SuSE Linux 6.x 7.0 Ident buffer overflowNov 28, 2000, 23:03 (0 Talkback[s])
(Other stories by Niels Heinen)
Date: Tue, 28 Nov 2000 17:20:11 +0100
Subject: Ident buffer overflow
Impact of the vulnerability:
This advisory details a buffer overflow vulnerability under SuSE Linux that can enable a malicious user to cause Identification Protocol (Ident) handling to crash. Due to the overflow, the system will no longer be able to establish certain connections which use Ident, for example IRC (Internet Relay Chat) connections. If the Ident daemon is not running, users wishing to connect to IRC will not be allowed to make a connection. In the this case the vulnerability could be used in a denial of service attack to keep a person of irc. It's not clear at this present time whether this vulnerability could be exploited in such a way that arbitrary code is executed. If so, this will happen with the privileges of the user "nobody" in a default installation.
Who's vulnerable ?
This vulnerability has been tested on SuSE version 6.x and version 7.0. Previous versions may also be affected. Further testing will reveal whether other Linux distributions are vulnerable.
By sending longer than expected strings to the identd port, a remote
attacker can crash the daemon. The daemon will also fail to leave any log message given the right length of he string. Seeing the following in the logfile (/var/log/messages)
date: suse-machine in.identd[xxx]: s_snprintf(...) = ?: buffer overrun
is a clear indication of being attacked by a message length producing log entries. Some other Linux distributions are not vulnerable in the same way, but have to be looked at for suspicious log entries. Another test machine running Red Hat issued here a "Full buffer closing connection" error.
If you don't need the Ident, you can keep risk lowest by disabling the ident deamon. This can be done by editing /etc/rc.config. Look for a line like below:
Change the yes value into no and save the file. After that type
Bug finder: Niels Heinen (firstname.lastname@example.org)
All documents and services are provided as is. Ubizen expressly disclaims all warranties, express or implied, including without limitation any implied warranties of merchantability or fitness for a particular purpose, and warranties as to accuracy, completeness or adequacy of information. Ubizen cannot be held accountable for any incorrect or erroneous information. By using the provided documents or services, the user assumes all risks.