[gentoo-dev] Fwd: xinetd 2.3.0 audit status - gentoo-dev

From:	Ben Lutgens <blutgens@×××××××.com>
To:	gentoo-dev@g.o
Subject:	[gentoo-dev] Fwd: xinetd 2.3.0 audit status
Date:	Thu, 30 Aug 2001 09:09:38
Message-Id:	`20010830101047.A3694@minime.sistina.com`

1

This message I got from bugtraq this morning, I've updated sys-apps/xinetd to 2.3.3

2

this morning at 10:09 CST expect the update to show up on rsync within the hour.

3

I'd advise you all to upgrade once you've read the enclosed mail.

4

5

6

----- Forwarded message from Solar Designer <solar@××××××××.com> -----

7

8

From: Solar Designer <solar@××××××××.com>

9

Message-ID: <20010830054009.A31413@××××××××.com>

10

Date: Thu, 30 Aug 2001 05:40:09 +0400

11

Cc: security-audit@××××××××××××××××.uk

12

To: bugtraq@×××××××××××××.com

13

Subject: xinetd 2.3.0 audit status

14

User-Agent: Mutt/1.2.5i

15

16

Hi,

17

18

As some of you may know, I've performed an audit of the xinetd 2.3.0

19

source code for certain classes of vulnerabilities.  The audit has

20

resulted in a significant number of fixes (many are for non-security

21

issues).  The patch was over 100 KB large and got incorporated into

22

xinetd starting with 2.3.1.  There were, however, certain issues with

23

patch merging, and the version of xinetd which finally has all of the

24

fixes (plus some more, by other people) is 2.3.3.

25

26

It is important to understand that no audit is a complete guarantee,

27

and that the audit I've performed covered only a subset of possible

28

problems as listed in AUDIT (now included with xinetd itself and also

29

at the end of this posting).  The USERID and RECORD features remain

30

dangerous: the code to handle them is overly privileged.  Packagers

31

should make sure these are disabled by default.

32

33

The worst known security problem with 2.3.0 is that it turned out to

34

not fully fix the string handling vulnerability previously discovered

35

by Sebastian Krahmer of SuSE Security Team.  A single NUL byte could

36

still be written beyond the intended area.  This kind of a flaw has

37

previously been shown to be exploitable in at least some cases with

38

the help of frame pointers (Olaf Kirch, 1998, "The poisoned NUL byte").

39

Sebastian's patch didn't have the bug, so the SuSE xinetd updates are

40

likely not affected by this.

41

42

--- xinetd-2.3.*/AUDIT

43

This is the xinetd-2.3.0 audit status.  The audit has been performed

44

in order to make the Owl (http://www.openwall.com/Owl/) xinetd package

45

reasonably secure and of course with the hope that others will find

46

the results and patches useful as well.

47

48

Much of xinetd's logic is left unaudited (other than for generic bug

49

classes listed below).  In particular, this applies to all network

50

access control checks.

51

52

To summarize the results, xinetd may be reasonably safe to use with

53

these patches, but the code remains far from clean and certain bugs

54

are there by design.

55

56

The format of this list is one item per line, with subitems indented.

57

If a line doesn't start with a '+', that item hasn't been completed

58

(audited and/or patched).

59

60

None of the PATCH'es are a part of xinetd-2.3.0; they will be in the

61

Owl package and hopefully will get incorporated into future versions

62

of xinetd.

63

64

--

65

Solar Designer <solar@××××××××.com>

66

67

+BUGS	strx_* functions (danger: don't always NUL-terminate)

68

+PATCH		bug: shouldn't write NUL when len <= 0

69

+PATCH		may overflow with huge precision values (bad for format bugs)

70

+BUGS	strx_* calls: some assume NUL-termination, but none look dangerous

71

+PATCH		__xlog_explain_errno forgets to update size

72

+PATCH		child.c: child_process may not NUL-terminate name

73

+PATCH		init.c: syscall_failed may not NUL-terminate err

74

+PATCH		shutdown.c: safe, but should use print_buf_size-1

75

+PATCH		signals.c: sig_name should use sizeof(signame_buf)-1

76

+OK	str_* calls

77

+OK		none :-)

78

+OK	strcat, strcpy calls (testsuite calls not checked)

