[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

potential buffer overflow in xinetd- (fwd)

Hi there!
What do you think of this? is vulnerable? I checked the source code
for my potato xinetd and it doesn't  look like it is...
Any opinions?
Miquel Martín

----- Forwarded message from zen-parse@gmx.net -----

Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm
List-Id: <bugtraq.list-id.securityfocus.com>
List-Post: <mailto:bugtraq@securityfocus.com>
List-Help: <mailto:bugtraq-help@securityfocus.com>
List-Unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
List-Subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
Date: Sat, 9 Jun 2001 02:10:41 +1200 (NZST)
From: <zen-parse@gmx.net>
X-X-Sender:  <zen-parse@clarity.local>
To: <bugtraq@securityfocus.com>
Subject: potential buffer overflow in xinetd-
Resent-To: Administrador del Sistema <admin@casal.upc.es>
Resent-To: Miquel Martín López <miquel@casal.upc.es>

 Potential remote overflow fixed in patched version of xinetd

 Problem:   potential buffer overflow in xinetd-

    Fix:  update to xinetd- (for redhat ppl)

Please note:  This does not seem to be exploitable in a default
setup RH 7.0 machine. However There may be other distributions/
configutations that it is used in where it is explotable.

                   Details of the problem

svc_logprint (in xinetd/log.c) has a slight bug which may allow remote
root access.

        len = strx_nprint( buf, bufsize, "%s: %s ", line_id, SVC_ID( sp
) ) ;
        va_start( ap, fmt ) ;
*->    cc = strx_nprintv( &buf[ len ], bufsize, fmt, ap ) ;
        va_end( ap ) ;
(bufsize=sizeof(buf) ==  LOGBUF_SIZE = 1024)

If an argument to the marked line is longer than (bufsize-len) then it
will overflow the string.

The ident feature allows returning 1024 bytes of information, and that
information, less the
source,dest: componant and the \r\n s passed to svc_logprint() as an
such that the string totals 1024 characters for example.

If a malicious root user was to connect, he could set his own source
port to something like 1,
which would gain him another 3-4 characters.

The string is then truncated at the \r

       svc_logprint( SERVER_CONNSERVICE( serp ), USERID_ENTRY, "%s", p )

p would then be a string 1010 characters long.
if strlen(line_id)+strlen(SVC_ID( sp ) )>14 then we have a buffer

With the ftp service I was only able to get a 1022 byte buffer written
but with other services
with longer names that use authentication, this could be a serious

The server is still running as root while this happens.


----- End forwarded message -----

----- End forwarded message -----

Reply to: