Linux Today: Linux News On Internet Time.

SuSE Linux 6.x 7.0 Ident buffer overflow

Nov 28, 2000, 23:03 (0 Talkback[s])
(Other stories by Niels Heinen)

Date: Tue, 28 Nov 2000 17:20:11 +0100
From: Niels Heinen niels.heinen@UBIZEN.COM
Subject: SuSE Linux 6.x 7.0 Ident buffer overflow

Subject: Ident buffer overflow
Platforms: SuSE Linux 6.x 7.0
Risk Level: High
Author: Niels Heinen
Vendor Status: Notified patches will be available today.

Impact of the vulnerability:

This advisory details a buffer overflow vulnerability under SuSE Linux that can enable a malicious user to cause Identification Protocol (Ident) handling to crash. Due to the overflow, the system will no longer be able to establish certain connections which use Ident, for example IRC (Internet Relay Chat) connections. If the Ident daemon is not running, users wishing to connect to IRC will not be allowed to make a connection. In the this case the vulnerability could be used in a denial of service attack to keep a person of irc. It's not clear at this present time whether this vulnerability could be exploited in such a way that arbitrary code is executed. If so, this will happen with the privileges of the user "nobody" in a default installation.

Who's vulnerable ?

This vulnerability has been tested on SuSE version 6.x and version 7.0. Previous versions may also be affected. Further testing will reveal whether other Linux distributions are vulnerable.

Technical description:

By sending longer than expected strings to the identd port, a remote

attacker can crash the daemon. The daemon will also fail to leave any log message given the right length of he string. Seeing the following in the logfile (/var/log/messages)

date: suse-machine in.identd[xxx]: s_snprintf(...) = ?: buffer overrun

is a clear indication of being attacked by a message length producing log entries. Some other Linux distributions are not vulnerable in the same way, but have to be looked at for suspicious log entries. Another test machine running Red Hat issued here a "Full buffer closing connection" error.


If you don't need the Ident, you can keep risk lowest by disabling the ident deamon. This can be done by editing /etc/rc.config. Look for a line like below:


Change the yes value into no and save the file. After that type as root
killall -9 in.identd
to stop the ident deamon.

More information:

Bug finder: Niels Heinen (niels.heinen@ubizen.com)

Suse web site:
Suse security email: security@suse.com
SecurityWatch.com: http://www.securitywatch.com
Ident RFC: http://andrew2.andrew.cmu.edu/rfc/rfc1413.html

The Disclaimer:

All documents and services are provided as is. Ubizen expressly disclaims all warranties, express or implied, including without limitation any implied warranties of merchantability or fitness for a particular purpose, and warranties as to accuracy, completeness or adequacy of information. Ubizen cannot be held accountable for any incorrect or erroneous information. By using the provided documents or services, the user assumes all risks.