79

+OK	strn* calls

80

+PATCH		some inefficient, but correct

81

+BUGS	memcpy, memmove, bcopy calls

82

+PATCH		addr.c: addrlist_dump() copies ipv6 address into ipv4 struct

83

+PATCH		addr.c: host_addr() trusts hep->h_length from gethostbyname()

84

+PATCH		parsers.c: redir_parser() wouldn't build/work when NO_INET_ATON

85

+PATCH		parsers.c: redir_parser() wrongly relies on sizeof(he->h_addr)

86

+PATCH		parsers.c: bind_parser() same as the above

87

		the use of sizeof() is inconsistent (not always of dst arg)

88

+PATCH		should change bcopy to memcpy/memmove as appropriate

89

+BUGS	sio_memcopy calls

90

+OK		sio.c

91

+BUGS		siosup.c is too complicated in its handling of data sizes

92

+OK			expand() is only called with old_size < new_size

93

+?			buffer_setup() isn't obviously correct, but is safe

94

+OK			__sio_extend_buffer is correct

95

+PATCH				comment to sio.h: aux buffer is right below buf

96

+PATCH			__sio_get_events may cause bufentries < 0 (->overflow)

97

+OK	conn_setaddr calls: safe, but could use sizeof((cp)->co_remote_address)

98

+OK	sprintf calls

99

+BUGS	sscanf calls

100

+PATCH		addr.c: explicit_mask() has single-byte overflow of saddr[]

101

+BUGS	formats

102

+OK		fprintf, sprintf, fscanf, sscanf

103

+OK		syslog (but relies on %.*s for non-NUL-terminated buffers)

104

+OK		strx_*

105

+OK		svc_logprint, prepare_buffer

106

+BUGS		msg, parsemsg

107

+PATCH			intcommon.c: int_init() passes fmt as wrong arg

108

+PATCH			(non-security) should never have '\n' in format

109

+OK		tabprint

110

+OK		Sprint

111

+OK		ostimer.c: terminate

112

+PATCH		xlog_write() is called on untrusted input w/o XLOG_NO_ERRNO

113

+OK	ident -- looks mostly safe

114

+OK		SIGALRM + longjmp() used safely:

115

+OK			no static accesses, no stdio between START/STOP_TIMER

116

+OK			immediate return on timeout (-> no clobbering issues)

117

+OK			signal mask after longjmp() is unimportant

118

+PATCH			could be safer to also reset SIGALRM handler

119

+PATCH		verify_line() modifies buf, which is then logged on error

120

		will log control chars from remote

121

+BUGS	builtins

122

+OK		time, daytime, sensor: NO_FORK && stream (safe: FNDELAY)

123

+PATCH		accept() return value never checked

124

+PATCH		bad_port_check(): should deny all <1024 (53/udp is just as bad)

125

+PATCH		stream_daytime writes to wrong fd when wait = yes (gets EPIPE)

126

+PATCH		*_time sends sizeof(time_t): wrong on at least linux-alpha

127

		xadmin_handler(): the command parser is unreliable (use sio?)

128

+BUGS	record (shutdown.c)

129

		connect_back may be used for portscanning of own machine

130

		write() return values not checked

131

+PATCH		will only handle traditional (obsolete) crypt(3) hashes

132

		special.c: stream_shutdown() will log control chars from remote

133

	intercept (int[.c]*, {tcp,udp}int.c) -- checked for generic bugs ONLY

134

		tcpint.c: si_exit() may leave open fd from accept()

135

+BUGS	signal races, longjmp clobbering

136

+BUGS		__ostimer_interrupt:

137

+PATCH			call_level should be volatile

138

+PATCH			should use &ret_env, not (char *)ret_env (may differ)

139

+BUGS			ret_env modified non-atomically (with 2 TIMER_LONGJMP's)

140

+PATCH				should set have_env before and make it volatile

141

+PATCH			may leave an altered signal mask on longjmp()

142

				should fallback to plain longjmp in configure

143

+OK			__ostimer_{add,remove} only called with signals blocked

144

+OK			timer_s fields not volatile, safe due to block _calls_

145

+BUGS		check uses of TIMER_LONGJMP flag

146

+BUGS			confparse.c: get_conf() may jump out of malloc(), etc

147

				no other uses, perhaps just disable CONF_TIMEOUT

148

+OK		ident.c: mostly safe (see above)

