COMMAND
xinetd
SYSTEMS AFFECTED
xinetd-2.1.8.9pre11-1
PROBLEM
zen-parse found the following. This does not seem to be exploitable
in a default setup RH 7.0 machine. However, there may be other
distributions/configurations that it is used in where it is
exploitable.
svc_logprint (in xinetd/log.c) has a slight bug which may allow
remote root access.
...
len = strx_nprint( buf, bufsize, "%s: %s ", line_id, SVC_ID( sp ) ) ;
va_start( ap, fmt ) ;
*-> cc = strx_nprintv( &buf[ len ], bufsize, fmt, ap ) ;
va_end( ap ) ;
...
(bufsize=sizeof(buf) == LOGBUF_SIZE = 1024)
If an argument to the marked line is longer than (bufsize-len)
then it will overflow the string, because the second write is bounded
by the whole buffer size rather than by the space remaining after the prefix.
The ident feature allows returning 1024 bytes of information, and
that information, less the source,dest: component and the \r\n, is
passed to svc_logprint() as an argument.
1024,21:USERID:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...AA\r\n
such that the string totals 1024 characters for example.
If a malicious root user was to connect, he could set his own
source port to something like 1, which would gain him another 3-4
characters.
1,21:USERID:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...AAAAA\r\n
The string is then truncated at the \r
(xinetd/ident.c)
...
svc_logprint( SERVER_CONNSERVICE( serp ), USERID_ENTRY, "%s", p ) ;
...
p would then be a string 1010 characters long. If
strlen(line_id)+strlen(SVC_ID( sp ))>14 then we have a buffer
overflow.
With the ftp service we were only able to get a 1022 byte buffer
written but with other services with longer names that use
authentication, this could be a serious problem.
The server is still running as root while this happens.
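The length-accounting defect above, shown as an added example that is not xinetd's own code: a model of the logging routine with the second formatted write bounded by the remaining space instead of the full buffer size, plus a helper that computes how many bytes the wrongly bounded write would place past the end of the buffer. The prefix, service name and the 1010-byte argument are constructed values; LOGBUF_SIZE mirrors the 1024-byte limit quoted in the advisory.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define LOGBUF_SIZE 1024   /* same limit the advisory quotes for xinetd's log buffer */

/*
 * Added example, not xinetd's code.  Models the bug in svc_logprint:
 * after writing the "line_id: svc_id " prefix, the second formatted
 * write is handed the whole buffer size instead of the space that
 * remains after the prefix.
 */

/* Bytes a second write with the WRONG bound (bufsize) would place beyond
 * the end of buf: prefix, then up to bufsize-1 chars of the argument,
 * then the terminating NUL. */
size_t buggy_overrun_bytes(size_t prefix_len, size_t arg_len, size_t bufsize)
{
    size_t body = arg_len < bufsize - 1 ? arg_len : bufsize - 1;
    size_t written = prefix_len + body + 1;
    return written > bufsize ? written - bufsize : 0;
}

/* Corrected pattern: bound the second write by the remaining space and
 * report truncation instead of silently overrunning.  Returns the final
 * string length, or -1 if even the prefix did not fit. */
int safe_logprint(char *buf, size_t bufsize, const char *line_id,
                  const char *svc_id, const char *fmt, ...)
{
    int len = snprintf(buf, bufsize, "%s: %s ", line_id, svc_id);
    if (len < 0 || (size_t)len >= bufsize)
        return -1;

    va_list ap;
    va_start(ap, fmt);
    int cc = vsnprintf(buf + len, bufsize - (size_t)len, fmt, ap);
    va_end(ap);
    if (cc < 0)
        return -1;

    /* vsnprintf reports what it wanted to write; clamp to what fit */
    if ((size_t)cc >= bufsize - (size_t)len)
        return (int)(bufsize - 1);       /* truncated, still NUL-terminated */
    return len + cc;
}

/* Feed a constructed 1010-byte ident-style argument (the length the
 * advisory cites) through the corrected function; returns strlen(buf). */
size_t demo_truncation(void)
{
    char buf[LOGBUF_SIZE];
    char arg[1011];
    memset(arg, 'A', 1010);
    arg[1010] = '\0';
    /* "10.0.0.1" and "ftp" are constructed identifiers; prefix is 14 bytes */
    int n = safe_logprint(buf, sizeof buf, "10.0.0.1", "ftp", "%s", arg);
    return n < 0 ? 0 : strlen(buf);
}

int main(void)
{
    printf("buggy overrun for prefix 14, arg 1010: %zu byte(s)\n",
           buggy_overrun_bytes(14, 1010, LOGBUF_SIZE));
    printf("corrected result length: %zu\n", demo_truncation());
    return 0;
}
```

The corrected routine passes `bufsize - len` to the second write, so the longest log line it can ever produce is LOGBUF_SIZE-1 characters plus the NUL; the caller sees the clamped length and can log the truncation rather than having the stack silently overwritten.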
SOLUTION
Update to xinetd-2.1.8.9pre15-2 (for Red Hat users). For Immunix:
http://download.immunix.org/ImmunixOS/7.0/updates/RPMS/xinetd-2.1.8.9pre15-2_imnx.i386.rpm
http://download.immunix.org/ImmunixOS/7.0/updates/SRPMS/xinetd-2.1.8.9pre15-2_imnx.src.rpm
For Conectiva Linux:
ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/xinetd-2.1.8.9pre16-1U60_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/xinetd-2.1.8.9pre16-1U60_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/xinetd-devel-2.1.8.9pre16-1U60_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/xinetd-devel-static-2.1.8.9pre16-1U60_1cl.i386.rpm
For Debian Linux:
http://security.debian.org/dists/stable/updates/main/source/xinetd_2.1.8.8.p3-1.1.diff.gz
http://security.debian.org/dists/stable/updates/main/source/xinetd_2.1.8.8.p3-1.1.dsc
http://security.debian.org/dists/stable/updates/main/source/xinetd_2.1.8.8.p3.orig.tar.gz
http://security.debian.org/dists/stable/updates/main/binary-alpha/xinetd_2.1.8.8.p3-1.1_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-arm/xinetd_2.1.8.8.p3-1.1_arm.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/xinetd_2.1.8.8.p3-1.1_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-m68k/xinetd_2.1.8.8.p3-1.1_m68k.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/xinetd_2.1.8.8.p3-1.1_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/xinetd_2.1.8.8.p3-1.1_sparc.deb
For Immunix OS:
http://download.immunix.org/ImmunixOS/7.0/updates/RPMS/xinetd-2.3.0-1_imnx.i386.rpm
http://download.immunix.org/ImmunixOS/7.0/updates/SRPMS/xinetd-2.3.0-1_imnx.src.rpm
For Mandrake Linux:
Linux-Mandrake 7.2: 7.2/RPMS/xinetd-2.3.0-1.2mdk.i586.rpm
7.2/SRPMS/xinetd-2.3.0-1.2mdk.src.rpm
Mandrake Linux 8.0: 8.0/RPMS/xinetd-2.3.0-1.1mdk.i586.rpm
8.0/RPMS/xinetd-ipv6-2.3.0-1.1mdk.i586.rpm
8.0/SRPMS/xinetd-2.3.0-1.1mdk.src.rpm
Single Network Firewall 7.2: snf7.2/RPMS/xinetd-2.3.0-1.2mdk.i586.rpm
snf7.2/SRPMS/xinetd-2.3.0-1.2mdk.src.rpm
For RedHat:
ftp://updates.redhat.com/7.0/en/os/SRPMS/xinetd-2.3.0-1.71.src.rpm
ftp://updates.redhat.com/7.0/en/os/alpha/xinetd-2.3.0-1.71.alpha.rpm
ftp://updates.redhat.com/7.0/en/os/i386/xinetd-2.3.0-1.71.i386.rpm
ftp://updates.redhat.com/7.1/en/os/SRPMS/xinetd-2.3.0-1.71.src.rpm
ftp://updates.redhat.com/7.1/en/os/alpha/xinetd-2.3.0-1.71.alpha.rpm
ftp://updates.redhat.com/7.1/en/os/i386/xinetd-2.3.0-1.71.i386.rpm