Date: Wed, 22 Dec 1999 22:18:51 -0500 (EST)
From: Jacques Gelinas <jack@solucorp.qc.ca>
To: Linux Weekly News <lwn@rdnzl.eklektix.com>
Subject: Re: [Elias Levy <aleph1@SECURITYFOCUS.COM>] (Possible) Linuxconf

On 22 Dec 1999, Linux Weekly News wrote:

> 
> 
> Jacques,
> 
>     Has this security discussion regarding linuxconf been brought
> to your attention?  I would like to report on it for the Linux Weekly News
> (LWN.net), but word from the package maintainer either confirming/denying
> or providing workarounds or solutions is always best to have.

Yes, I am aware of this claim. I have the code that is supposed to do the
exploit. Here is what I know so far.

-The bug is related to the web interface. By default, linuxconf listens on
 port 98 using inetd. The service is enabled by default in inetd.

-Inside linuxconf (networking/misc/linuxconf network access), you can
 configure which network/host may access the service. The list is empty
 by default. Further, there is a check-box to enable the whole thing,
 and it is disabled by default. Said differently, if you have linuxconf
 and don't know anything about this dialog, then the exploit is not
 possible. Linuxconf checks the flag and later validates the origin before
 it tries any parsing of the input buffer.

-If the exploit is possible, it must occur from a host or network that
 already has access to linuxconf. Note that the access requires a
 user/password pair. But the exploit only relies on linuxconf trying
 to parse the HTTP request.

-So far, I have not been able to do anything useful with the "linexp"
 exploit code. The code looks experimental and you must tweak one
 offset to make it effective. I have tried all possible offsets and was not
 able to produce any invalid behavior. Linuxconf did not crash. It
 simply sends the greeting page, or does nothing and waits for further
 input.

 The original poster who found the linexp program did not succeed either.

-I have reviewed the code and can't find anything wrong. All input buffers
 are manipulated cleanly.

So this could be a false alarm, but many people have reported that
service 98 is scanned, so I would guess that there is a reason for that.

If the exploit is possible, the solution is to disable "linuxconf network
access" using the supplied check-box. Default linuxconf installations are
safe.

I am still trying to prove whether the exploit is possible. So far, I have not
crashed linuxconf using the exploit.

But

The posted linexp is buggy. As is, it has at least two flaws. This may
prove that this version is not the "official" one but a work in progress.
The flaws are:

	-It sends an HTTP header for a POST command. A POST command requires
	 an empty line between the header and the variable values. This
	 line is missing. I have tried to fix the code to see if it
	 "performs" better.

	-There is a "shell" static variable at the start of the code. This
	 variable contains some cryptic sequence which looks like
	 a normal buffer overflow exploit (as far as I can tell; I am no expert
	 on this stuff).

	-The main function also defines a local "shell" variable which
	 shadows the static one. Further, the local one is not even
	 initialised, but is used.

To make it short:

-We have no proof that the exploit is possible.
-We know that port 98 has been probed.
-No one has reported a crack that might be related to linuxconf.

Note that in June 1998, this code (the HTTP parser) was reviewed and was
fixed to make it more robust/secure. The code has not been changed since
(in this area).

Prior to linuxconf 1.11 (spring 1998, if I recall), the default behavior
for the web mode was different. It was on by default, but connections were
only allowed from the loopback and from the local network (the network
connected directly to eth0).

So we are investigating. I would suggest that anyone using a very old copy
of linuxconf either update or comment out the line in /etc/inetd.conf.
Maybe the attack is targeting these old copies.

This is all I know. I will continue to investigate, trying to at least
segfault linuxconf from an input on port 98.

---------------------------------------------------------
Jacques Gelinas <jack@solucorp.qc.ca>
All kind of open-source goodies: linuxconf, virtualfs, xterminals toolkit
http://www.solucorp.qc.ca/
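The message describes two things worth seeing side by side: the order in which linuxconf's web mode gates a connection (enable flag first, then the allowed-network list, and only then any parsing of the request), and the POST formatting flaw in the posted linexp (no empty line between the header and the body). The C below is an added illustration of that gating discipline written for this page; it is not linuxconf's code, and every name in it (handle_request, access_config, net_rule, the verdict values) is hypothetical. The request strings and network rule are constructed sample input.

```c
/* Added example (not linuxconf's code): a toy model of "check the flag,
 * validate the origin, and only then parse the request". Names are
 * hypothetical. Compile with: cc -std=c99 -Wall gate.c */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum verdict { ACCEPTED = 0, REJECT_DISABLED, REJECT_ORIGIN, REJECT_MALFORMED };

/* One allowed network/host: address and netmask, both host byte order. */
struct net_rule { uint32_t addr; uint32_t mask; };

struct access_config {
    int network_access_enabled;     /* the check-box; off by default */
    const struct net_rule *rules;   /* allowed networks/hosts; empty by default */
    size_t nrules;
};

/* Origin check: the client must match at least one configured rule.
 * With an empty list nothing matches, which is the default state. */
static int origin_allowed(const struct access_config *cfg, uint32_t client)
{
    for (size_t i = 0; i < cfg->nrules; i++)
        if ((client & cfg->rules[i].mask) == (cfg->rules[i].addr & cfg->rules[i].mask))
            return 1;
    return 0;
}

/* Minimal shape check, reached only after access is established.
 * A POST must carry an empty line ("\r\n\r\n" or "\n\n") separating the
 * header from the variable values; the message notes linexp omits it. */
static int request_well_formed(const char *req)
{
    int is_post = strncmp(req, "POST ", 5) == 0;
    int is_get  = strncmp(req, "GET ", 4) == 0;
    if (!is_post && !is_get)
        return 0;
    if (is_post && strstr(req, "\r\n\r\n") == NULL && strstr(req, "\n\n") == NULL)
        return 0;
    return 1;
}

/* The gate: flag -> origin -> parse. An unparsed request from a
 * disallowed origin never reaches the parser at all. */
enum verdict handle_request(const struct access_config *cfg, uint32_t client,
                            const char *req)
{
    if (!cfg->network_access_enabled)
        return REJECT_DISABLED;
    if (!origin_allowed(cfg, client))
        return REJECT_ORIGIN;
    if (!request_well_formed(req))
        return REJECT_MALFORMED;
    return ACCEPTED;
}

int main(void)
{
    /* Constructed sample rule: allow 192.168.1.0/24 only. */
    const struct net_rule rules[] = { { 0xC0A80100u, 0xFFFFFF00u } };
    struct access_config defaults = { 0, NULL, 0 };     /* shipped state */
    struct access_config enabled  = { 1, rules, 1 };    /* admin turned it on */
    const uint32_t lan_host = 0xC0A80105u;              /* 192.168.1.5 */
    const uint32_t outsider = 0x0A000005u;              /* 10.0.0.5 */

    printf("defaults, any host:      %d\n",
           handle_request(&defaults, lan_host, "GET / HTTP/1.0\r\n\r\n"));
    printf("enabled, outsider:       %d\n",
           handle_request(&enabled, outsider, "GET / HTTP/1.0\r\n\r\n"));
    printf("enabled, LAN, bad POST:  %d\n",
           handle_request(&enabled, lan_host,
                          "POST / HTTP/1.0\r\nContent-Length: 3\r\na=b"));
    printf("enabled, LAN, good POST: %d\n",
           handle_request(&enabled, lan_host,
                          "POST / HTTP/1.0\r\nContent-Length: 3\r\n\r\na=b"));
    return 0;
}
```

The point of the ordering is the one the message makes: with the check-box off, or with the default empty list, the parser is never invoked, so a parsing bug (real or not) is unreachable from the network. The malformed POST case shows why a missing blank line is a request-format error rather than a path to the variable parser.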