SecurityTracker.com
Category:   Application (Generic)  >   Xinetd
Vendors:   Red Hat
(EnGarde Releases Fix) Re: RedHat's Xinetd Networking Daemon Package May Allow Remote Users to Execute Arbitrary Code as Root and Allow Local Users to Modify System Files
SecurityTracker Alert ID:  1001880
SecurityTracker URL:  http://securitytracker.com/id/1001880
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jun 29 2001
Impact:   Execution of arbitrary code via network, Modification of system information
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): prior to 2.1.8.9pre15-2
Description:   Red Hat reports a vulnerability in earlier versions of their Xinetd package that allows local users to modify some system files and may allow remote users to execute arbitrary code on the server with root-level privileges.

It is reported that Xinetd runs with umask 0, meaning that applications using the xinetd umask and not setting the permissions themselves will create world writable files, which may not have been intended.

This could allow local users to modify system files, potentially leading to further exploit scenarios.

It is also reported that there is a potential buffer overflow vulnerability that may allow remote users to execute code on the server with root-level privileges (see the Message History for details on this vulnerability).

Impact:   A local user can modify some files that were created by applications using Xinetd's umask. A remote user can cause a buffer overflow on the server while the Xinetd service is running with root-level privileges, potentially allowing for remote code execution.
Solution:   EnGarde has released a fix. See the Source Message for upgrade instructions.
Vendor URL:  www.redhat.com/
Cause:   Access control error
Underlying OS:   Linux (EnGarde)

Message History:   This archive entry is a follow-up to the message listed below.
Jun 6 2001 RedHat's Xinetd Networking Daemon Package May Allow Remote Users to Execute Arbitrary Code as Root and Allow Local Users to Modify System Files



 Source Message Contents

Date:  Fri, 29 Jun 2001 09:59:31 -0400 (EDT)
Subject:  [ESA-20010621-01] xinetd updates


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


+------------------------------------------------------------------------+
| EnGarde Secure Linux Security Advisory                   June 21, 2001 |
| http://www.engardelinux.org/                           ESA-20010621-01 |
|                                                                        |
| Package:  xinetd                                                       |
| Summary:  There are various bugs and security issues in the version of |
|           xinetd that shipped with EnGarde Secure Linux 1.0.1.         |
+------------------------------------------------------------------------+

  EnGarde Secure Linux is a secure distribution of Linux that features
  improved access control, host and network intrusion detection, Web
  based secure remote management, complete e-commerce using AllCommerce,
  and integrated open source security tools.


OVERVIEW
- --------
  There are bugs (both security and non-security) in xinetd.  The
  non-security bug causes xinetd to fail after the first connection
  attempt and the security bug can potentially lead to a root compromise
  via a buffer overflow.


DETAIL
- ------
  The first bug is a non-security one.  There were several reports on the
  engarde-users mailing list of vsftpd only accepting the first connection
  and dropping all subsequent ones.  The users had a "Bad address" entry
  from xinetd in their logs.  Rob Braun explains this problem:

    "The specific bug is in libs/src/misc/env.c, in the environment
     handling.  The grow() function does a realloc() to extend the
     existing memory.  The memory returned by realloc() is in an undefined
     state, and that's what is causing the bad address." 

  This bug was fixed by upgrading to version 2.1.8.9pre15.

  The other bugs are as follows:

    1) xinetd was setting its umask to 0.  Thus, any children of xinetd
       would inherit this umask.  This is not much of a security issue
       because the only service that is run out of xinetd is vsftpd, which
       sets its own umask (027 by default).

    2) There was a buffer overflow in the logging code that could
       potentially allow a remote attacker to obtain root privileges by
       sending a very long username string in response to an ident
       request.  This bug was found by zen-parse@gmx.net.

  Both of these bugs were fixed by upgrading to version 2.1.8.9pre16.

  Additionally, this version disables ident checking by default in
  xinetd.conf.  If you would like to disable ident checking completely
  (which is recommended), you should remove the "USERID" option from the
  "log_on_success" and "log_on_failure" lines of /etc/xinetd.d/ftp.


SOLUTION
- --------
  All users should upgrade to the most recent version, as outlined in
  this advisory.  All updates can be found at:

    ftp://ftp.engardelinux.org/pub/engarde/stable/updates/
    http://ftp.engardelinux.org/pub/engarde/stable/updates/
    http://ftp.ibiblio.org/pub/linux/distributions/engarde/stable/updates/

  Before upgrading the package, the machine must either:

    a) be booted into a "standard" kernel; or
    b) have LIDS disabled.

  To disable LIDS, execute the command:

    # /sbin/lidsadm -S -- -LIDS_GLOBAL

  To install the updated package, execute the command:

    # rpm -Uvh <filename>

  Once the updated package is installed, you need to restart xinetd:

    # /etc/init.d/xinetd restart

  To re-enable LIDS (if it was disabled), execute the command:

    # /sbin/lidsadm -S -- +LIDS_GLOBAL

  To verify the signature of the updated packages, execute the command:

    # rpm -Kv <filename>


UPDATED PACKAGES
- ----------------
  These updated packages are for EnGarde Secure Linux 1.0.1 (Finestra).

  Source Packages:

    SRPMS/xinetd-2.1.8.9pre16-1.0.17.src.rpm
      MD5 Sum:  118787db019ca76f44dc00cdca67c36e

  Binary Packages:

    i386/xinetd-2.1.8.9pre16-1.0.17.i386.rpm
      MD5 Sum:  a48c022c82055db97f415f3f18bdefcf

    i686/xinetd-2.1.8.9pre16-1.0.17.i686.rpm
      MD5 Sum:  cc3e2a218918a1ff2c107b68d7cbe8b2



REFERENCES
- ----------

  Guardian Digital's public key:
    http://ftp.engardelinux.org/pub/engarde/ENGARDE-GPG-KEY

  xinetd's Official Web Site:
    http://www.xinetd.org/


- --------------------------------------------------------------------------
$Id: ESA-20010621-01-xinetd,v 1.2 2001/06/29 13:56:38 rwm Exp $
- --------------------------------------------------------------------------
Author: Ryan W. Maple, <ryan@guardiandigital.com> 
Copyright 2001, Guardian Digital, Inc.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE7PInLHD5cqd57fu0RAgkGAJ0ReyjI3b+hz9tQBJWFedmkd+u1GgCfcFVh
K2dMdDUDg2TQaPr3sHkRR/E=
=3Xm5
-----END PGP SIGNATURE-----
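
The advisory recommends removing the "USERID" option from the "log_on_success" and "log_on_failure" lines. The following C routine is an added example, not part of the advisory or of xinetd; the function name and both sample configurations are constructed for illustration. It counts the lines in an xinetd configuration text that still enable USERID, treating "-=" as a removal and skipping comment lines.

```c
#include <stdio.h>
#include <string.h>

/* Count log_on_success / log_on_failure lines that enable USERID (ident
 * lookups) via "=" or "+=". Lines using "-=" and '#' comments are ignored. */
int count_userid_logging(const char *conf)
{
    int hits = 0;
    char line[512];

    while (*conf) {
        size_t len = strcspn(conf, "\n");
        size_t n = len < sizeof line - 1 ? len : sizeof line - 1;
        memcpy(line, conf, n);               /* bounded copy of one line */
        line[n] = '\0';
        conf += len + (conf[len] == '\n');

        char *attr = strtok(line, " \t\r");
        if (!attr || attr[0] == '#') continue;
        if (strcmp(attr, "log_on_success") && strcmp(attr, "log_on_failure"))
            continue;
        char *op = strtok(NULL, " \t\r");
        if (!op || (strcmp(op, "=") && strcmp(op, "+="))) continue;
        for (char *v; (v = strtok(NULL, " \t\r")) != NULL; )
            if (strcmp(v, "USERID") == 0) { hits++; break; }
    }
    return hits;
}

/* Constructed sample: ident lookups still enabled on both lines. */
static const char SAMPLE_WEAK[] =
    "service ftp\n{\n"
    "\tsocket_type     = stream\n"
    "\tlog_on_success  += DURATION USERID\n"
    "\tlog_on_failure  += USERID\n"
    "}\n";

/* Constructed sample: USERID removed, commented out, or subtracted. */
static const char SAMPLE_FIXED[] =
    "service ftp\n{\n"
    "\t# log_on_failure += USERID\n"
    "\tlog_on_success  += DURATION\n"
    "\tlog_on_failure  -= USERID\n"
    "}\n";

int main(void)
{
    printf("weak:  %d line(s) enable USERID\n", count_userid_logging(SAMPLE_WEAK));
    printf("fixed: %d line(s) enable USERID\n", count_userid_logging(SAMPLE_FIXED));
    return 0;
}
```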


 
 



Copyright 2012, SecurityGlobal.net LLC