
List:       linux-security-audit
Subject:    Audited: xinetd "ident" code
From:       Chris Evans <chris () ferret ! lmh ! ox ! ac ! uk>
Date:       2000-11-14 20:16:08


Hi,

Had a quick look at a _critical_ piece of code in xinetd. xinetd will, if
configured to do so, perform a remote identd connect and lookup on
incoming connections.

Unfortunately, RedHat7.0 contains this option, "USERID", in several
default config service files, including wu-ftpd and telnetd.

Obviously, any flaw in xinetd's ident response parsing code is good for a
remote vulnerability. I audited it and it looks OK, which is thankful :)

Comments

- It looks like a process is forked specifically to do the ident lookup
and log the result. If possible, this subprocess should drop root privs,
for safety (if it doesn't already). Going to a chroot() jail might be
feasible.
- Bad ident responses get stuffed straight into the syslog.
That's OK I guess, and I checked the syslog() calls for format string
vulnerabilities - passed.
- If the remote ident response contains a "%m", it gets expanded before it
gets logged. No vulnerability, just a curiosity.


Obviously, more eyes on this would be appreciated. Any lurker care to
check the code out? It's not a large lump.

Cheers
Chris
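As an added illustration of the format-string point raised in the mail (example code written for this page, not xinetd's own): an ident reply is attacker-controlled text, so it must reach syslog()/snprintf() only as an argument to a fixed format, never as the format itself. The peer address and reply text are constructed sample values; the "%m" expansion shown relies on glibc.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Build the log line with a FIXED format. Any '%' inside reply is copied
 * verbatim by "%s". Returns characters written, or -1 if it did not fit. */
int format_ident_log(char *out, size_t outlen, const char *peer,
                     const char *reply)
{
    int n = snprintf(out, outlen, "ident reply from %s: %s", peer, reply);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return n;
}

/* The "%m" curiosity: glibc expands "%m" in a format string to
 * strerror(errno). Written as a literal by the programmer it is harmless;
 * it only matters when untrusted text is (wrongly) used as the format. */
const char *expand_m_directive(char *out, size_t outlen, int err)
{
    errno = err;
    snprintf(out, outlen, "%m");
    return out;
}

/* Pattern to avoid, shown only in this comment:
 *     syslog(LOG_INFO, reply);      -- reply becomes the format string
 * The safe call below passes the built line through "%s". */
void log_ident_reply(const char *peer, const char *reply)
{
    char line[256];
    if (format_ident_log(line, sizeof line, peer, reply) < 0) {
        syslog(LOG_WARNING, "ident reply from %s too long, not logged", peer);
        return;
    }
    syslog(LOG_INFO, "%s", line);
}

int main(void)
{
    char buf[64];
    /* Constructed hostile reply carrying format directives. */
    log_ident_reply("192.0.2.10", "113, 2345 : USERID : UNIX : %m%n%s");
    printf("%%m expands to: %s\n", expand_m_directive(buf, sizeof buf, ENOENT));
    return 0;
}
```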