149

+BUGS		signals.c: bad_signal(): only on crashes, so not a big issue

150

+PATCH			*count should be volatile to really avoid looping

151

			does calls which may cause another SIGSEGV w/o a bug

152

+PATCH			may leave an altered signal mask on longjmp()

153

+BUGS		signals.c: general_handler()

154

			sio and non-reentrant libc calls on unexpected signal

155

+BUGS		signals.c: handle_signal(), my_handler(): events may be lost

156

			my_handler may be re-entered, but M_SET isn't atomic:

157

				should split ps.flags into int-per-flag

158

+OK		main.c: main(): setjmp() placed in a way avoiding clobbering

159

+BUGS		access.c: parent_access_control(), alrm_ena() (cps feature)

160

			alrm_ena() may cause re-entry into syslog(), etc

161

			SIGALRM handler may be never reset, or --

162

			the handler and/or alarm may be reset for other needs

163

				should use the timer queues, not OS timers

164

+BUGS		int.c: int_sighandler(), intcommon.c: int_init()

165

			int_sighandler() may cause re-entry into msg(), etc

166

				installed for multiple signals, doesn't block

167

				may interrupt msg() in main and cause re-entry

168

+PATCH		redirect.c: redir_sigpipe() should use _exit(2), not exit(3)

169

+BUGS	fd_set overflows

170

		intcommon.c: sets INT_REMOTE(ip) w/o fd_set size check

171

			{tcp,udp}int.c: si_mux(), di_mux() FD_SET w/o fd check

172

		internals.c: socket_mask_copy w/o fd checks

173

		main_loop(): select() on read_mask w/o fd checks

174

		service.c: svc_activate(): could check ps.rws.mask_max here

175

		(many files) all references to ps.rws.socket_mask are unchecked

176

		redirect.c: redir_handler() no checks for rdfd, msfd

177

		should use fd_grow similarly to OpenBSD inetd

178

+PATCH		workaround: reduce RLIMIT_NOFILE to FD_SETSIZE

179

+BUGS	__sio_descriptors overflows

180

+PATCH		sio functions forget to check fd against n_descriptors

181

+BUGS	get_fd_limit(), Smorefds()

182

+PATCH		assume RLIMIT_NOFILE is small (not RLIM_INFINITY)

183

+OK		orig_max_descriptors and max_descriptors are rlim_t, not int

184

+BUGS	potential fd leaks to services

185

+PATCH		init.c: setup_file_descriptors() relies on the rlimit only

186

		returns from close() never checked -- fixed the worst one

187

+BUGS	child.c: set_credentials()

188

+PATCH		should fail if !ps.ros.is_superuser && user/group requested

189

+OK		is otherwise fail-close and resets groups (fixed long ago)

190

+BUGS	gethostby*, getaddrinfo (some are common with memcpy bugs)

191

+PATCH		addr.c: host_addr() trusts hep->h_length from gethostbyname()

192

		addr.c: host_addr() INET6 doesn't check res->ai_family

193

		parsers.c: {redir,bind}_parser() don't check res->ai_family

194

+PATCH		parsers.c: redir_parser() wrongly relies on sizeof(he->h_addr)

195

+PATCH		parsers.c: bind_parser() same as the above

196

+PATCH	getpwnam unnecessarily leaves password hashes in address space on BSD

197

---

198

+PATCH	gcc format attributes

199

+	build with gcc -Wall -Wcast-align (x86, alpha) -- mostly clean

200

+PATCH		many unused vars with ipv6

201

+PATCH		parsers.c, inet.c: stores strtol() to int, then needs long

202

+PATCH		several format strings don't match arguments

203

+	build with ccc -msg_enable level4 or higher

204

+PATCH		CC= from configure doesn't get into Makefile's

205

		lots of warnings (250 KB of output), the code is just not clean

206

+PATCH			some really need fixing

207

-	use wrapper functions around either strx_* or vsnprintf()?

