Subject: SuSE Linux 6.x 7.0 Ident buffer overflow
From: Niels Heinen (niels.heinen@UBIZEN.COM)
Date: Tue Nov 28 2000 - 10:20:11 CST


Subject: Ident buffer overflow
Platforms: SuSE Linux 6.x 7.0
Risk Level: High
Author: Niels Heinen
Vendor Status: Notified patches will be available today.

Impact of the vulnerability:
This advisory details a buffer overflow vulnerability under SuSE Linux that can enable a malicious user to cause Identification Protocol (Ident) handling to crash. Due to the overflow, the system will no longer be able to establish certain connections which use Ident, for example IRC (Internet Relay Chat) connections. If the Ident daemon is not running, users wishing to connect to IRC will not be allowed to make a connection. In this case the vulnerability could be used in a denial of service attack to keep a person off IRC. It's not clear at this present time whether this vulnerability could be exploited in such a way that arbitrary code is executed. If so, this will happen with the privileges of the user "nobody" in a default installation.

Who's vulnerable?
This vulnerability has been tested on SuSE version 6.x and version 7.0. Previous versions may also be affected. Further testing will reveal whether other Linux distributions are vulnerable.

Technical description:
By sending longer than expected strings to the identd port, a remote attacker can crash the daemon. The daemon will also fail to leave any log message given the right length of the string. Seeing the following in the logfile (/var/log/messages)

date: suse-machine in.identd[xxx]: s_snprintf(...) = ?: buffer overrun

is a clear indication of being attacked by a message length that produces log entries. Some other Linux distributions are not vulnerable in the same way, but have to be looked at for suspicious log entries. Another test machine running Red Hat issued here a "Full buffer closing connection" error.
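The two log messages named above are the only on-disk evidence the advisory gives, so a defender's first check is to scan /var/log/messages for them. The following is an added example, not code from the advisory or from SuSE; the log lines, host names and PIDs in SAMPLE_LOG are constructed for illustration. Note that, as the advisory says, a request of the right length crashes the daemon without logging anything, so an empty result does not prove the daemon was not hit.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample of /var/log/messages lines (not taken from any real host).
SAMPLE_LOG = """\
Nov 28 10:15:01 suse-machine in.identd[4127]: s_snprintf(...) = ?: buffer overrun
Nov 28 10:15:02 suse-machine sshd[212]: Accepted password for alice from 10.0.0.5
Nov 28 10:15:03 suse-machine in.identd[4127]: s_snprintf(...) = ?: buffer overrun
Nov 28 10:15:09 redhat-box identd[998]: Full buffer closing connection
"""

# Classic syslog line: "Mon DD HH:MM:SS host program[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[\w./-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

# The two messages the advisory reports: SuSE's s_snprintf overrun and
# the "Full buffer closing connection" error seen on the Red Hat test box.
SIGNATURES = {
    "suse-overrun": re.compile(r"s_snprintf\(.*\) = \?: buffer overrun"),
    "redhat-fullbuffer": re.compile(r"Full buffer closing connection"),
}


@dataclass
class IdentHit:
    timestamp: str
    host: str
    pid: int
    rule: str


def find_ident_hits(log_text):
    """Return one IdentHit per identd log line matching a known signature."""
    hits = []
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        # Only lines emitted by an ident daemon (in.identd, identd, ...) matter.
        if not m or not m.group("prog").endswith("identd"):
            continue
        for rule, pattern in SIGNATURES.items():
            if pattern.search(m.group("msg")):
                hits.append(IdentHit(m.group("ts"), m.group("host"), int(m.group("pid")), rule))
    return hits


def summarize(hits):
    """Count hits per (host, rule) so repeated overruns on one host stand out."""
    return dict(Counter((h.host, h.rule) for h in hits))
```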


If you don't need Ident, you can keep the risk lowest by disabling the ident daemon. This can be done by editing /etc/rc.config. Look for a line like below:


Change the yes value into no and save the file. After that, type as root

killall -9 in.identd

to stop the ident daemon.

More information:
Bug finder: Niels Heinen (niels.heinen@ubizen.com)
Suse web site: http://www.suse.com
Suse security email: security@suse.com
SecurityWatch.com: http://www.securitywatch.com
Ident RFC: http://andrew2.andrew.cmu.edu/rfc/rfc1413.html

The Disclaimer:

All documents and services are provided as is. Ubizen expressly disclaims all warranties, express or implied, including without limitation any implied warranties of merchantability or fitness for a particular purpose, and warranties as to accuracy, completeness or adequacy of information. Ubizen cannot be held accountable for any incorrect or erroneous information. By using the provided documents or services, the user assumes all risks.