Hi there! What do you think of this? Is 2.1.8.8 vulnerable? I checked the source code for my potato xinetd and it doesn't look like it is... Any opinions?

Miquel Martín
----- Forwarded message from [EMAIL PROTECTED] -----

Date: Sat, 9 Jun 2001 02:10:41 +1200 (NZST)
From: <[EMAIL PROTECTED]>
To: <bugtraq@securityfocus.com>
Subject: potential buffer overflow in xinetd-2.1.8.9pre11-1
Resent-To: Administrador del Sistema <[EMAIL PROTECTED]>
Resent-To: Miquel Martín López <[EMAIL PROTECTED]>

***************************************************************
Potential remote overflow fixed in patched version of xinetd
***************************************************************

***************************************************************
Problem: potential buffer overflow in xinetd-2.1.8.9pre11-1
***************************************************************

***************************************************************
Fix: update to xinetd-2.1.8.9pre15-2 (for redhat ppl)
***************************************************************

Please note: This does not seem to be exploitable in a default setup RH 7.0 machine. However, there may be other distributions/configurations that it is used in where it is exploitable.

***************************************************************
Details of the problem
***************************************************************

svc_logprint (in xinetd/log.c) has a slight bug which may allow remote root access.

    ...
    len = strx_nprint( buf, bufsize, "%s: %s ", line_id, SVC_ID( sp ) ) ;
    va_start( ap, fmt ) ;
    *-> cc = strx_nprintv( &buf[ len ], bufsize, fmt, ap ) ;
    va_end( ap ) ;
    ...

(bufsize = sizeof(buf) == LOGBUF_SIZE = 1024)

If an argument to the marked line is longer than (bufsize - len) then it will overflow the string.

The ident feature allows returning 1024 bytes of information, and that information, less the source,dest: component and the \r\n, is passed to svc_logprint() as an argument.

    1024,21:USERID:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...AA\r\n

such that the string totals 1024 characters, for example. If a malicious root user was to connect, he could set his own source port to something like 1, which would gain him another 3-4 characters.

    1,21:USERID:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...AAAAA\r\n

The string is then truncated at the \r (xinetd/ident.c):

    ...
    svc_logprint( SERVER_CONNSERVICE( serp ), USERID_ENTRY, "%s", p ) ;
    ...

p would then be a string 1010 characters long. If strlen(line_id) + strlen(SVC_ID( sp )) > 14 then we have a buffer overflow.

With the ftp service I was only able to get a 1022 byte buffer written, but with other services with longer names that use authentication, this could be a serious problem. The server is still running as root while this happens.

--zen-parse

----- End forwarded message -----
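The following is an added illustration, not code from the advisory or from xinetd: it models the length accounting the advisory describes (the tail write being handed the full bufsize rather than bufsize - len) as pure arithmetic, and places a corrected formatter beside it. `vsnprintf` stands in for xinetd's `strx_nprintv`; the `line_id`, service-name and message values are constructed.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define LOGBUF_SIZE 1024   /* the advisory's bufsize */

/* Bytes the ORIGINAL accounting would store past a bufsize-byte buffer: the
 * tail write was given the whole bufsize, so it may place up to bufsize-1
 * characters plus a NUL starting at buf + prefix_len. Returns 0 when it fits.
 * Pure arithmetic; no buffer is touched. */
size_t overrun_bytes(size_t bufsize, size_t prefix_len, size_t msg_len)
{
    size_t tail = msg_len < bufsize ? msg_len : bufsize - 1;
    size_t total = prefix_len + tail + 1;          /* +1 for the terminating NUL */
    return total > bufsize ? total - bufsize : 0;
}

/* Corrected formatter: the tail write only receives the space that remains
 * after the "line_id: svc_id " prefix. Returns the number of characters stored. */
int log_line(char *buf, size_t bufsize, const char *line_id,
             const char *svc_id, const char *fmt, ...)
{
    int len = snprintf(buf, bufsize, "%s: %s ", line_id, svc_id);
    if (len < 0) return 0;
    if ((size_t)len >= bufsize) return (int)bufsize - 1;  /* prefix alone filled it */

    size_t space = bufsize - (size_t)len;          /* what is actually left */
    va_list ap;
    va_start(ap, fmt);
    int cc = vsnprintf(&buf[len], space, fmt, ap); /* space, not bufsize */
    va_end(ap);
    if (cc < 0) return len;
    return len + ((size_t)cc >= space ? (int)space - 1 : cc);
}

/* Test hook: pushes a constructed msg_len-character 'A' string (like the
 * advisory's ident payload) through log_line() into a LOGBUF_SIZE buffer and
 * returns strlen() of the result, which can never exceed LOGBUF_SIZE - 1.
 * Returns -1 if the message cannot be built or the return value disagrees. */
int stored_len(const char *line_id, const char *svc_id, size_t msg_len)
{
    char msg[2 * LOGBUF_SIZE];
    char buf[LOGBUF_SIZE];
    if (msg_len >= sizeof msg) return -1;
    memset(msg, 'A', msg_len);
    msg[msg_len] = '\0';
    int n = log_line(buf, sizeof buf, line_id, svc_id, "%s", msg);
    return (size_t)n == strlen(buf) ? n : -1;
}
```

With the advisory's 1010-character message, `overrun_bytes` shows how the original call overruns once the prefix grows, while `log_line` truncates at 1023 characters regardless of service-name length.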