COMMAND

    ident

SYSTEMS AFFECTED

    SuSE Linux 6.x 7.0

PROBLEM

    Niels Heinen found the following.  This advisory details a buffer
    overflow vulnerability under SuSE Linux that can enable a
    malicious user to cause Identification Protocol (Ident) handling
    to crash.  Due to the overflow, the system will no longer be able
    to establish certain connections which use Ident, for example IRC
    (Internet Relay Chat) connections.  If the Ident daemon is not
    running, users wishing to connect to IRC will not be allowed to
    make a connection.  In this case the vulnerability could be used
    in a denial of service attack to keep a person off IRC.  It's not
    clear at this time whether this vulnerability could be exploited
    in such a way that arbitrary code is executed.  If so, this will
    happen with the privileges of the user "nobody" in a default
    installation.

    This  vulnerability  has  been  tested  on  SuSE  version  6.x and
    version 7.0.   Previous versions  may also  be affected.   Further
    testing  will  reveal  whether   other  Linux  distributions   are
    vulnerable.

    By sending longer than expected strings to the identd port, a
    remote attacker can crash the daemon.  Given the right length of
    the string, the daemon will also fail to leave any log message.
    Seeing the following in the logfile (/var/log/messages)

        date: suse-machine in.identd[xxx]: s_snprintf(...) = ?: buffer overrun

    is a clear indication of being attacked with a message length
    that still produces log entries.  Some other Linux distributions
    are not vulnerable in the same way, but should still be checked
    for suspicious log entries.  Another test machine running Red Hat
    issued a "Full buffer closing connection" error here.
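    The log entries above are the only on-host indicator the advisory
    gives, so a defender will want to scan /var/log/messages for them.
    The following is an added example, not code from the advisory or
    from any identd implementation: a small classifier for the two
    message shapes named above (the SuSE "buffer overrun" entry and the
    Red Hat "Full buffer closing connection" entry).  The sample log
    lines, hostnames, PIDs and addresses in it are constructed.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added example, not part of the advisory: classify syslog lines that
 * the advisory says indicate an oversized ident request.  The sample
 * lines below are constructed; hostnames, PIDs and addresses are made up.
 */

enum ident_event {
    IDENT_NORMAL = 0,      /* nothing ident-related worth flagging */
    IDENT_SUSE_OVERRUN,    /* SuSE in.identd: "s_snprintf(...) = ?: buffer overrun" */
    IDENT_REDHAT_FULLBUF   /* Red Hat identd: "Full buffer closing connection" */
};

/* Classify one /var/log/messages line by the two patterns from the advisory. */
enum ident_event classify_ident_line(const char *line)
{
    if (strstr(line, "in.identd[") && strstr(line, "buffer overrun"))
        return IDENT_SUSE_OVERRUN;
    if (strstr(line, "identd[") && strstr(line, "Full buffer closing connection"))
        return IDENT_REDHAT_FULLBUF;
    return IDENT_NORMAL;
}

/* Count flagged lines; returns the total and fills the per-kind counters. */
int count_ident_events(const char *const *lines, size_t nlines,
                       int *suse_overruns, int *redhat_fullbufs)
{
    int total = 0;
    *suse_overruns = 0;
    *redhat_fullbufs = 0;
    for (size_t i = 0; i < nlines; i++) {
        switch (classify_ident_line(lines[i])) {
        case IDENT_SUSE_OVERRUN:   (*suse_overruns)++;   total++; break;
        case IDENT_REDHAT_FULLBUF: (*redhat_fullbufs)++; total++; break;
        default: break;
        }
    }
    return total;
}

/* Constructed sample log, shaped like the advisory's example entry. */
static const char *const sample_log[] = {
    "Mar  3 12:00:01 suse-machine in.identd[1234]: s_snprintf(...) = ?: buffer overrun",
    "Mar  3 12:00:02 suse-machine sshd[999]: Accepted publickey for alice",
    "Mar  3 12:00:03 suse-machine in.identd[1235]: s_snprintf(...) = ?: buffer overrun",
    "Mar  3 12:00:04 rh-box identd[77]: Full buffer closing connection",
    "Mar  3 12:00:05 suse-machine in.identd[1236]: reply to 192.0.2.10: 6667, 1234 : USERID : UNIX : bob",
};

int main(void)
{
    int suse, rh;
    int total = count_ident_events(sample_log,
                                   sizeof sample_log / sizeof sample_log[0],
                                   &suse, &rh);
    printf("flagged %d lines: %d SuSE overruns, %d Red Hat full-buffer\n",
           total, suse, rh);
    return 0;
}
```

    Because the advisory notes that a string of the right length
    crashes the daemon without leaving any log entry, an empty result
    from this scan is not proof that nothing happened; pairing it with
    a check that in.identd is still running closes that gap.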

SOLUTION

    If you don't need Ident, you can keep the risk lowest by disabling
    the ident daemon.  This can be done by editing /etc/rc.config.
    Look for a line like the one below:

        START_INDENTD="yes"

    Change the value "yes" to "no" and save the file.  After that, as
    root, type "killall -9 in.identd" to stop the ident daemon.

    It turned out that the daemon dies because of a misinterpretation
    of the return value of vsnprintf() (which was subject to a change
    in glibc 2.1).  Upon detecting that the buffer is too short to
    hold the data, the daemon decides to "int *p = (int *) NULL; *p =
    4711;", or, in other words, to segfault and commit suicide.  This
    is bright because a return address on the stack that might have
    been overwritten is never used (an actual buffer overflow doesn't
    take place, though).  On the other hand, it's not very bright,
    since the auth service is denied as a consequence of the daemon
    shooting itself in the foot.  The risk imposed by the crashed
    daemon is considerably low.
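    The vsnprintf() change referred to above is the move from the old
    convention (return -1 when the buffer is too short) to the C99 one
    (return the length the full string would have had).  The following
    is an added example, not code from the advisory or from in.identd:
    it puts a check written for the old convention beside the correct
    C99 check, and shows a caller that treats truncation as a rejected
    request instead of aborting the daemon.  The helper format_into()
    and the sample requests are constructed for the illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not code from the advisory or from in.identd.
 * A check written for the pre-glibc-2.1 convention ("vsnprintf()
 * returns -1 when the buffer is too short") misjudges truncation once
 * vsnprintf() follows C99 ("returns the length the full string would
 * have had").  A defensive caller refuses the oversized request and
 * keeps serving rather than crashing the daemon.
 */

/* Hypothetical helper: format into a fixed buffer and return
 * vsnprintf()'s raw result so the callers below can interpret it. */
static int format_into(char *buf, size_t size, const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(buf, size, fmt, ap);
    va_end(ap);
    return n;
}

/* Pre-2.1 interpretation: "it fit unless the return value is negative".
 * On a C99 libc this reports success even though buf was truncated. */
int legacy_fits(char *buf, size_t size, const char *input)
{
    int n = format_into(buf, size, "%s", input);
    return n >= 0;
}

/* C99 interpretation: truncated if n < 0 or n >= size. */
int c99_fits(char *buf, size_t size, const char *input)
{
    int n = format_into(buf, size, "%s", input);
    return n >= 0 && (size_t)n < size;
}

/* Defensive request handler: an oversized request is refused (return 0)
 * and its partial data discarded; buf stays NUL-terminated either way
 * and the process keeps running. */
int handle_request(char *buf, size_t size, const char *request)
{
    if (!c99_fits(buf, size, request)) {
        buf[0] = '\0';   /* drop the partial data rather than act on it */
        return 0;        /* caller logs "request too long" and continues */
    }
    return 1;
}

int main(void)
{
    char buf[8];
    const char *short_req = "6667,1";   /* constructed ident query */
    const char *long_req  = "6667,1 followed by far more bytes than expected";
    int ok;

    printf("legacy check, long input: fits=%d (wrong on a C99 libc)\n",
           legacy_fits(buf, sizeof buf, long_req));
    printf("C99 check,    long input: fits=%d\n",
           c99_fits(buf, sizeof buf, long_req));
    ok = handle_request(buf, sizeof buf, long_req);
    printf("handler, long input: accepted=%d buf=\"%s\"\n", ok, buf);
    ok = handle_request(buf, sizeof buf, short_req);
    printf("handler, short input: accepted=%d buf=\"%s\"\n", ok, buf);
    return 0;
}
```

    The point of handle_request() is the contrast with the behaviour
    described above: the truncation is still detected, but the response
    is to refuse one request, not to take the whole auth service down.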