Title: Xinetd Buffer Overflow Vulnerability
Severity: CRITICAL
Description:
The possibility for a buffer overflow condition exists in the xinetd daemon.
Xinetd can log, via identd, the user identities of clients connecting to specific services if the client's host supports it. When a client connects to a service, xinetd can contact the identd daemon on the client's host and request the username of the client process.
During this process, a subtle opportunity exists for a buffer overflow condition in xinetd. Xinetd accepts as a response 1024 bytes of data from identd servers. In a response, xinetd expects the source port, destination port, the string 'USERID' and the username. The latter is logged along with the service name. The log string, which includes the username and the service name, is copied into a 1024 byte internal buffer without bounds checking.
It is possible, through careful manipulation of the identd response, to trigger this buffer overflow, because the attacker controls the size of the username that is copied.
The service name is resolved from the port number to which the client is connected. On many Unix systems, ports are mapped to service names in '/etc/services'. This service name is included in the log string along with the identd-provided username. An attacker can increase the size of the string to be logged by connecting to a service that has a long service name.
In addition to this, the attacker can maximize the amount of data in the username by connecting to and from ports which are represented by as few numerals as possible.
If the identd response in total (ports, username, constant string) exceeds 1024 bytes, it is truncated. The attacker must therefore craft a valid identd response that leaves as many bytes as possible for the username.
By maximizing the data in the username field and taking advantage of the inclusion of the service name in the log string, it may be possible to log a string that exceeds 1024 bytes. This oversized string would exploit the unbounded string copy and may corrupt the stack frame, possibly leading to execution of arbitrary code.
If successfully exploited, an attacker would gain root privileges on the affected host. It may also be possible for attackers to crash xinetd, which would result in a denial of service for all services started by xinetd (telnet, ftp, etc.).
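The following is an added example, not xinetd's own code, showing how the identd reply handling described above looks when the copy into the log buffer is bounded. The 1024-byte reply limit and 1024-byte log buffer are the figures from the advisory; USERID_MAX, the function names and the exact log line format are assumptions made for illustration. The unchecked sprintf pattern the advisory describes is shown only in a comment beside its bounded replacement, and the constructed worst case (a very long service name plus a maximal username) shows the line being cut short instead of overrunning the buffer.

```c
/* Added example, not xinetd's own code: bounds-checked handling of an
 * identd (RFC 1413) reply and of the log line built from it. The 1024-byte
 * sizes come from the advisory; USERID_MAX, the function names and the
 * log format are assumptions for illustration. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

#define IDENT_REPLY_MAX 1024  /* bytes xinetd accepts from identd (advisory) */
#define LOG_BUF_SIZE    1024  /* xinetd's internal log buffer (advisory) */
#define USERID_MAX      64    /* assumed cap on a logged user id */

struct ident_reply {
    int src_port;
    int dst_port;
    char userid[USERID_MAX + 1];
};

static const char *skip_ws(const char *p)
{
    while (*p == ' ' || *p == '\t') p++;
    return p;
}

/* Parse "<port>,<port>:USERID:<opsys>:<userid>". Returns 0 on success,
 * -1 for a malformed or ERROR reply, -2 when the userid exceeds USERID_MAX.
 * The reply is copied into a fixed buffer only after its length is checked. */
int parse_ident_reply(const char *reply, struct ident_reply *out)
{
    char buf[IDENT_REPLY_MAX + 1];
    size_t n = strlen(reply);
    if (n > IDENT_REPLY_MAX) return -1;
    memcpy(buf, reply, n + 1);
    while (n > 0 && (buf[n - 1] == '\r' || buf[n - 1] == '\n')) buf[--n] = '\0';

    const char *p = buf;
    char *end;
    long src = strtol(p, &end, 10);
    if (end == p) return -1;
    p = skip_ws(end);
    if (*p++ != ',') return -1;
    long dst = strtol(p, &end, 10);
    if (end == p) return -1;
    p = skip_ws(end);
    if (*p++ != ':') return -1;
    if (src < 1 || src > 65535 || dst < 1 || dst > 65535) return -1;

    p = skip_ws(p);
    if (strncmp(p, "USERID", 6) != 0) return -1;   /* ERROR replies carry no user id */
    p = skip_ws(p + 6);
    if (*p++ != ':') return -1;
    p = strchr(p, ':');                             /* skip the opsys field */
    if (p == NULL) return -1;
    p = skip_ws(p + 1);

    size_t ulen = strlen(p);
    if (ulen == 0) return -1;
    if (ulen > USERID_MAX) return -2;               /* refuse rather than truncate silently */
    for (size_t i = 0; i < ulen; i++)
        if (!isprint((unsigned char)p[i])) return -1;  /* keep control bytes out of the log */

    out->src_port = (int)src;
    out->dst_port = (int)dst;
    memcpy(out->userid, p, ulen + 1);
    return 0;
}

/* Build the log line into a caller-supplied buffer. snprintf returns the
 * length the full line needed; a result >= logsz means the line was cut
 * short, where an unbounded copy would have written past the buffer. */
int format_ident_log(char *logbuf, size_t logsz, const char *service,
                     const struct ident_reply *r)
{
    /* The pattern the advisory describes would be an unbounded
     *   sprintf(logbuf, "USERID: %s %s@%d/%d", service, r->userid, ...); */
    return snprintf(logbuf, logsz, "USERID: %s %s@%d/%d",
                    service, r->userid, r->src_port, r->dst_port);
}

/* Parse then format. Returns the parse error code, or the formatted length. */
int log_ident_reply(const char *reply, const char *service, char *logbuf, size_t logsz)
{
    struct ident_reply r;
    int rc = parse_ident_reply(reply, &r);
    if (rc != 0) { logbuf[0] = '\0'; return rc; }
    return format_ident_log(logbuf, logsz, service, &r);
}

/* Constructed reply with a 200-byte userid: the parser refuses it. */
int demo_oversized_userid(void)
{
    char userid[201], reply[256];
    struct ident_reply r;
    memset(userid, 'a', 200); userid[200] = '\0';
    snprintf(reply, sizeof reply, "1,1:USERID:UNIX:%s\r\n", userid);
    return parse_ident_reply(reply, &r);
}

/* Constructed worst case: a 1010-byte service name plus a maximal userid.
 * Returns strlen of the log buffer, which stays below LOG_BUF_SIZE. */
int demo_long_service(void)
{
    char service[1011], userid[USERID_MAX + 1], reply[128], logbuf[LOG_BUF_SIZE];
    memset(service, 'x', 1010); service[1010] = '\0';
    memset(userid, 'a', USERID_MAX); userid[USERID_MAX] = '\0';
    snprintf(reply, sizeof reply, "1,1:USERID:UNIX:%s\r\n", userid);
    int need = log_ident_reply(reply, service, logbuf, sizeof logbuf);
    if (need < LOG_BUF_SIZE) return -1;  /* expected truncation did not happen */
    return (int)strlen(logbuf);
}

int main(void)
{
    char logbuf[LOG_BUF_SIZE];
    /* constructed reply in the RFC 1413 example format */
    int len = log_ident_reply("6193, 23 : USERID : UNIX : stjohns\r\n", "telnet",
                              logbuf, sizeof logbuf);
    printf("%d: %s\n", len, logbuf);
    printf("oversized userid -> %d\n", demo_oversized_userid());
    printf("long service name -> log length %d\n", demo_long_service());
    return 0;
}
```

The two checks that matter for this advisory are the length test before the reply is copied into the fixed buffer and the use of snprintf with the buffer size for the log line; the USERID_MAX cap is an additional policy choice that keeps attacker-controlled data short before it reaches any logging code.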
Affected Products:
- Conectiva Linux 6.0.0
- MandrakeSoft Linux Mandrake 7.2.0
- MandrakeSoft Linux Mandrake 8.0.0
- MandrakeSoft Single Network Firewall 7.2.0
- RedHat Linux 7.0.0
- RedHat Linux 7.1.0
- RedHat xinetd-2.1.8.9pre14-6.i386.rpm 0.0.0
- RedHat xinetd-2.1.8.9pre9-6.i386.rpm 0.0.0
- Xinetd Xinetd 2.1.8.8
- Xinetd Xinetd 2.1.8.8pre3
- Xinetd Xinetd 2.1.8.9pre1
- Xinetd Xinetd 2.1.8.9pre10
- Xinetd Xinetd 2.1.8.9pre11
- Xinetd Xinetd 2.1.8.9pre12
- Xinetd Xinetd 2.1.8.9pre13
- Xinetd Xinetd 2.1.8.9pre14
- Xinetd Xinetd 2.1.8.9pre2
- Xinetd Xinetd 2.1.8.9pre3
- Xinetd Xinetd 2.1.8.9pre4
- Xinetd Xinetd 2.1.8.9pre5
- Xinetd Xinetd 2.1.8.9pre6
- Xinetd Xinetd 2.1.8.9pre7
- Xinetd Xinetd 2.1.8.9pre8
- Xinetd Xinetd 2.1.8.9pre9
References:
- Xinetd: Xinetd Homepage
Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.