1 |
This message I got from bugtraq this morning, I've updated sys-apps/xinetd to 2.3.3 |
2 |
this morning at 10:09 CST expect the update to show up on rsync within the hour. |
3 |
I'd advise you all to upgrade once you've read the enclosed mail. |
4 |
|
5 |
|
6 |
----- Forwarded message from Solar Designer <solar@××××××××.com> ----- |
7 |
|
8 |
From: Solar Designer <solar@××××××××.com> |
9 |
Message-ID: <20010830054009.A31413@××××××××.com> |
10 |
Date: Thu, 30 Aug 2001 05:40:09 +0400 |
11 |
Cc: security-audit@××××××××××××××××.uk |
12 |
To: bugtraq@×××××××××××××.com |
13 |
Subject: xinetd 2.3.0 audit status |
14 |
User-Agent: Mutt/1.2.5i |
15 |
|
16 |
Hi, |
17 |
|
18 |
As some of you may know, I've performed an audit of the xinetd 2.3.0 |
19 |
source code for certain classes of vulnerabilities. The audit has |
20 |
resulted in a significant number of fixes (many are for non-security |
21 |
issues). The patch was over 100 KB large and got incorporated into |
22 |
xinetd starting with 2.3.1. There were, however, certain issues with |
23 |
patch merging, and the version of xinetd which finally has all of the |
24 |
fixes (plus some more, by other people) is 2.3.3. |
25 |
|
26 |
It is important to understand that no audit is a complete guarantee, |
27 |
and that the audit I've performed covered only a subset of possible |
28 |
problems as listed in AUDIT (now included with xinetd itself and also |
29 |
at the end of this posting). The USERID and RECORD features remain |
30 |
dangerous: the code to handle them is overly privileged. Packagers |
31 |
should make sure these are disabled by default. |
32 |
|
33 |
The worst known security problem with 2.3.0 is that it turned out to |
34 |
not fully fix the string handling vulnerability previously discovered |
35 |
by Sebastian Krahmer of SuSE Security Team. A single NUL byte could |
36 |
still be written beyond the intended area. This kind of a flaw has |
37 |
previously been shown to be exploitable in at least some cases with |
38 |
the help of frame pointers (Olaf Kirch, 1998, "The poisoned NUL byte"). |
39 |
Sebastian's patch didn't have the bug, so the SuSE xinetd updates are |
40 |
likely not affected by this. |
41 |
|
42 |
--- xinetd-2.3.*/AUDIT |
43 |
This is the xinetd-2.3.0 audit status. The audit has been performed |
44 |
in order to make the Owl (http://www.openwall.com/Owl/) xinetd package |
45 |
reasonably secure and of course with the hope that others will find |
46 |
the results and patches useful as well. |
47 |
|
48 |
Much of xinetd's logic is left unaudited (other than for generic bug |
49 |
classes listed below). In particular, this applies to all network |
50 |
access control checks. |
51 |
|
52 |
To summarize the results, xinetd may be reasonably safe to use with |
53 |
these patches, but the code remains far from clean and certain bugs |
54 |
are there by design. |
55 |
|
56 |
The format of this list is one item per line, with subitems indented. |
57 |
If a line doesn't start with a '+', that item hasn't been completed |
58 |
(audited and/or patched). |
59 |
|
60 |
None of the PATCH'es are a part of xinetd-2.3.0; they will be in the |
61 |
Owl package and hopefully will get incorporated into future versions |
62 |
of xinetd. |
63 |
|
64 |
-- |
65 |
Solar Designer <solar@××××××××.com> |
66 |
|
67 |
+BUGS strx_* functions (danger: don't always NUL-terminate) |
68 |
+PATCH bug: shouldn't write NUL when len <= 0 |
69 |
+PATCH may overflow with huge precision values (bad for format bugs) |
70 |
+BUGS strx_* calls: some assume NUL-termination, but none look dangerous |
71 |
+PATCH __xlog_explain_errno forgets to update size |
72 |
+PATCH child.c: child_process may not NUL-terminate name |
73 |
+PATCH init.c: syscall_failed may not NUL-terminate err |
74 |
+PATCH shutdown.c: safe, but should use print_buf_size-1 |
75 |
+PATCH signals.c: sig_name should use sizeof(signame_buf)-1 |
76 |
+OK str_* calls |
77 |
+OK none :-) |
78 |
+OK strcat, strcpy calls (testsuite calls not checked) |
79 |
+OK strn* calls |
80 |
