This advisory details a buffer overflow vulnerability under SuSE Linux that can enable a malicious user to cause the Identification Protocol (Ident) daemon to crash.
Credit:
The information has been provided by Niels Heinen.
Vulnerable systems:
SuSE version 6.x
SuSE version 7.0
By sending longer-than-expected strings to the identd port, a remote attacker can crash the daemon.
Following the buffer overflow attack, the system will no longer be able to establish certain connections that use Ident, for example IRC (Internet Relay Chat) connections. If the Ident daemon is not running, users wishing to connect to IRC will not be allowed to make a connection. In this case, the vulnerability could be used in a Denial of Service attack to keep a person off IRC. It is not clear at present whether this vulnerability could be exploited in such a way that arbitrary code is executed. If so, the code would run with the privileges of the user "nobody" in a default installation.
The daemon will also fail to leave any log message if the string has the right length. Seeing the following in the log file (/var/log/messages):
is a clear indication of an attack using a string length that does produce log entries. Some other Linux distributions are not vulnerable in the same way, but their logs should still be checked for suspicious entries. Another test machine running Red Hat issued a "Full buffer closing connection" error instead.
Workarounds:
If you don't need Ident, you can minimize the risk by disabling the ident daemon. This can be done by editing /etc/rc.config. Look for a line like the one below:
START_INDENTD="yes"
Change the value from yes to no and save the file. After that, as root, run killall -9 in.identd to stop the ident daemon.
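The workaround above, as an added shell example that is not part of the original advisory: it sets START_INDENTD="no" in an rc.config-style file and verifies the result. The script takes the file path as an argument so it can be tried on a constructed copy first; only the path /etc/rc.config, the START_INDENTD variable and the in.identd process name come from the advisory, the helper function names are assumptions.

```shell
#!/bin/sh
# Added example (not SuSE's own tooling): disable the ident daemon by
# setting START_INDENTD="no" in an rc.config-style file, then stop the
# running daemon as the advisory instructs.

# Rewrite (or append) the START_INDENTD line in the file given as $1.
# Uses a temp file + mv instead of sed -i so it works on any POSIX sed.
disable_identd_in() {
    f="$1"
    tmp="$f.tmp.$$"
    if grep -q '^START_INDENTD=' "$f"; then
        sed 's/^START_INDENTD=.*/START_INDENTD="no"/' "$f" > "$tmp"
    else
        cat "$f" > "$tmp"
        echo 'START_INDENTD="no"' >> "$tmp"
    fi
    mv "$tmp" "$f"
}

# Print the current START_INDENTD value (with its quotes) from file $1.
identd_setting() {
    sed -n 's/^START_INDENTD=//p' "$1" | tail -n 1
}

# Stop the running daemon (advisory step). Only meaningful as root on the
# affected host; not invoked by the sample run below.
stop_identd() {
    killall -9 in.identd 2>/dev/null || true
}

# Constructed sample standing in for /etc/rc.config; the real file has
# many more variables, which the functions above leave untouched.
SAMPLE_RC="$(mktemp)"
cat > "$SAMPLE_RC" <<'EOF'
# constructed excerpt of rc.config
START_INETD="yes"
START_INDENTD="yes"
EOF

disable_identd_in "$SAMPLE_RC"
echo "START_INDENTD is now $(identd_setting "$SAMPLE_RC")"
# On the real system: disable_identd_in /etc/rc.config && stop_identd
```

Run it on the temporary copy first; once the output shows "no", apply the same two calls to /etc/rc.config as root.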