From: zen-parsegmx.net
Date: Fri Jun 08 2001 - 09:10:41 CDT

    ***************************************************************
     Potential remote overflow fixed in patched version of xinetd
    ***************************************************************

    ***************************************************************
     Problem: potential buffer overflow in xinetd-2.1.8.9pre11-1
    ***************************************************************

    ***************************************************************
        Fix: update to xinetd-2.1.8.9pre15-2 (for redhat ppl)
    ***************************************************************

    Please note: This does not seem to be exploitable in a default
    setup RH 7.0 machine. However, there may be other distributions/
    configurations that it is used in where it is exploitable.

    ***************************************************************
                       Details of the problem
    ***************************************************************

    svc_logprint (in xinetd/log.c) has a slight bug which may allow remote
    root access.

    ...
            len = strx_nprint( buf, bufsize, "%s: %s ", line_id, SVC_ID( sp ) ) ;
            va_start( ap, fmt ) ;
    *->     cc = strx_nprintv( &buf[ len ], bufsize, fmt, ap ) ;
            va_end( ap ) ;
    ...
    (bufsize = sizeof(buf) == LOGBUF_SIZE = 1024)

    If an argument to the marked line is longer than (bufsize-len) then it
    will overflow the string.

    The ident feature allows returning 1024 bytes of information, and that
    information, less the "source,dest:" component and the \r\n, is passed
    to svc_logprint() as an argument, for example:
    1024,21:USERID:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...AA\r\n
    such that the string totals 1024 characters.

    If a malicious root user were to connect, he could set his own source
    port to something like 1, which would gain him another 3-4 characters.
    1,21:USERID:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...AAAAA\r\n

    The string is then truncated at the \r.

    (xinetd/ident.c)
    ...
           svc_logprint( SERVER_CONNSERVICE( serp ), USERID_ENTRY, "%s", p ) ;
    ...

    p would then be a string 1010 characters long.
    If strlen(line_id) + strlen(SVC_ID( sp )) > 14, then we have a buffer
    overflow.

    With the ftp service I was only able to get a 1022 byte buffer written,
    but with other services with longer names that use authentication, this
    could be a serious problem.

    The server is still running as root while this happens.

    --zen-parse
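The length-accounting mistake described above, as an added example that is not part of the advisory and not xinetd's own code. nprint is an assumed snprintf-style stand-in for strx_nprint/strx_nprintv, and the line id "USERID", the service name "longservicename" and the 1010-byte payload are constructed values chosen so that prefix plus payload exceeds the 1024-byte log buffer. The logical buffer sits inside a larger backing array, so the buggy path is observed (bytes counted past the 1024 boundary) rather than allowed to corrupt memory; the fixed path passes only the room actually remaining and stays inside the buffer.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define LOGBUF_SIZE 1024               /* xinetd's log buffer size, as stated in the advisory */
#define BACKING_SIZE (2 * LOGBUF_SIZE) /* spare room so the demo observes an overrun instead of corrupting memory */

/* Stand-in for strx_nprint/strx_nprintv (an assumption, not the real xinetd
 * functions): snprintf-style, returns the number of characters actually
 * stored, excluding the NUL, which is at most size - 1. */
static int nprint(char *buf, size_t size, const char *fmt, ...)
{
    va_list ap;
    int n;

    if (size == 0)
        return 0;
    va_start(ap, fmt);
    n = vsnprintf(buf, size, fmt, ap);
    va_end(ap);
    if (n < 0)
        return 0;
    return (size_t)n >= size ? (int)(size - 1) : n;
}

/* Builds "<line_id>: <svc_id> <payload>" the way svc_logprint does, into a
 * logical LOGBUF_SIZE buffer at the start of a larger backing array.
 * fixed == 0 reproduces the advisory's marked line (the second write is
 * given the full bufsize); fixed != 0 passes only the room that is left.
 * Returns how many bytes landed beyond the logical buffer (0 when correct). */
static size_t log_overrun(int fixed, const char *line_id, const char *svc_id,
                          const char *payload)
{
    char backing[BACKING_SIZE];
    char *buf = backing;
    size_t bufsize = LOGBUF_SIZE;
    size_t remaining, total;
    int len;

    memset(backing, 0, sizeof backing);
    len = nprint(buf, bufsize, "%s: %s ", line_id, svc_id);

    if (fixed)
        remaining = bufsize > (size_t)len ? bufsize - (size_t)len : 0;
    else
        remaining = bufsize;            /* the bug: ignores the len bytes already used */
    nprint(&buf[len], remaining, "%s", payload);

    /* bytes used, including the terminating NUL */
    total = (size_t)len + strlen(&buf[len]) + 1;
    return total > LOGBUF_SIZE ? total - LOGBUF_SIZE : 0;
}

/* Constructed scenario: a 1010-character ident reply (the length the advisory
 * derives) and a service name long enough that prefix + payload exceeds 1024. */
static size_t demo_overrun(int fixed)
{
    char payload[1011];

    memset(payload, 'A', 1010);
    payload[1010] = '\0';
    return log_overrun(fixed, "USERID", "longservicename", payload);
}

int main(void)
{
    printf("buggy: %zu byte(s) past the log buffer\n", demo_overrun(0));
    printf("fixed: %zu byte(s) past the log buffer\n", demo_overrun(1));
    return 0;
}
```

The check worth carrying into a code review is the one on the marked line: every write that starts at an offset into a buffer must be sized as `bufsize - offset`, and the offset returned by a truncating formatter can never be assumed smaller than the buffer. As the advisory notes, whether the prefix tips the total past 1024 depends on the service name and log line id, so a short name like "ftp" staying inside the buffer does not mean the code is correct.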