List: linux-security-audit
Subject: Audited: xinetd "ident" code
From: Chris Evans <chris () ferret ! lmh ! ox ! ac ! uk>
Date: 2000-11-14 20:16:08
Hi,

Had a quick look at a _critical_ piece of code in xinetd. xinetd will, if
configured to do so, perform a remote identd connect and lookup on
incoming connections.

Unfortunately, RedHat7.0 contains this option, "USERID", in several
default config service files, including wu-ftpd and telnetd.

Obviously, any flaw in xinetd's ident response parsing code is good for a
remote vulnerability. I audited it and it looks OK, which is thankful :)

Comments

- It looks like a process is forked specifically to do the ident lookup
and log the result. If possible, this subprocess should drop root privs,
for safety (if it doesn't already). Going to a chroot() jail might be
feasible.

- Bad ident responses get stuffed straight into the syslog.
That's OK I guess, and I checked the syslog() calls for format string
vulnerabilities - passed.

- If the remote ident response contains a "%m", it gets expanded before it
gets logged. No vulnerability, just a curiosity.

Obviously, more eyes on this would be appreciated. Any lurker care to
check the code out? It's not a large lump.

Cheers
Chris
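The two checks the post describes, bounded parsing of the ident reply and keeping untrusted text out of the log format string, as an added example written for this archive page; it is not xinetd's code and does not reproduce it. The RFC 1413 reply layout ("port, port : USERID : opsys : userid") is real; the 64-character user-id limit, the struct and function names, and the sample replies are constructed for the example. Because the reply is always passed as a "%s" argument, a "%m" (or "%n") inside it stays a literal string rather than being interpreted as a conversion; glibc only expands "%m" when it appears in the format string itself.

```c
/* Added example: bounded RFC 1413 reply parsing and format-safe logging.
 * Not xinetd's code; names and limits below are assumptions for the demo. */
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define IDENT_ID_MAX 64   /* assumed local cap on the user-id field */

struct ident_reply {
    int  server_port;
    int  client_port;
    char opsys[16];
    char userid[IDENT_ID_MAX + 1];
};

/* Strip leading and trailing whitespace in place; returns pointer into s. */
static char *trim(char *s)
{
    while (*s && isspace((unsigned char)*s))
        s++;
    size_t n = strlen(s);
    while (n > 0 && isspace((unsigned char)s[n - 1]))
        s[--n] = '\0';
    return s;
}

/* Parse "<server-port>, <client-port> : USERID : <opsys> : <userid>".
 * Returns 0 for a well-formed USERID reply, -1 for anything else
 * (ERROR replies, missing fields, bad ports, oversized fields).
 * Every copy into the fixed-size struct is length-checked first, so an
 * overlong reply is rejected instead of overflowing a buffer. */
int ident_parse(const char *line, struct ident_reply *out)
{
    char buf[1024];
    if (strlen(line) >= sizeof buf)
        return -1;
    strcpy(buf, line);                       /* safe: length checked above */

    char *save;
    char *ports = strtok_r(buf,  ":",    &save);
    char *type  = strtok_r(NULL, ":",    &save);
    char *opsys = strtok_r(NULL, ":",    &save);
    char *user  = strtok_r(NULL, "\r\n", &save); /* userid may itself contain ':' */
    if (!ports || !type || !opsys || !user)
        return -1;

    if (sscanf(ports, "%d , %d", &out->server_port, &out->client_port) != 2)
        return -1;
    if (out->server_port < 1 || out->server_port > 65535 ||
        out->client_port < 1 || out->client_port > 65535)
        return -1;
    if (strcmp(trim(type), "USERID") != 0)
        return -1;

    opsys = trim(opsys);
    user  = trim(user);
    if (strlen(opsys) >= sizeof out->opsys || strlen(user) > IDENT_ID_MAX)
        return -1;
    strcpy(out->opsys, opsys);
    strcpy(out->userid, user);
    return 0;
}

/* Build the line that would be handed to syslog(). The untrusted reply is
 * passed as a "%s" argument, never as the format string, so conversion
 * specifiers inside it are inert. The pattern to avoid is the one-argument
 * form, e.g. syslog(LOG_INFO, raw_reply), which treats attacker-controlled
 * text as a format string. Returns the snprintf() length, or -1 on error. */
int ident_log_line(char *dst, size_t dstlen, const char *peer, const char *raw_reply)
{
    return snprintf(dst, dstlen, "ident reply from %s: %s", peer, raw_reply);
}

int main(void)
{
    /* Constructed sample replies, not captured traffic. */
    struct ident_reply r;
    char line[256];
    if (ident_parse("6193, 23 : USERID : UNIX : stjohns\r\n", &r) == 0)
        printf("user %s (%s) on %d->%d\n", r.userid, r.opsys,
               r.server_port, r.client_port);
    ident_log_line(line, sizeof line, "203.0.113.5", "6193, 23 : USERID : UNIX : %n%m");
    puts(line);                              /* "%n%m" survives as literal text */
    return 0;
}
```

The parser is deliberately strict: an ERROR reply or a truncated line is reported as a failure for the caller to log, which mirrors the post's observation that bad responses end up in syslog, but only ever as a "%s" argument.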