+PATCH some inefficient, but correct |
81 |
+BUGS memcpy, memmove, bcopy calls |
82 |
+PATCH addr.c: addrlist_dump() copies ipv6 address into ipv4 struct |
83 |
+PATCH addr.c: host_addr() trusts hep->h_length from gethostbyname() |
84 |
+PATCH parsers.c: redir_parser() wouldn't build/work when NO_INET_ATON |
85 |
+PATCH parsers.c: redir_parser() wrongly relies on sizeof(he->h_addr) |
86 |
+PATCH parsers.c: bind_parser() same as the above |
87 |
the use of sizeof() is inconsistent (not always of dst arg) |
88 |
+PATCH should change bcopy to memcpy/memmove as appropriate |
89 |
+BUGS sio_memcopy calls |
90 |
+OK sio.c |
91 |
+BUGS siosup.c is too complicated in its handling of data sizes |
92 |
+OK expand() is only called with old_size < new_size |
93 |
+? buffer_setup() isn't obviously correct, but is safe |
94 |
+OK __sio_extend_buffer is correct |
95 |
+PATCH comment to sio.h: aux buffer is right below buf |
96 |
+PATCH __sio_get_events may cause bufentries < 0 (->overflow) |
97 |
+OK conn_setaddr calls: safe, but could use sizeof((cp)->co_remote_address) |
98 |
+OK sprintf calls |
99 |
+BUGS sscanf calls |
100 |
+PATCH addr.c: explicit_mask() has single-byte overflow of saddr[] |
101 |
+BUGS formats |
102 |
+OK fprintf, sprintf, fscanf, sscanf |
103 |
+OK syslog (but relies on %.*s for non-NUL-terminated buffers) |
104 |
+OK strx_* |
105 |
+OK svc_logprint, prepare_buffer |
106 |
+BUGS msg, parsemsg |
107 |
+PATCH intcommon.c: int_init() passes fmt as wrong arg |
108 |
+PATCH (non-security) should never have '\n' in format |
109 |
+OK tabprint |
110 |
+OK Sprint |
111 |
+OK ostimer.c: terminate |
112 |
+PATCH xlog_write() is called on untrusted input w/o XLOG_NO_ERRNO |
113 |
+OK ident -- looks mostly safe |
114 |
+OK SIGALRM + longjmp() used safely: |
115 |
+OK no static accesses, no stdio between START/STOP_TIMER |
116 |
+OK immediate return on timeout (-> no clobbering issues) |
117 |
+OK signal mask after longjmp() is unimportant |
118 |
+PATCH could be safer to also reset SIGALRM handler |
119 |
+PATCH verify_line() modifies buf, which is then logged on error |
120 |
will log control chars from remote |
121 |
+BUGS builtins |
122 |
+OK time, daytime, sensor: NO_FORK && stream (safe: FNDELAY) |
123 |
+PATCH accept() return value never checked |
124 |
+PATCH bad_port_check(): should deny all <1024 (53/udp is just as bad) |
125 |
+PATCH stream_daytime writes to wrong fd when wait = yes (gets EPIPE) |
126 |
+PATCH *_time sends sizeof(time_t): wrong on at least linux-alpha |
127 |
xadmin_handler(): the command parser is unreliable (use sio?) |
128 |
+BUGS record (shutdown.c) |
129 |
connect_back may be used for portscanning of own machine |
130 |
write() return values not checked |
131 |
+PATCH will only handle traditional (obsolete) crypt(3) hashes |
132 |
special.c: stream_shutdown() will log control chars from remote |
133 |
intercept (int[.c]*, {tcp,udp}int.c) -- checked for generic bugs ONLY |
134 |
tcpint.c: si_exit() may leave open fd from accept() |
135 |
+BUGS signal races, longjmp clobbering |
136 |
+BUGS __ostimer_interrupt: |
137 |
+PATCH call_level should be volatile |
138 |
+PATCH should use &ret_env, not (char *)ret_env (may differ) |
139 |
+BUGS ret_env modified non-atomically (with 2 TIMER_LONGJMP's) |
140 |
+PATCH should set have_env before and make it volatile |
141 |
+PATCH may leave an altered signal mask on longjmp() |
142 |
should fallback to plain longjmp in configure |
143 |
+OK __ostimer_{add,remove} only called with signals blocked |
144 |
+OK timer_s fields not volatile, safe due to block _calls_ |
145 |
+BUGS check uses of TIMER_LONGJMP flag |
146 |
+BUGS confparse.c: get_conf() may jump out of malloc(), etc |
147 |
no other uses, perhaps just disable CONF_TIMEOUT |
148 |
+OK ident.c: mostly safe (see above) |
149 |
+BUGS signals.c: bad_signal(): only on crashes, so not a big issue |
150 |
+PATCH *count should be volatile to really avoid looping |
151 |
does calls which may cause another SIGSEGV w/o a bug |
152 |
+PATCH may leave an altered signal mask on longjmp() |