208

+		not a good idea, tested strx_* against snprintf instead

209

?	define strz_* wrappers around strx_*, which would always NUL-terminate

210

+PATCH	atoi -> strtol with long to int overflow checks

211

---

212

	should limit logging rate (= rate of permitted sessions, popa3d-like)

213

	should drop privileges for ident lookups, builtins, and records

214

	should have options to build --without-{ident,builtins,record,intercept}

215

		should generate manpages accordingly

216

217

----- End forwarded message -----

218

219

--

220

Ben Lutgens		

221

Sistina Software Inc.	

222

223

What's the difference between root and God ?

224

God doesn't think that he is root.

1	This message I got from bugtraq this morning, I've updated sys-apps/xinetd to 2.3.3
2	this morning at 10:09 CST expect the update to show up on rsync within the hour.
3	I'd advise you all to upgrade once you've read the enclosed mail.
4
5
6	----- Forwarded message from Solar Designer <solar@××××××××.com> -----
7
8	From: Solar Designer <solar@××××××××.com>
9	Message-ID: <20010830054009.A31413@××××××××.com>
10	Date: Thu, 30 Aug 2001 05:40:09 +0400
11	Cc: security-audit@××××××××××××××××.uk
12	To: bugtraq@×××××××××××××.com
13	Subject: xinetd 2.3.0 audit status
14	User-Agent: Mutt/1.2.5i
15
16	Hi,
17
18	As some of you may know, I've performed an audit of the xinetd 2.3.0
19	source code for certain classes of vulnerabilities. The audit has
20	resulted in a significant number of fixes (many are for non-security
21	issues). The patch was over 100 KB large and got incorporated into
22	xinetd starting with 2.3.1. There were, however, certain issues with
23	patch merging, and the version of xinetd which finally has all of the
24	fixes (plus some more, by other people) is 2.3.3.
25
26	It is important to understand that no audit is a complete guarantee,
27	and that the audit I've performed covered only a subset of possible
28	problems as listed in AUDIT (now included with xinetd itself and also
29	at the end of this posting). The USERID and RECORD features remain
30	dangerous: the code to handle them is overly privileged. Packagers
31	should make sure these are disabled by default.
32
33	The worst known security problem with 2.3.0 is that it turned out to
34	not fully fix the string handling vulnerability previously discovered
35	by Sebastian Krahmer of SuSE Security Team. A single NUL byte could
36	still be written beyond the intended area. This kind of a flaw has
37	previously been shown to be exploitable in at least some cases with
38	the help of frame pointers (Olaf Kirch, 1998, "The poisoned NUL byte").
39	Sebastian's patch didn't have the bug, so the SuSE xinetd updates are
40	likely not affected by this.
41
42	--- xinetd-2.3.*/AUDIT
43	This is the xinetd-2.3.0 audit status. The audit has been performed
44	in order to make the Owl (http://www.openwall.com/Owl/) xinetd package
45	reasonably secure and of course with the hope that others will find
46	the results and patches useful as well.
47
48	Much of xinetd's logic is left unaudited (other than for generic bug
49	classes listed below). In particular, this applies to all network
50	access control checks.
51
52	To summarize the results, xinetd may be reasonably safe to use with
53	these patches, but the code remains far from clean and certain bugs
54	are there by design.
55
56	The format of this list is one item per line, with subitems indented.
57	If a line doesn't start with a '+', that item hasn't been completed
58	(audited and/or patched).
59
60	None of the PATCH'es are a part of xinetd-2.3.0; they will be in the
61	Owl package and hopefully will get incorporated into future versions
62	of xinetd.
63
64	--
65	Solar Designer <solar@××××××××.com>
66
67	+BUGS strx_* functions (danger: don't always NUL-terminate)
68	+PATCH bug: shouldn't write NUL when len <= 0
69	+PATCH may overflow with huge precision values (bad for format bugs)
70	+BUGS strx_* calls: some assume NUL-termination, but none look dangerous
