Subject: (no subject)
From: Peter Eriksson (peter IFM.LIU.SE)
Date: Thu Apr 20 2000 - 02:21:09 CDT
Del Elson writes:
>A client was hacked last week by what looked like a buffer
>overflow through in.identd. This was on a Red Hat 6.0
>box.
>
>RH don't have any current security notices or fixes for
>in.identd on their servers, and I haven't seen other
>boxes hacked through in.identd recently.
...
>Anyone know of any current bug notices, exploits, or
>patches for in.identd?
As the author of the Identd daemon I would *greatly* appreciate
being told about these issues directly, instead of finding out
about them second hand...
As far as I know there are *no* buffer overrun bugs in Pidentd.
From the scarce information in the letter I was forwarded it
*looks* like Redhat 6.0 is using Pidentd version 2, which
uses code like this to parse the request from the remote client:

    rcode = fscanf(fp, " %d , %d", &lport, &fport);

(On the data received from the remote client). I'm having
a hard time seeing how to get an exploitable buffer overrun
from that code (sans strange bugs in Redhat's libc).
(If that indeed is the problem, then Pidentd v3 uses another
method of parsing the data from the user).
Also, on Linux systems you don't have to run Identd as
root (I *think* that Redhat ships with Identd started as
user "nobody" from Inetd, at least they did that in Redhat 5.0).
- Peter
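The parsing step discussed in the message above, as an added example that is not part of the original post and is not Pidentd source code: the first function applies the quoted conversion string to a string with sscanf, and the second is a stricter strtol-based variant for comparison. The function names and the 1..65535 port range check are assumptions of this example.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Same conversion string as the line quoted in the message, applied to a
 * string with sscanf instead of a stream with fscanf. Returns the number
 * of fields converted (2 on success). Each %d stores into one int, so the
 * length of the input never changes how much memory is written. */
int parse_ident_scanf(const char *req, int *lport, int *fport)
{
    return sscanf(req, " %d , %d", lport, fport);
}

/* Parse one port with strtol so empty and out-of-range input is rejected. */
static int parse_port(const char **p, int *out)
{
    char *end;
    long v;

    errno = 0;
    v = strtol(*p, &end, 10);
    if (end == *p || errno == ERANGE || v < 1 || v > 65535)
        return -1;
    *out = (int)v;
    *p = end;
    return 0;
}

/* Stricter variant (hypothetical helper): "<port> , <port>" with both
 * ports in 1..65535 and nothing but line-ending whitespace afterwards.
 * Returns 0 on success, -1 on malformed or out-of-range input. */
int parse_ident_strict(const char *req, int *lport, int *fport)
{
    const char *p = req;

    if (parse_port(&p, lport) != 0)
        return -1;
    while (*p == ' ' || *p == '\t')
        p++;
    if (*p++ != ',')
        return -1;
    if (parse_port(&p, fport) != 0)
        return -1;
    while (*p == ' ' || *p == '\t' || *p == '\r' || *p == '\n')
        p++;
    return *p == '\0' ? 0 : -1;
}
```

A caller of the sscanf form has to check that the return value is exactly 2 before using either port, and still has to range-check the values itself.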