potential buffer overflow in xinetd-2.1.8.9pre11-1

From: zen-parseat_private
Date: Fri Jun 08 2001 - 07:10:41 PDT


    ***************************************************************
     Potential remote overflow fixed in patched version of xinetd
    ***************************************************************
    
    ***************************************************************
     Problem:   potential buffer overflow in xinetd-2.1.8.9pre11-1
    ***************************************************************
    
    ***************************************************************
        Fix:  update to xinetd-2.1.8.9pre15-2 (for Red Hat users)
    ***************************************************************
    
    Please note:  This does not seem to be exploitable on a default
    setup RH 7.0 machine. However, there may be other distributions/
    configurations in which it is used where it is exploitable.
    
    
    ***************************************************************
                       Details of the problem
    ***************************************************************
    
    svc_logprint (in xinetd/log.c) has a slight bug which may allow remote
    root access.
    
    
    ...
            len = strx_nprint( buf, bufsize, "%s: %s ", line_id, SVC_ID( sp ) ) ;
            va_start( ap, fmt ) ;
    *->     cc = strx_nprintv( &buf[ len ], bufsize, fmt, ap ) ;
            va_end( ap ) ;
    ...
    (bufsize=sizeof(buf) ==  LOGBUF_SIZE = 1024)
    
    If an argument to the marked line is longer than (bufsize-len) then it
    will overflow the string.
    
    The ident feature allows returning 1024 bytes of information, and that
    information, less the source,dest: component and the \r\n, is passed
    to svc_logprint() as an argument. For example:
    1024,21:USERID:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...AA\r\n
    such that the string totals 1024 characters.
    
    If a malicious root user were to connect, he could set his own source
    port to something like 1, which would gain him another 3-4 characters:
    1,21:USERID:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...AAAAA\r\n
    
    The string is then truncated at the \r:
    
    (xinetd/ident.c)
    ...
           svc_logprint( SERVER_CONNSERVICE( serp ), USERID_ENTRY, "%s", p ) ;
    ...
    
    p would then be a string 1010 characters long.
    If strlen(line_id)+strlen(SVC_ID( sp )) > 14 then we have a buffer
    overflow.
    
    With the ftp service I was only able to get a 1022 byte buffer written,
    but with other services with longer names that use authentication,
    this could be a serious problem.
    
    The server is still running as root while this happens.
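    The size-argument mistake described above, as an added example (this is
    not xinetd's code): svc_logprint's two-step write is re-created with the
    C library's snprintf/vsnprintf standing in for strx_nprint/strx_nprintv,
    which are assumed here to behave the same way. overflow_bytes() computes,
    without writing anything, how far the original call pattern would place
    bytes past the end of a LOGBUF_SIZE buffer for a given line_id, service
    name and argument length; format_log_line() is the hardened form, which
    bounds the second write by the space remaining after the prefix. The
    service name "some-long-service-name" and the 1010-byte ident body are
    constructed values, not taken from any real configuration.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define LOGBUF_SIZE 1024   /* sizeof(buf) in svc_logprint, per the advisory */

/* Characters occupied by the "%s: %s " prefix (excluding the NUL). */
static size_t prefix_len(const char *line_id, const char *svc_id)
{
    return strlen(line_id) + strlen(svc_id) + 3;
}

/* Bytes the ORIGINAL pattern would place past the end of a bufsize-byte
 * buffer, computed arithmetically. The second write starts at buf[len] but
 * is bounded by the full bufsize rather than by bufsize-len, so it may put
 * up to min(arglen, bufsize-1) characters plus a NUL at that offset. */
size_t overflow_bytes(size_t bufsize, const char *line_id, const char *svc_id,
                      size_t arglen)
{
    if (bufsize == 0)
        return 0;
    size_t len = prefix_len(line_id, svc_id);
    if (len >= bufsize)
        len = bufsize - 1;                       /* first snprintf truncates */
    size_t body = arglen < bufsize - 1 ? arglen : bufsize - 1;
    size_t end = len + body + 1;                 /* +1 for the terminating NUL */
    return end > bufsize ? end - bufsize : 0;
}

/* Hardened variant: the second write is bounded by the REMAINING space.
 * Returns the length of the (possibly truncated) string left in buf,
 * or -1 on a formatting error. */
int format_log_line(char *buf, size_t bufsize, const char *line_id,
                    const char *svc_id, const char *fmt, ...)
{
    int len = snprintf(buf, bufsize, "%s: %s ", line_id, svc_id);
    if (len < 0)
        return -1;
    if ((size_t)len >= bufsize)
        return (int)bufsize - 1;                 /* prefix alone filled it */
    va_list ap;
    va_start(ap, fmt);
    int cc = vsnprintf(&buf[len], bufsize - (size_t)len, fmt, ap);
    va_end(ap);
    if (cc < 0)
        return -1;
    return (int)strlen(buf);                     /* reflects any truncation */
}

/* Demonstration helper: logs a constructed 1010-byte ident body (the
 * longest the advisory says survives the \r truncation) for the given
 * service name through the hardened formatter and returns the length kept. */
int hardened_demo_len(const char *svc_id)
{
    char buf[LOGBUF_SIZE];
    char reply[1011];
    memset(reply, 'A', 1010);
    reply[1010] = '\0';
    return format_log_line(buf, sizeof buf, "USERID", svc_id, "%s", reply);
}

int main(void)
{
    /* "ftp" reproduces the 1022-character line the advisory mentions. */
    printf("ftp: %zu bytes past end of buffer\n",
           overflow_bytes(LOGBUF_SIZE, "USERID", "ftp", 1010));
    /* A constructed longer service name pushes the original pattern over. */
    printf("some-long-service-name: %zu bytes past end of buffer\n",
           overflow_bytes(LOGBUF_SIZE, "USERID", "some-long-service-name", 1010));
    printf("hardened, ftp: %d chars kept\n", hardened_demo_len("ftp"));
    printf("hardened, long name: %d chars kept (truncated, buffer intact)\n",
           hardened_demo_len("some-long-service-name"));
    return 0;
}
```

    The check to carry away is the one on the hardened second write: once
    len bytes of prefix have been emitted, the space left is bufsize - len,
    and any bound that ignores len lets a long argument run off the end of
    the buffer exactly as the advisory describes. Passing the remaining
    space instead turns the long ident body into a truncated log line.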
    
    
    --zen-parse
    