71	+PATCH __xlog_explain_errno forgets to update size
72	+PATCH child.c: child_process may not NUL-terminate name
73	+PATCH init.c: syscall_failed may not NUL-terminate err
74	+PATCH shutdown.c: safe, but should use print_buf_size-1
75	+PATCH signals.c: sig_name should use sizeof(signame_buf)-1
76	+OK str_* calls
77	+OK none :-)
78	+OK strcat, strcpy calls (testsuite calls not checked)
79	+OK strn* calls
80	+PATCH some inefficient, but correct
81	+BUGS memcpy, memmove, bcopy calls
82	+PATCH addr.c: addrlist_dump() copies ipv6 address into ipv4 struct
83	+PATCH addr.c: host_addr() trusts hep->h_length from gethostbyname()
84	+PATCH parsers.c: redir_parser() wouldn't build/work when NO_INET_ATON
85	+PATCH parsers.c: redir_parser() wrongly relies on sizeof(he->h_addr)
86	+PATCH parsers.c: bind_parser() same as the above
87	the use of sizeof() is inconsistent (not always of dst arg)
88	+PATCH should change bcopy to memcpy/memmove as appropriate
89	+BUGS sio_memcopy calls
90	+OK sio.c
91	+BUGS siosup.c is too complicated in its handling of data sizes
92	+OK expand() is only called with old_size < new_size
93	+? buffer_setup() isn't obviously correct, but is safe
94	+OK __sio_extend_buffer is correct
95	+PATCH comment to sio.h: aux buffer is right below buf
96	+PATCH __sio_get_events may cause bufentries < 0 (->overflow)
97	+OK conn_setaddr calls: safe, but could use sizeof((cp)->co_remote_address)
98	+OK sprintf calls
99	+BUGS sscanf calls
100	+PATCH addr.c: explicit_mask() has single-byte overflow of saddr[]
101	+BUGS formats
102	+OK fprintf, sprintf, fscanf, sscanf
103	+OK syslog (but relies on %.*s for non-NUL-terminated buffers)
104	+OK strx_*
105	+OK svc_logprint, prepare_buffer
106	+BUGS msg, parsemsg
107	+PATCH intcommon.c: int_init() passes fmt as wrong arg
108	+PATCH (non-security) should never have '\n' in format
109	+OK tabprint
110	+OK Sprint
111	+OK ostimer.c: terminate
112	+PATCH xlog_write() is called on untrusted input w/o XLOG_NO_ERRNO
113	+OK ident -- looks mostly safe
114	+OK SIGALRM + longjmp() used safely:
115	+OK no static accesses, no stdio between START/STOP_TIMER
116	+OK immediate return on timeout (-> no clobbering issues)
117	+OK signal mask after longjmp() is unimportant
118	+PATCH could be safer to also reset SIGALRM handler
119	+PATCH verify_line() modifies buf, which is then logged on error
120	will log control chars from remote
121	+BUGS builtins
122	+OK time, daytime, sensor: NO_FORK && stream (safe: FNDELAY)
123	+PATCH accept() return value never checked
124	+PATCH bad_port_check(): should deny all <1024 (53/udp is just as bad)
125	+PATCH stream_daytime writes to wrong fd when wait = yes (gets EPIPE)
126	+PATCH *_time sends sizeof(time_t): wrong on at least linux-alpha
127	xadmin_handler(): the command parser is unreliable (use sio?)
128	+BUGS record (shutdown.c)
129	connect_back may be used for portscanning of own machine
130	write() return values not checked
131	+PATCH will only handle traditional (obsolete) crypt(3) hashes
132	special.c: stream_shutdown() will log control chars from remote
133	intercept (int[.c]*, {tcp,udp}int.c) -- checked for generic bugs ONLY
134	tcpint.c: si_exit() may leave open fd from accept()
135	+BUGS signal races, longjmp clobbering
136	+BUGS __ostimer_interrupt:
137	+PATCH call_level should be volatile
138	+PATCH should use &ret_env, not (char *)ret_env (may differ)
139	+BUGS ret_env modified non-atomically (with 2 TIMER_LONGJMP's)
140	+PATCH should set have_env before and make it volatile
141	+PATCH may leave an altered signal mask on longjmp()
142	should fallback to plain longjmp in configure
143	+OK __ostimer_{add,remove} only called with signals blocked
144	+OK timer_s fields not volatile, safe due to block _calls_
145	+BUGS check uses of TIMER_LONGJMP flag
146	+BUGS confparse.c: get_conf() may jump out of malloc(), etc
147	no other uses, perhaps just disable CONF_TIMEOUT
148	+OK ident.c: mostly safe (see above)
