Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!

TUCoPS :: Linux :: Apps N-Z :: xinetd~1.htm

xinetd- possible remote root





    zen-parse found following.  This  does not seem to be  exploitable
    in a default  setup RH 7.0  machine.  However  there may be  other
    distributions/  configutations  that  it  is  used  in where it is

    svc_logprint (in xinetd/log.c)  has a slight  bug which may  allow
    remote root access.

                len = strx_nprint( buf, bufsize, "%s: %s ", line_id, SVC_ID( sp
        ) ) ;
                va_start( ap, fmt ) ;
        *->    cc = strx_nprintv( &buf[ len ], bufsize, fmt, ap ) ;
                va_end( ap ) ;
        (bufsize=sizeof(buf) ==  LOGBUF_SIZE = 1024)

    If an  argument to  the marked  line is  longer than (bufsize-len)
    then it will overflow the string.

    The ident feature allows returning 1024 bytes of information,  and
    that information, less the  source,dest: componant and the  \r\n s
    passed to svc_logprint() as an argument.


    such that the string totals 1024 characters for example.

    If a  malicious root  user was  to connect,  he could  set his own
    source port to something like 1, which would gain him another  3-4


    The string is then truncated at the \r

               svc_logprint( SERVER_CONNSERVICE( serp ), USERID_ENTRY, "%s", p )

    p   would   then   be   a   string   1010   characters  long.   if
    strlen(line_id)+strlen(SVC_ID( sp  ) )>14  then we  have a  buffer

    With the ftp service we were  only able to get a 1022  byte buffer
    written  but  with  other  services  with  longer  names  that use
    authentication, this could be a serious problem.

    The server is still running as root while this happens.


    Update to xinetd- (for redhat ppl).  For Immunix:

    For Conectiva Linux:

    For Debian Linux:

    For Immunix OS:

    For Mandrake Linux:

        Linux-Mandrake 7.2: 7.2/RPMS/xinetd-2.3.0-1.2mdk.i586.rpm
        Mandrake Linux 8.0: 8.0/RPMS/xinetd-2.3.0-1.1mdk.i586.rpm
Single Network Firewall 7.2: snf7.2/RPMS/xinetd-2.3.0-1.2mdk.i586.rpm

    For RedHat:

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2015 AOH