Date: Wed, 29 Nov 2000 05:50:05 +0100
From: Roman Drahtmueller <draht@SUSE.DE>
Subject: Re: SuSE Linux 6.x 7.0 Ident buffer overflow
To: BUGTRAQ@SECURITYFOCUS.COM

> Platforms: SuSE Linux 6.x 7.0
> Risk Level: High
> Author: Niels Heinen
> Vendor Status: Notified patches will be available today.
> ***************************************************************************

First off, we thank Niels Heinen for contacting us at our security contact
address security@suse.de. We have agreed on this date to release the
information about the bug.

> Impact of the vulnerability:
> ====================
> This advisory details a buffer overflow vulnerability under SuSE Linux
> that can enable a malicious user to cause Identification Protocol
> (Ident) handling to crash. Due to the overflow, the system will no
> longer be able to establish certain connections which use Ident, for
> example IRC (Internet Relay Chat) connections. If the Ident daemon is
> not running, users wishing to connect to IRC will not be allowed to
> make a connection. In this case the vulnerability could be used in
> a denial of service attack to keep a person off IRC. It's not clear at
> this present time whether this vulnerability could be exploited in
> such a way that arbitrary code is executed. If so, this will happen
> with the privileges of the user "nobody" in a default installation.

Thomas Biege, Sebastian Krahmer, Adrian Schröter and myself have been
looking at the code, each of us having found a glitch (the multithreaded
implementation makes debugging an interesting adventure! :-). It turned
out that the daemon dies because of a misinterpretation of the return
value of vsnprintf() (which was subject to a change in glibc 2.1). Upon
detecting that the buffer is too short to keep the data, the daemon
decides to "int *p = (int *) NULL; *p = 4711;", or, in other words, to
segfault and commit suicide.

This is bright because a return address on the stack that might have been
overwritten is not used (an actual buffer overflow doesn't take place,
though). OTOH, it's not very bright since the auth service is denied as a
consequence of the daemon shooting itself in the foot. The risk imposed by
the crashed daemon is considerably low. Personally, I find that this
behaviour suits the necessity and the usefulness of the protocol itself.

> Who's vulnerable ?
> ==============
> This vulnerability has been tested on SuSE version 6.x and version
> 7.0. Previous versions may also be affected. Further testing will
> reveal whether other Linux distributions are vulnerable.

in.identd in older releases of the SuSE Linux distribution can be crashed,
too. Other vendors ship this daemon, too, and will release advisories
about the issue soon.

With the release of the SuSE-7.0 distribution, the in.identd daemon is
contained in a separate package - before 7.0, it was included in the nkitb
package. We will provide updates for the 6.x and 7.0 distributions as
usual, but it will take another few days since changes in the nkitb
package need thorough testing.

In the meanwhile, you may want to disable the service by changing

  START_IDENTD="yes"    # default

to

  START_IDENTD="no"

in /etc/rc.config and by killing the daemon (`killall in.identd'). Thanks
to Niels for pointing this out, too.

If you want to know more about the identd, please install the package
"rfc" that can be found in the documentation series of all SuSE
distributions and read rfc1413.txt, to be found in /usr/doc/rfc or
/usr/share/doc/rfc (SuSE-7.0).

Thanks,
Roman.
--
 -
| Roman Drahtmüller      <draht@suse.de> //          "Caution: Cape does |
  SuSE GmbH - Security           Phone: //       not enable user to fly." |
| Nürnberg, Germany      +49-911-740530  // (Batman Costume warning label) |
 -
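The vsnprintf() return-value change that the reply above attributes the crash to, as an added illustration (this is not code from in.identd, from the nkitb package, or from the advisory, and how in.identd itself tests the return value is not shown on the page). Under glibc 2.0 vsnprintf() returned -1 when the output was cut off; under glibc 2.1 and C99 it returns the length the complete output would have had, so truncation shows up as a return value of at least the buffer size. The example formats a constructed RFC 1413 reply line into buffers of two sizes and contrasts a caller that only tests for -1 with a check that is correct under both conventions; the port numbers, user name and buffer sizes are made up for the demonstration.

```c
/*
 * Added example, not code from in.identd or from the advisory.
 *
 *   glibc 2.0 (pre-C99):  vsnprintf() returns -1 if the output was cut off.
 *   glibc 2.1 / C99:      vsnprintf() returns the length the complete output
 *                         would have had; truncation means n >= size, and the
 *                         return is never -1 for that reason.
 *
 * A caller that only tests for -1 therefore sees "success" on glibc 2.1 and
 * takes n as the length of what is in the buffer, which is wrong; a caller
 * that treats n >= size as fatal fires on glibc 2.1 where it never did before.
 */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

enum fmt_result { FMT_OK = 0, FMT_TRUNCATED = 1, FMT_ERROR = 2 };

/* Portable interpretation: n < 0 is an error (or old-style truncation),
 * n >= size is C99-style truncation, anything else is a complete string. */
static enum fmt_result fmt_checked(char *buf, size_t size, const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(buf, size, fmt, ap);
    va_end(ap);

    if (n < 0)
        return FMT_ERROR;
    if ((size_t)n >= size)
        return FMT_TRUNCATED;   /* buf holds the first size-1 bytes only */
    return FMT_OK;
}

/* Legacy interpretation written against glibc 2.0: only -1 means "did not
 * fit", and n is trusted as the number of bytes now sitting in buf. */
static int fmt_legacy_len(char *buf, size_t size, const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(buf, size, fmt, ap);
    va_end(ap);

    return n;   /* -1 on glibc 2.0 truncation; the needed length on C99 */
}

/* Constructed RFC 1413 reply line; 38 bytes long with these arguments. */
static const char *const sample_fmt = "%d , %d : USERID : UNIX : %s\r\n";
#define SAMPLE_SERVER_PORT 6193
#define SAMPLE_CLIENT_PORT 23
#define SAMPLE_USER        "someuser"

/* Format the sample reply into a buffer limited to `size` bytes (max 64)
 * and report what the portable check says about it. */
int checked_result(size_t size)
{
    char buf[64];

    if (size > sizeof buf)
        size = sizeof buf;
    return fmt_checked(buf, size, sample_fmt,
                       SAMPLE_SERVER_PORT, SAMPLE_CLIENT_PORT, SAMPLE_USER);
}

/* Returns 1 when the legacy caller's idea of the string length disagrees
 * with what is really in the buffer, i.e. the truncation went unnoticed. */
int legacy_misjudges(size_t size)
{
    char buf[64];
    int n;

    if (size > sizeof buf)
        size = sizeof buf;
    n = fmt_legacy_len(buf, size, sample_fmt,
                       SAMPLE_SERVER_PORT, SAMPLE_CLIENT_PORT, SAMPLE_USER);
    if (n == -1)
        return 0;               /* glibc 2.0 would have flagged it here */
    return (size_t)n != strlen(buf);
}

int main(void)
{
    size_t sizes[] = { 16, 64 };
    size_t i;

    for (i = 0; i < sizeof sizes / sizeof sizes[0]; i++)
        printf("size %2zu: checked=%d legacy_misjudges=%d\n",
               sizes[i], checked_result(sizes[i]), legacy_misjudges(sizes[i]));
    return 0;
}
```

Compiled against any C99 libc, the 16-byte buffer case reports FMT_TRUNCATED from the portable check while the legacy caller believes it holds a 38-byte string in a 16-byte buffer; the 64-byte case is clean under both. A daemon that checks the return value the portable way can drop or truncate an oversized reply instead of ending up in a fatal "buffer too short" branch.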