149	+BUGS signals.c: bad_signal(): only on crashes, so not a big issue
150	+PATCH *count should be volatile to really avoid looping
151	does calls which may cause another SIGSEGV w/o a bug
152	+PATCH may leave an altered signal mask on longjmp()
153	+BUGS signals.c: general_handler()
154	sio and non-reentrant libc calls on unexpected signal
155	+BUGS signals.c: handle_signal(), my_handler(): events may be lost
156	my_handler may be re-entered, but M_SET isn't atomic:
157	should split ps.flags into int-per-flag
158	+OK main.c: main(): setjmp() placed in a way avoiding clobbering
159	+BUGS access.c: parent_access_control(), alrm_ena() (cps feature)
160	alrm_ena() may cause re-entry into syslog(), etc
161	SIGALRM handler may be never reset, or --
162	the handler and/or alarm may be reset for other needs
163	should use the timer queues, not OS timers
164	+BUGS int.c: int_sighandler(), intcommon.c: int_init()
165	int_sighandler() may cause re-entry into msg(), etc
166	installed for multiple signals, doesn't block
167	may interrupt msg() in main and cause re-entry
168	+PATCH redirect.c: redir_sigpipe() should use _exit(2), not exit(3)
169	+BUGS fd_set overflows
170	intcommon.c: sets INT_REMOTE(ip) w/o fd_set size check
171	{tcp,udp}int.c: si_mux(), di_mux() FD_SET w/o fd check
172	internals.c: socket_mask_copy w/o fd checks
173	main_loop(): select() on read_mask w/o fd checks
174	service.c: svc_activate(): could check ps.rws.mask_max here
175	(many files) all references to ps.rws.socket_mask are unchecked
176	redirect.c: redir_handler() no checks for rdfd, msfd
177	should use fd_grow similarly to OpenBSD inetd
178	+PATCH workaround: reduce RLIMIT_NOFILE to FD_SETSIZE
179	+BUGS __sio_descriptors overflows
180	+PATCH sio functions forget to check fd against n_descriptors
181	+BUGS get_fd_limit(), Smorefds()
182	+PATCH assume RLIMIT_NOFILE is small (not RLIM_INFINITY)
183	+OK orig_max_descriptors and max_descriptors are rlim_t, not int
184	+BUGS potential fd leaks to services
185	+PATCH init.c: setup_file_descriptors() relies on the rlimit only
186	returns from close() never checked -- fixed the worst one
187	+BUGS child.c: set_credentials()
188	+PATCH should fail if !ps.ros.is_superuser && user/group requested
189	+OK is otherwise fail-close and resets groups (fixed long ago)
190	+BUGS gethostby*, getaddrinfo (some are common with memcpy bugs)
191	+PATCH addr.c: host_addr() trusts hep->h_length from gethostbyname()
192	addr.c: host_addr() INET6 doesn't check res->ai_family
193	parsers.c: {redir,bind}_parser() don't check res->ai_family
194	+PATCH parsers.c: redir_parser() wrongly relies on sizeof(he->h_addr)
195	+PATCH parsers.c: bind_parser() same as the above
196	+PATCH getpwnam unnecessarily leaves password hashes in address space on BSD
197	---
198	+PATCH gcc format attributes
199	+ build with gcc -Wall -Wcast-align (x86, alpha) -- mostly clean
200	+PATCH many unused vars with ipv6
201	+PATCH parsers.c, inet.c: stores strtol() to int, then needs long
202	+PATCH several format strings don't match arguments
203	+ build with ccc -msg_enable level4 or higher
204	+PATCH CC= from configure doesn't get into Makefile's
205	lots of warnings (250 KB of output), the code is just not clean
206	+PATCH some really need fixing
207	- use wrapper functions around either strx_* or vsnprintf()?
208	+ not a good idea, tested strx_* against snprintf instead
209	? define strz_* wrappers around strx_*, which would always NUL-terminate
210	+PATCH atoi -> strtol with long to int overflow checks
211	---
212	should limit logging rate (= rate of permitted sessions, popa3d-like)
213	should drop privileges for ident lookups, builtins, and records
214	should have options to build --without-{ident,builtins,record,intercept}
215	should generate manpages accordingly
216
217	----- End forwarded message -----
218
219	--
220	Ben Lutgens
221	Sistina Software Inc.
222
223	What's the difference between root and God ?
224	God doesn't think that he is root.

Gentoo Archives: gentoo-dev