Category:   Application (Generic)  >   Xinetd
Vendors:   Red Hat
(Immunix Has Released a Fix) Re: RedHat's Xinetd Networking Daemon Package May Allow Remote Users to Execute Arbitrary Code as Root and Allow Local Users to Modify System Files
SecurityTracker Alert ID:  1001740
SecurityTracker URL:  http://securitytracker.com/id/1001740
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jun 13 2001
Impact:   Execution of arbitrary code via network, Modification of system information
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): prior to 2.1.8.9pre15-2
Description:   Red Hat reports a vulnerability in earlier versions of their Xinetd package that allows local users to modify some system files and may allow remote users to execute arbitrary code on the server with root-level privileges.

It is reported that Xinetd runs with umask 0, so applications that inherit the xinetd umask and do not set file permissions themselves will create world-writable files, which may not have been intended.

This could allow local users to modify system files, potentially leading to further exploitation.

It is also reported that there is a potential buffer overflow vulnerability that may allow remote users to execute code on the server with root-level privileges (see the Message History for details on this vulnerability).

Impact:   A local user can modify some files that were created by applications using Xinetd's umask. A remote user can cause a buffer overflow on the server while the Xinetd service is running with root-level privileges, potentially allowing for remote code execution.
Solution:   Immunix has released a fix. See the Source Message for details.
Vendor URL:  www.redhat.com/
Cause:   Access control error
Underlying OS:   Linux (Immunix)

Message History:   This archive entry is a follow-up to the message listed below.
Jun 6 2001 RedHat's Xinetd Networking Daemon Package May Allow Remote Users to Execute Arbitrary Code as Root and Allow Local Users to Modify System Files



 Source Message Contents

Date:  Tue, 12 Jun 2001 17:00:42 -0700
Subject:  [Immunix-announce] xinetd update -- Immunix OS 7.0




-----------------------------------------------------------------------
	Immunix OS Security Advisory

Packages updated:	xinetd
Affected products:	Immunix OS 7.0-beta and 7.0
Bugs fixed:		immunix/1614
Date:			Mon Jun 11 2001
Advisory ID:		IMNX-2001-70-024-01
Author:			Seth Arnold <sarnold@wirex.com>
-----------------------------------------------------------------------

Description:
  xinetd in the base Immunix OS 7.0 initially set its umask value to 0.
  This allows any services started via xinetd to create files that are
  world-writable unless the service changes its umask before creating
  files or specifies file modes when creating files. There is also a
  buffer overflow; StackGuard prevents this from being used to gain
  privileges, though an attacker could remotely kill the xinetd daemon.

  The default configuration of Immunix OS 7.0 has only wu-ftpd enabled;
  wu-ftpd appears to be careful when creating files to set the modes
  more restrictively, though we have not conducted an extensive audit.
  Users who have enabled other services may be at higher risk. A service
  known to be vulnerable is Samba's SWAT tool.

  Immunix OS 6.2 used inetd rather than xinetd and is not vulnerable.

  Everyone is encouraged to upgrade xinetd; those who have enabled other
  services or used identd logging should upgrade xinetd quickly and
  examine their systems for world-writable files.

  References: http://www.securityfocus.com/archive/1/189621
  http://www.securityfocus.com/archive/1/188847

  Thanks to Andrew Tridgell and zen-parse for finding these problems.

Package names and locations:
  Precompiled binary packages for Immunix 7.0-beta and 7.0 are available at:
  http://download.immunix.org/ImmunixOS/7.0/updates/RPMS/xinetd-2.1.8.9pre15-2_imnx.i386.rpm

  Source package for Immunix 7.0-beta and 7.0 is available at:
  http://download.immunix.org/ImmunixOS/7.0/updates/SRPMS/xinetd-2.1.8.9pre15-2_imnx.src.rpm

md5sums of the packages:
  8841c6a1d15a063ca1bb16ba132e0f7d  RPMS/xinetd-2.1.8.9pre15-2_imnx.i386.rpm
  da497d94349ab3d1b2e0713be4595875  SRPMS/xinetd-2.1.8.9pre15-2_imnx.src.rpm


GPG verification:
  Our public key is available at <http://wirex.com/security/GPG_KEY>.
  *** NOTE *** This key is different from the one used in advisories
  IMNX-2001-70-020-01 and earlier.

Online version of all Immunix 6.2 updates and advisories:
  http://immunix.org/ImmunixOS/6.2/updates/

Online version of all Immunix 7.0-beta updates and advisories:
  http://immunix.org/ImmunixOS/7.0-beta/updates/

Online version of all Immunix 7.0 updates and advisories:
  http://immunix.org/ImmunixOS/7.0/updates/

NOTE:
  Ibiblio is graciously mirroring our updates, so if the links above are
  slow, please try:
    ftp://ftp.ibiblio.org/pub/Linux/distributions/immunix/
  or one of the many mirrors available at:
    http://www.ibiblio.org/pub/Linux/MIRRORS.html

Contact information:
  To report vulnerabilities, please contact security@wirex.com. WireX 
  attempts to conform to the RFP vulnerability disclosure protocol
  <http://www.wiretrip.net/rfp/policy.html>.


_______________________________________________
Immunix-announce mailing list
Immunix-announce@wirex.com
http://mail.wirex.com/mailman/listinfo/immunix-announce
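
The umask inheritance described in the advisory, and the world-writable file check it recommends, shown as an added example that is not part of the Immunix advisory or the SecurityTracker entry. The function names, the two sample service commands and the 022 umask standing in for a corrected daemon are assumptions; all files are constructed in a temporary directory.

```shell
#!/bin/sh
# Added illustration: names and sample commands below are hypothetical.

# A service that creates a file and relies entirely on the inherited umask.
CARELESS=': > "$1"'
# A service that tightens its own umask before creating the file.
CAREFUL='umask 077; : > "$1"'

# Start a service as a child process that inherits the daemon's umask.
# $1 = daemon umask, $2 = service command, $3 = file the service creates
run_under() {
    ( umask "$1" && sh -c "$2" service "$3" )
}

# Print the octal permission bits of a file (GNU stat, then BSD stat).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# The audit the advisory asks for: regular files writable by "other".
# On a real host, point it at / (or each local filesystem) as root.
audit_world_writable() {
    find "$1" -xdev -type f -perm -0002 -print
}

demo() {
    d=$(mktemp -d) || return 1
    run_under 000 "$CARELESS" "$d/careless"  # umask 0 daemon, careless service
    run_under 000 "$CAREFUL"  "$d/careful"   # umask 0 daemon, careful service
    run_under 022 "$CARELESS" "$d/patched"   # assumed corrected daemon umask
    for f in careless careful patched; do
        printf '%-9s mode %s\n' "$f" "$(mode_of "$d/$f")"
    done
    echo "world-writable files found:"
    audit_world_writable "$d"
    rm -rf "$d"
}

demo
```

Only the file created by the careless service under the umask 0 daemon is reported by the audit; the same service under a restrictive daemon umask, or a service that sets its own umask, produces files the audit does not flag.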


 
 