153 |
+BUGS signals.c: general_handler() |
154 |
sio and non-reentrant libc calls on unexpected signal |
155 |
+BUGS signals.c: handle_signal(), my_handler(): events may be lost |
156 |
my_handler may be re-entered, but M_SET isn't atomic: |
157 |
should split ps.flags into int-per-flag |
158 |
+OK main.c: main(): setjmp() placed in a way avoiding clobbering |
159 |
+BUGS access.c: parent_access_control(), alrm_ena() (cps feature) |
160 |
alrm_ena() may cause re-entry into syslog(), etc |
161 |
SIGALRM handler may be never reset, or -- |
162 |
the handler and/or alarm may be reset for other needs |
163 |
should use the timer queues, not OS timers |
164 |
+BUGS int.c: int_sighandler(), intcommon.c: int_init() |
165 |
int_sighandler() may cause re-entry into msg(), etc |
166 |
installed for multiple signals, doesn't block |
167 |
may interrupt msg() in main and cause re-entry |
168 |
+PATCH redirect.c: redir_sigpipe() should use _exit(2), not exit(3) |
169 |
+BUGS fd_set overflows |
170 |
intcommon.c: sets INT_REMOTE(ip) w/o fd_set size check |
171 |
{tcp,udp}int.c: si_mux(), di_mux() FD_SET w/o fd check |
172 |
internals.c: socket_mask_copy w/o fd checks |
173 |
main_loop(): select() on read_mask w/o fd checks |
174 |
service.c: svc_activate(): could check ps.rws.mask_max here |
175 |
(many files) all references to ps.rws.socket_mask are unchecked |
176 |
redirect.c: redir_handler() no checks for rdfd, msfd |
177 |
should use fd_grow similarly to OpenBSD inetd |
178 |
+PATCH workaround: reduce RLIMIT_NOFILE to FD_SETSIZE |
179 |
+BUGS __sio_descriptors overflows |
180 |
+PATCH sio functions forget to check fd against n_descriptors |
181 |
+BUGS get_fd_limit(), Smorefds() |
182 |
+PATCH assume RLIMIT_NOFILE is small (not RLIM_INFINITY) |
183 |
+OK orig_max_descriptors and max_descriptors are rlim_t, not int |
184 |
+BUGS potential fd leaks to services |
185 |
+PATCH init.c: setup_file_descriptors() relies on the rlimit only |
186 |
returns from close() never checked -- fixed the worst one |
187 |
+BUGS child.c: set_credentials() |
188 |
+PATCH should fail if !ps.ros.is_superuser && user/group requested |
189 |
+OK is otherwise fail-close and resets groups (fixed long ago) |
190 |
+BUGS gethostby*, getaddrinfo (some are common with memcpy bugs) |
191 |
+PATCH addr.c: host_addr() trusts hep->h_length from gethostbyname() |
192 |
addr.c: host_addr() INET6 doesn't check res->ai_family |
193 |
parsers.c: {redir,bind}_parser() don't check res->ai_family |
194 |
+PATCH parsers.c: redir_parser() wrongly relies on sizeof(he->h_addr) |
195 |
+PATCH parsers.c: bind_parser() same as the above |
196 |
+PATCH getpwnam unnecessarily leaves password hashes in address space on BSD |
197 |
--- |
198 |
+PATCH gcc format attributes |
199 |
+ build with gcc -Wall -Wcast-align (x86, alpha) -- mostly clean |
200 |
+PATCH many unused vars with ipv6 |
201 |
+PATCH parsers.c, inet.c: stores strtol() to int, then needs long |
202 |
+PATCH several format strings don't match arguments |
203 |
+ build with ccc -msg_enable level4 or higher |
204 |
+PATCH CC= from configure doesn't get into Makefile's |
205 |
lots of warnings (250 KB of output), the code is just not clean |
206 |
+PATCH some really need fixing |
207 |
- use wrapper functions around either strx_* or vsnprintf()? |
208 |
+ not a good idea, tested strx_* against snprintf instead |
209 |
? define strz_* wrappers around strx_*, which would always NUL-terminate |
210 |
+PATCH atoi -> strtol with long to int overflow checks |
211 |
--- |
212 |
should limit logging rate (= rate of permitted sessions, popa3d-like) |
213 |
should drop privileges for ident lookups, builtins, and records |
214 |
should have options to build --without-{ident,builtins,record,intercept} |
215 |
should generate manpages accordingly |
216 |
|
217 |
----- End forwarded message ----- |
218 |
|
219 |
-- |
220 |
Ben Lutgens |
221 |
Sistina Software Inc. |
222 |
|
223 |
What's the difference between root and God ? |
224 |
God doesn't think that he is root. |