Date: Tue, 28 Nov 2000 17:20:11 +0100
From: Niels Heinen <niels.heinen@UBIZEN.COM>
Subject: SuSE Linux 6.x 7.0 Ident buffer overflow
To: BUGTRAQ@SECURITYFOCUS.COM

This is a cryptographically signed message in MIME format.

***************************************************************************
Subject:        Ident buffer overflow
Platforms:      SuSE Linux 6.x 7.0
Risk Level:     High
Author:         Niels Heinen
Vendor Status:  Notified; patches will be available today.
***************************************************************************

Impact of the vulnerability:
====================

This advisory details a buffer overflow vulnerability under SuSE Linux
that can enable a malicious user to cause Identification Protocol (Ident)
handling to crash. Due to the overflow, the system will no longer be able
to establish certain connections which use Ident, for example IRC
(Internet Relay Chat) connections.

If the Ident daemon is not running, users wishing to connect to IRC will
not be allowed to make a connection. In this case the vulnerability could
be used in a denial of service attack to keep a person off IRC.

It is not clear at present whether this vulnerability could be exploited
in such a way that arbitrary code is executed. If so, this will happen
with the privileges of the user "nobody" in a default installation.

Who's vulnerable?
==============

This vulnerability has been tested on SuSE version 6.x and version 7.0.
Previous versions may also be affected. Further testing will reveal
whether other Linux distributions are vulnerable.

Technical description:
================

By sending longer than expected strings to the identd port, a remote
attacker can crash the daemon. Given the right length of the string, the
daemon will also fail to leave any log message.

Seeing the following in the logfile (/var/log/messages)

    date: suse-machine in.identd[xxx]: s_snprintf(...) = ?: buffer overrun

is a clear indication of being attacked with a message length that
produces log entries.

Some other Linux distributions are not vulnerable in the same way, but
have to be looked at for suspicious log entries. Another test machine
here, running Red Hat, issued a "Full buffer closing connection" error.

Workarounds:
===========

If you don't need Ident, you can keep the risk lowest by disabling the
ident daemon. This can be done by editing /etc/rc.config. Look for a line
like the one below:

    START_INDENTD="yes"

Change the yes value to no and save the file. After that, type as root

    killall -9 in.identd

to stop the ident daemon.

More information:
==============

Bug finder:           Niels Heinen (niels.heinen@ubizen.com)
Suse web site:        http://www.suse.com
Suse security email:  security@suse.com
SecurityWatch.com:    http://www.securitywatch.com
Ident RFC:            http://andrew2.andrew.cmu.edu/rfc/rfc1413.html

The Disclaimer:
=============

***********************************************************************************
All documents and services are provided as is. Ubizen expressly disclaims
all warranties, express or implied, including without limitation any
implied warranties of merchantability or fitness for a particular purpose,
and warranties as to accuracy, completeness or adequacy of information.
Ubizen cannot be held accountable for any incorrect or erroneous
information. By using the provided documents or services, the user
assumes all risks.
***********************************************************************************
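
Added example, not part of the original advisory or of any vendor tooling: a scan of syslog lines for the two identd messages quoted under "Technical description", run over constructed sample lines. The syslog line layout, host names, PIDs, the second program name and the function names are assumptions made for the example.

```python
import re
from collections import Counter

# Classic syslog layout (assumed): "Mon DD HH:MM:SS host prog[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

# The two message texts quoted in the advisory; "(...)" and "?" stand for
# values the advisory elides, so they are matched loosely.
INDICATORS = {
    "suse_buffer_overrun": re.compile(r"s_snprintf\(.*\) = .*: buffer overrun"),
    "full_buffer_close": re.compile(r"full buffer\W+closing connection", re.I),
}

# Constructed sample input (not real log data).
SAMPLE_LOG = """\
Nov 28 17:01:02 suse-machine in.identd[412]: s_snprintf(...) = ?: buffer overrun
Nov 28 17:01:05 suse-machine kernel: eth0: link up
Nov 28 17:02:11 rh-machine identd[977]: Full buffer, closing connection
Nov 28 17:03:40 suse-machine in.identd[430]: s_snprintf(...) = ?: buffer overrun
this line is not syslog and is skipped
"""


def scan(lines):
    """Return one dict per identd log line that matches an indicator."""
    hits = []
    for line in lines:
        m = SYSLOG_RE.match(line.rstrip("\n"))
        if not m or "identd" not in m["prog"]:
            continue  # unparsable line or a different program
        for name, pattern in INDICATORS.items():
            if pattern.search(m["msg"]):
                hits.append({"ts": m["ts"], "host": m["host"],
                             "pid": m["pid"], "indicator": name})
                break
    return hits


def summarize(hits):
    """Count hits per (host, indicator) so repeated crashes stand out."""
    return Counter((h["host"], h["indicator"]) for h in hits)


if __name__ == "__main__":
    for key, count in sorted(summarize(scan(SAMPLE_LOG.splitlines())).items()):
        print(key, count)
```

A clean result does not rule out an attempt: the advisory notes that with the right string length the daemon leaves no log message at all.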