(Immunix Issues Supplementary Fix) RedHat's Xinetd Networking Daemon Package May Allow Remote Users to Execute Arbitrary Code as Root and Allow Local Users to Modify System Files
|
|
SecurityTracker Alert ID: 1001882 |
|
SecurityTracker URL: http://securitytracker.com/id/1001882
|
|
CVE Reference:
GENERIC-MAP-NOMATCH
(Links to External Site)
|
Date: Jun 30 2001
|
Impact:
Execution of arbitrary code via network, Modification of system information
|
Fix Available: Yes Vendor Confirmed: Yes
|
Version(s): prior to 2.1.8.9pre15-2
|
Description:
Red Hat reports a vulnerability in earlier versions of their Xinetd package that allows local users to modify some system files and may allow remote users to execute arbitrary code on the server with root-level privileges.
It is reported that Xinetd runs with umask 0, meaning that applications using the xinetd umask and not setting the permissions themselves will create world writable files, which may not have been intended.
This could allow local users to modify system files, potentially leading to further exploit scenarios.
It is also reported that there is a potential buffer overflow vulnerability that may allow remote users to execute code on the server with root-level privileges (see the Message History for details on this vulnerability).
|
Impact:
A local user can modify some files that were created by applications using Xinetd's umask. A remote user can cause a buffer overflow on the server while the Xinetd service is running with root-level privileges, potentially allowing for remote code execution.
|
Solution:
The vendor has released a fix. See the Source Message for the vendor's supplementary advisory containing directions on how to obtain the appropriate fix. This advisory affects only for Immunix OS 7.0 and is supplementary to the previously released Immunix xinetd advisory (IMNX-2001-70-024-01).
|
Vendor URL: www.redhat.com/ (Links to External Site)
|
Cause:
Access control error
|
Underlying OS:
Linux (Immunix)
|
|
Message History:
This archive entry is a follow-up to the message listed below.
|
Source Message Contents
|
Date: Fri, 29 Jun 2001 14:35:34 -0700
Subject: [Immunix-announce] xinetd update -- Immunix OS 7.0-beta, 7.0
|
--PGNNI9BzQDUtgA2J
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
-----------------------------------------------------------------------
Immunix OS Security Advisory
Packages updated: xinetd
Affected products: Immunix OS 7.0-beta and 7.0
Bugs fixed: immunix/1657
Date: Fri Jun 29 2001
Advisory ID: IMNX-2001-70-029-01
Author: Seth Arnold <sarnold@wirex.com
-----------------------------------------------------------------------
Description:
While researching the previous xinetd problem (announced by zen-parse
and discussed in Immunix OS Advisory IMNX-2001-70-024-01), Sebastian
Krahmer found some improper handling of strings when the length
argument to its own internal string handling functions is less than or
equal to zero. We think this could lead to arbitrary code execution by
remote attackers.
Because the string handling functions are called with arguments both
on the stack and on the heap, StackGuard is only partially effective
at stopping possible attacks.
This advisory is released only for Immunix OS 7.0 because 6.2 used
inetd. This advisory supplements IMNX-2001-70-024-01.
References: http://www.securityfocus.com/archive/1/194213
http://www.securityfocus.com/advisories/3357
Package names and locations:
Precompiled binary packages for Immunix 7.0-beta and 7.0 are available at:
http://download.immunix.org/ImmunixOS/7.0/updates/RPMS/xinetd-2.3.0-1_imnx.i386.rpm
Source package for Immunix 7.0-beta and 7.0 is available at:
http://download.immunix.org/ImmunixOS/7.0/updates/SRPMS/xinetd-2.3.0-1_imnx.src.rpm
Immunix OS 7.0 md5sums:
8d7e57365bb522c484e4e7435ca9eec5 RPMS/xinetd-2.3.0-1_imnx.i386.rpm
294cfb7c6bd84e6ed27e723872179c1e SRPMS/xinetd-2.3.0-1_imnx.src.rpm
GPG verification:
Our public key is available at <http://wirex.com/security/GPG_KEY>.
*** NOTE *** This key is different from the one used in advisories
IMNX-2001-70-020-01 and earlier.
Online version of all Immunix 6.2 updates and advisories:
http://immunix.org/ImmunixOS/6.2/updates/
Online version of all Immunix 7.0-beta updates and advisories:
http://immunix.org/ImmunixOS/7.0-beta/updates/
Online version of all Immunix 7.0 updates and advisories:
http://immunix.org/ImmunixOS/7.0/updates/
NOTE:
Ibiblio is graciously mirroring our updates, so if the links above are
slow, please try:
ftp://ftp.ibiblio.org/pub/Linux/distributions/immunix/
or one of the many mirrors available at:
http://www.ibiblio.org/pub/Linux/MIRRORS.html
Contact information:
To report vulnerabilities, please contact security@wirex.com. WireX
attempts to conform to the RFP vulnerability disclosure protocol
<http://www.wiretrip.net/rfp/policy.html>.
--PGNNI9BzQDUtgA2J
Content-Type: application/pgp-signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iEYEARECAAYFAjs89KUACgkQVQcWL60UVMsWRwCfc2q4FYQebUEK7qTgw1v8s9AT
noEAoJLQexSBwpFAzOwm1M5EdTS0dX2y
=7XVM
-----END PGP SIGNATURE-----
--PGNNI9BzQDUtgA2J--
_______________________________________________
Immunix-announce mailing list
Immunix-announce@wirex.com
http://mail.wirex.com/mailman/listinfo/immunix-announce
|
|
