(Details Provided) Re: RedHat's Xinetd Networking Daemon Package May Allow Remote Users to Execute Arbitrary Code as Root and Allow Local Users to Modify System Files
SecurityTracker Alert ID: 1001704
SecurityTracker URL: http://securitytracker.com/id/1001704
CVE Reference: GENERIC-MAP-NOMATCH
Date: Jun 8 2001
Impact: Execution of arbitrary code via network, Modification of system information
Exploit Included: Yes
Version(s): prior to 2.1.8.9pre15-2
Description:
Red Hat reports a vulnerability in earlier versions of its Xinetd package that allows local users to modify some system files and may allow remote users to execute arbitrary code on the server with root-level privileges.
It is reported that there is a potential buffer overflow in xinetd-2.1.8.9pre11-1 that does not seem to be exploitable in a default Red Hat 7.0 configuration. However, there may be other distributions and/or configurations in which it is exploitable.
The vulnerability is due to a bug in the following section of the svc_logprint() function (in xinetd/log.c) that may allow a remote user to obtain root-level access:
...
len = strx_nprint( buf, bufsize, "%s: %s ", line_id, SVC_ID( sp ) ) ;
va_start( ap, fmt ) ;
*-> cc = strx_nprintv( &buf[ len ], bufsize, fmt, ap ) ;
va_end( ap ) ;
...
(bufsize = sizeof(buf) == LOGBUF_SIZE = 1024)
The marked line ("*->") writes the formatted argument starting at offset len but passes the full bufsize as the bound instead of the remaining (bufsize-len) bytes, so an argument longer than (bufsize-len) triggers the overflow.
The ident feature allows returning 1024 bytes of information, and that information, less the "source,dest" component and less the "\r\n" characters, is passed to the svc_logprint() function as an argument. An example is: "1024,21:USERID:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...AA\r\n", where the string is 1024 characters.
(xinetd/ident.c)
...
svc_logprint( SERVER_CONNSERVICE( serp ), USERID_ENTRY, "%s", p ) ;
...
If strlen(line_id)+strlen(SVC_ID( sp )) > 14, the buffer overflow will occur. The server is still running as root while this happens.
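The bound mistake above, as an added example that is not xinetd's code: a hardened counterpart of the two-step prefix-then-argument write that hands the second write only the space left after the prefix (bufsize - len), an arithmetic model of the original size check, and a self-check that feeds the hardened function a 1010-byte argument behind a long prefix and confirms the write stays inside the buffer. The function names log_format, overflows_logbuf and demo_truncation, the "ftp-connection" line id and the 8+8 prefix lengths are assumptions made for the example; the 1010-byte 'A' argument and LOGBUF_SIZE are taken from the advisory's figures. The model assumes snprintf-style semantics (at most bound-1 characters plus a terminator) for strx_nprintv.

```c
/* Added example (not xinetd's code): a bounded two-step log write and an
 * arithmetic model of the svc_logprint() size mistake. Function names are
 * illustrative. */
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define LOGBUF_SIZE 1024 /* the advisory's LOGBUF_SIZE */

/* Hardened form of the prefix-then-argument write. The second call gets
 * bufsize - len, the space actually left after the prefix, so it can only
 * truncate, never run past buf[bufsize - 1]. Returns the length the full
 * message would have had, so a caller detects truncation by comparing the
 * return value against bufsize - 1. */
size_t log_format(char *buf, size_t bufsize, const char *line_id,
                  const char *svc_id, const char *fmt, ...)
{
    va_list ap;
    int n, m;

    if (bufsize == 0)
        return 0;
    n = snprintf(buf, bufsize, "%s: %s ", line_id, svc_id);
    if (n < 0) {
        buf[0] = '\0';
        return 0;
    }
    if ((size_t)n >= bufsize)
        return (size_t)n; /* prefix alone filled the buffer; buf is terminated */

    va_start(ap, fmt);
    m = vsnprintf(buf + n, bufsize - (size_t)n, fmt, ap); /* remaining space, not bufsize */
    va_end(ap);
    if (m < 0)
        return (size_t)n;
    return (size_t)n + (size_t)m;
}

/* Model of the original call, which passed the whole bufsize for a write
 * that starts at offset len. Assumes snprintf-style semantics for
 * strx_nprintv: at most bufsize - 1 characters plus a terminator. Returns
 * 1 if the terminator would land at or beyond buf[LOGBUF_SIZE]. */
int overflows_logbuf(size_t line_id_len, size_t svc_id_len, size_t arg_len)
{
    size_t len = line_id_len + 2 + svc_id_len + 1;       /* "%s: %s " */
    size_t written = arg_len < LOGBUF_SIZE ? arg_len : LOGBUF_SIZE - 1;
    return len + written + 1 > LOGBUF_SIZE;
}

/* Self-check with the advisory's figures: a constructed 1010-byte argument
 * (the ident reply minus "source,dest:" and CRLF) behind a constructed
 * prefix long enough to overflow the original code. A canary follows the
 * buffer; returns 1 if the buffer is terminated at its last byte and the
 * canary is untouched. */
int demo_truncation(void)
{
    struct {
        char buf[LOGBUF_SIZE];
        char canary[8];
    } g;
    char arg[1011];
    char expect[8];
    size_t want;

    memset(arg, 'A', sizeof arg - 1);
    arg[sizeof arg - 1] = '\0';
    memset(g.canary, 0x5a, sizeof g.canary);
    memset(expect, 0x5a, sizeof expect);

    want = log_format(g.buf, sizeof g.buf, "ftp-connection", "ftp", "%s", arg);

    return want > LOGBUF_SIZE - 1                 /* message did not fit */
        && strlen(g.buf) == LOGBUF_SIZE - 1        /* truncated, terminated */
        && memcmp(g.canary, expect, sizeof expect) == 0; /* nothing past buf */
}

int main(void)
{
    printf("8+8 prefix with 1010-byte arg overflows original: %d\n",
           overflows_logbuf(8, 8, 1010));
    printf("hardened write stays in bounds: %d\n", demo_truncation());
    return 0;
}
```

The point of the model function is that the overflow depends only on the prefix length and the argument length, which is why the advisory ties exploitability to the service name: the same 1010-byte ident reply is harmless behind a short prefix and fatal behind a long one.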
Impact:
A local user can modify some files that were created by applications using Xinetd's umask. A remote user can cause a buffer overflow on the server while the Xinetd service is running with root-level privileges, potentially allowing for remote code execution.
Solution:
The vendor has released updated packages (2.1.8.9pre15-2). See the Message History for the vendor's advisory.
Vendor URL: www.redhat.com/
Cause:
Access control error
Underlying OS:
Linux (Red Hat Linux)
Message History:
This archive entry is a follow-up to the message listed below.
Source Message Contents
Date: Sat, 9 Jun 2001 02:10:41 +1200 (NZST)
Subject: potential buffer overflow in xinetd-2.1.8.9pre11-1
***************************************************************
Potential remote overflow fixed in patched version of xinetd
***************************************************************
***************************************************************
Problem: potential buffer overflow in xinetd-2.1.8.9pre11-1
***************************************************************
***************************************************************
Fix: update to xinetd-2.1.8.9pre15-2 (for redhat ppl)
***************************************************************
Please note: This does not seem to be exploitable in a default
setup RH 7.0 machine. However, there may be other distributions/
configurations that it is used in where it is exploitable.
***************************************************************
Details of the problem
***************************************************************
svc_logprint (in xinetd/log.c) has a slight bug which may allow remote
root access.
...
len = strx_nprint( buf, bufsize, "%s: %s ", line_id, SVC_ID( sp ) ) ;
va_start( ap, fmt ) ;
*-> cc = strx_nprintv( &buf[ len ], bufsize, fmt, ap ) ;
va_end( ap ) ;
...
(bufsize=sizeof(buf) == LOGBUF_SIZE = 1024)
If an argument to the marked line is longer than (bufsize-len) then it
will overflow the string.
The ident feature allows returning 1024 bytes of information, and that
information, less the
source,dest: component and the \r\n, is passed to svc_logprint() as an
argument.
1024,21:USERID:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...AA\r\n
such that the string totals 1024 characters for example.
If a malicious root user was to connect, he could set his own source
port to something like 1,
which would gain him another 3-4 characters.
1,21:USERID:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...AAAAA\r\n
The string is then truncated at the \r
(xinetd/ident.c)
...
svc_logprint( SERVER_CONNSERVICE( serp ), USERID_ENTRY, "%s", p ) ;
...
p would then be a string 1010 characters long.
If strlen(line_id)+strlen(SVC_ID( sp ) )>14 then we have a buffer
overflow.
With the ftp service I was only able to get a 1022 byte buffer written
but with other services
with longer names that use authentication, this could be a serious
problem.
The server is still running as root while this happens.
--zen-parse