Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Linux :: Apps N-Z :: xinetd~1.htm

xinetd-2.1.8.9pre11-1 possible remote root



Vulnerability

    xinetd

Affected

    xinetd-2.1.8.9pre11-1

Description

    zen-parse found following.  This  does not seem to be  exploitable
    in a default  setup RH 7.0  machine.  However  there may be  other
    distributions/  configutations  that  it  is  used  in where it is
    explotable.

    svc_logprint (in xinetd/log.c)  has a slight  bug which may  allow
    remote root access.

        ...
                len = strx_nprint( buf, bufsize, "%s: %s ", line_id, SVC_ID( sp
        ) ) ;
                va_start( ap, fmt ) ;
        *->    cc = strx_nprintv( &buf[ len ], bufsize, fmt, ap ) ;
                va_end( ap ) ;
        ...
        (bufsize=sizeof(buf) ==  LOGBUF_SIZE = 1024)

    If an  argument to  the marked  line is  longer than (bufsize-len)
    then it will overflow the string.

    The ident feature allows returning 1024 bytes of information,  and
    that information, less the  source,dest: componant and the  \r\n s
    passed to svc_logprint() as an argument.

        1024,21:USERID:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...AA\r\n

    such that the string totals 1024 characters for example.

    If a  malicious root  user was  to connect,  he could  set his own
    source port to something like 1, which would gain him another  3-4
    characters.

        1,21:USERID:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...AAAAA\r\n

    The string is then truncated at the \r

        (xinetd/ident.c)
        ...
               svc_logprint( SERVER_CONNSERVICE( serp ), USERID_ENTRY, "%s", p )
        ;
        ...

    p   would   then   be   a   string   1010   characters  long.   if
    strlen(line_id)+strlen(SVC_ID( sp  ) )>14  then we  have a  buffer
    overflow.

    With the ftp service we were  only able to get a 1022  byte buffer
    written  but  with  other  services  with  longer  names  that use
    authentication, this could be a serious problem.

    The server is still running as root while this happens.

Solution

    Update to xinetd-2.1.8.9pre15-2 (for redhat ppl).  For Immunix:

        http://download.immunix.org/ImmunixOS/7.0/updates/RPMS/xinetd-2.1.8.9pre15-2_imnx.i386.rpm
        http://download.immunix.org/ImmunixOS/7.0/updates/SRPMS/xinetd-2.1.8.9pre15-2_imnx.src.rpm

    For Conectiva Linux:

        ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/xinetd-2.1.8.9pre16-1U60_1cl.src.rpm
        ftp://atualizacoes.conectiva.com.br/6.0/RPMS/xinetd-2.1.8.9pre16-1U60_1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/6.0/RPMS/xinetd-devel-2.1.8.9pre16-1U60_1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/6.0/RPMS/xinetd-devel-static-2.1.8.9pre16-1U60_1cl.i386.rpm

    For Debian Linux:

        http://security.debian.org/dists/stable/updates/main/source/xinetd_2.1.8.8.p3-1.1.diff.gz
        http://security.debian.org/dists/stable/updates/main/source/xinetd_2.1.8.8.p3-1.1.dsc
        http://security.debian.org/dists/stable/updates/main/source/xinetd_2.1.8.8.p3.orig.tar.gz
        http://security.debian.org/dists/stable/updates/main/binary-alpha/xinetd_2.1.8.8.p3-1.1_alpha.deb
        http://security.debian.org/dists/stable/updates/main/binary-arm/xinetd_2.1.8.8.p3-1.1_arm.deb
        http://security.debian.org/dists/stable/updates/main/binary-i386/xinetd_2.1.8.8.p3-1.1_i386.deb
        http://security.debian.org/dists/stable/updates/main/binary-m68k/xinetd_2.1.8.8.p3-1.1_m68k.deb
        http://security.debian.org/dists/stable/updates/main/binary-powerpc/xinetd_2.1.8.8.p3-1.1_powerpc.deb
        http://security.debian.org/dists/stable/updates/main/binary-sparc/xinetd_2.1.8.8.p3-1.1_sparc.deb

    For Immunix OS:

        http://download.immunix.org/ImmunixOS/7.0/updates/RPMS/xinetd-2.3.0-1_imnx.i386.rpm
        http://download.immunix.org/ImmunixOS/7.0/updates/SRPMS/xinetd-2.3.0-1_imnx.src.rpm

    For Mandrake Linux:

        Linux-Mandrake 7.2: 7.2/RPMS/xinetd-2.3.0-1.2mdk.i586.rpm
                            7.2/SRPMS/xinetd-2.3.0-1.2mdk.src.rpm
        Mandrake Linux 8.0: 8.0/RPMS/xinetd-2.3.0-1.1mdk.i586.rpm
                            8.0/RPMS/xinetd-ipv6-2.3.0-1.1mdk.i586.rpm
                            8.0/SRPMS/xinetd-2.3.0-1.1mdk.src.rpm
Single Network Firewall 7.2: snf7.2/RPMS/xinetd-2.3.0-1.2mdk.i586.rpm
                             snf7.2/SRPMS/xinetd-2.3.0-1.2mdk.src.rpm

    For RedHat:

        ftp://updates.redhat.com/7.0/en/os/SRPMS/xinetd-2.3.0-1.71.src.rpm
        ftp://updates.redhat.com/7.0/en/os/alpha/xinetd-2.3.0-1.71.alpha.rpm
        ftp://updates.redhat.com/7.0/en/os/i386/xinetd-2.3.0-1.71.i386.rpm
        ftp://updates.redhat.com/7.1/en/os/SRPMS/xinetd-2.3.0-1.71.src.rpm
        ftp://updates.redhat.com/7.1/en/os/alpha/xinetd-2.3.0-1.71.alpha.rpm
        ftp://updates.redhat.com/7.1/en/os/i386/xinetd-2.3.0-1.71.i386.rpm


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH