the return value of vsnprintf() (which was
subject to a change in glibc2.1).
Upon detecting that the buffer is too short to keep the data, the
daemon decides to "int *p = (int *) NULL; *p = 4711;", or, in other
words, segfault and commit suicide. This is bright because a return
address on the stack that might have been overwritten is not used (An
actual buffer overflow doesn't take place, though.). OTOH, it's not
very bright since the auth service is denied as a consequence of the
daemon shooting itself in the foot. The risk imposed by the crashed
daemon is considerably low.

Personally, I find that this behaviour suits the necessity and the
usefulness of the protocol itself.

> Who's vulnerable ?
> ==============

> This vulnerability has been tested on SuSE version 6.x and version
> 7.0. Previous versions may also be affected. Further testing will
> reveal whether other Linux distributions are vulnerable.

in.identd in older releases of the SuSE Linux distribution can be
crashed, too. Other vendors ship this daemon, too, and will release
advisories about the issue soon.

With the release of the SuSE-7.0 distribution, the in.identd daemon
is contained in a separate package - before 7.0, it was included in
the nkitb package. We will provide updates for the 6.x and 7.0
distributions as usual, but it will take another few days since
changes in the nkitb package need thorough testing.

In the meanwhile, you may want to disable the service by changing
START_IDENTD="yes"   # default
to
START_IDENTD="no"
in /etc/rc.config and by killing the daemon (`killall in.identd').
Thanks to Niels for pointing this out, too.

If you want to know more about the identd, please install the package
"rfc" that can be found in the documentation series of all SuSE
distributions and read rfc1413.txt, to be found in /usr/doc/rfc or
/usr/share/doc/rfc (SuSE-7.0).

Thanks,
Roman.
--
 -                                                                      -
| Roman Drahtmüller      <draht@suse.de> //          "Caution: Cape does |
  SuSE GmbH - Security           Phone: //       not enable user to fly."
| Nürnberg, Germany     +49-911-740530 // (Batman Costume warning label) |
 -                                                                      -
(5796321) --------------------------------(Rewrapped)
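Roman's explanation of the vsnprintf() return-value change, together with the advisory's technical description of over-long requests, as an added example in C. This is not the in.identd source, the original s_snprintf() or SuSE's fix: the names s_fmt, parse_port, parse_ident_request, lookup_owner and ident_reply, the request and reply length bounds, the hard-coded owner table and the "0 , 0" ports echoed for an unparseable request are all assumptions of this example. The wrapper reports truncation correctly under both return conventions Roman mentions (-1 from glibc before 2.1, the length the complete output would have had from glibc 2.1 and C99), and the reply builder turns an over-long or malformed request into an RFC 1413 ERROR line instead of a deliberate segfault.

```c
#include <errno.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Outcome of formatting into a fixed-size buffer. */
enum fmt_status { FMT_OK = 0, FMT_TRUNCATED = 1, FMT_ERROR = 2 };

/*
 * Format into buf[size] and report truncation under either vsnprintf()
 * convention: pre-C99 libcs (glibc < 2.1) return -1 when the output did
 * not fit, C99 libcs (glibc >= 2.1) return the length the complete output
 * would have had. Testing only for -1 misses truncation on a C99 libc, and
 * treating a large return value as "bytes written" walks past the buffer.
 */
static enum fmt_status s_fmt(char *buf, size_t size, const char *fmt, ...)
{
    va_list ap;
    int n;
    if (buf == NULL || size == 0)
        return FMT_ERROR;
    va_start(ap, fmt);
    n = vsnprintf(buf, size, fmt, ap);
    va_end(ap);
    if (n < 0) {                   /* old convention: truncated (or error) */
        buf[size - 1] = '\0';      /* old libcs did not always terminate */
        return FMT_TRUNCATED;
    }
    if ((size_t)n >= size)         /* C99: needed n + 1 bytes, had size */
        return FMT_TRUNCATED;
    return FMT_OK;
}

#define IDENT_REQ_MAX   1000       /* request-line bound chosen for this example */
#define IDENT_REPLY_MAX  512       /* reply-line bound chosen for this example */

/* Parse one decimal TCP port in [1, 65535], blanks allowed; 0 on success. */
static int parse_port(const char *s, int *port)
{
    char *end;
    long v;
    while (*s == ' ' || *s == '\t') s++;
    errno = 0;
    v = strtol(s, &end, 10);
    if (end == s || errno != 0 || v < 1 || v > 65535)
        return -1;
    while (*end == ' ' || *end == '\t') end++;
    if (*end != '\0')
        return -1;
    *port = (int)v;
    return 0;
}

/* Parse "<server-port> , <client-port>" from len raw request bytes (CRLF
 * already stripped). An over-long request, the case the advisory describes,
 * is rejected up front instead of being copied into a fixed buffer. */
static int parse_ident_request(const char *req, size_t len, int *sport, int *cport)
{
    char line[IDENT_REQ_MAX + 1];
    char *comma;
    if (len > IDENT_REQ_MAX)
        return -1;
    memcpy(line, req, len);
    line[len] = '\0';
    comma = strchr(line, ',');
    if (comma == NULL)
        return -1;
    *comma = '\0';
    return (parse_port(line, sport) == 0 && parse_port(comma + 1, cport) == 0) ? 0 : -1;
}

/* Constructed stand-in for the connection-table lookup a real identd performs. */
static const char *lookup_owner(int sport, int cport)
{
    return (sport == 6667 && cport == 1025) ? "alice" : NULL;   /* assumed pair */
}

/* Build the reply for one request. Malformed input gets an ERROR line
 * (ports echoed as "0 , 0", a choice made here); a user name that would
 * not fit degrades to an ERROR line rather than crashing the daemon. */
static enum fmt_status ident_reply(const char *req, size_t len, char *out, size_t outsize)
{
    int sport, cport;
    const char *user;
    enum fmt_status st;
    if (parse_ident_request(req, len, &sport, &cport) != 0)
        return s_fmt(out, outsize, "0 , 0 : ERROR : INVALID-PORT\r\n");
    user = lookup_owner(sport, cport);
    if (user == NULL)
        return s_fmt(out, outsize, "%d , %d : ERROR : NO-USER\r\n", sport, cport);
    st = s_fmt(out, outsize, "%d , %d : USERID : UNIX : %s\r\n", sport, cport, user);
    if (st != FMT_OK)
        st = s_fmt(out, outsize, "%d , %d : ERROR : UNKNOWN-ERROR\r\n", sport, cport);
    return st;
}
```

Called as ident_reply("6667 , 1025", 11, out, sizeof out) it produces the USERID line for the assumed connection; fed 4096 bytes of 'A', the shape of request the advisory describes, it returns the INVALID-PORT line with FMT_OK, which is the whole point: the over-long input is answered as a protocol error and the daemon keeps serving. Only when the reply buffer itself is too small does s_fmt() report FMT_TRUNCATED, and even then the caller gets a terminated string and a status it can act on, not a null-pointer write.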