[914] in linux-security and linux-alert archive


[linux-security] Re: identd hole?

daemon@ATHENA.MIT.EDU (Alexander O. Yuriev)
Tue Jul 16 06:04:02 1996

To: blh@nol.net, linux-security@tarsier.cv.nrao.edu
Cc: juphoff@tarsier.cv.nrao.edu
In-reply-to: Your message of "Mon, 15 Jul 1996 17:57:36 CDT."
             <Pine.GSO.3.94.960715174751.15407A-100000@dazed.nol.net> 
Date: Mon, 15 Jul 1996 19:43:25 -0400
From: "Alexander O. Yuriev" <alex@bach.cis.temple.edu>

[Mod: The message that Alex is following up to appeared on Bugtraq,
where a discussion on this subject has just started.  Exactly what's
going on/being exploited is still uncertain at this point.  --Jeff.]

Your message dated: Mon, 15 Jul 1996 17:57:36 CDT
> Lately I've heard rumours about this 'identd' hole in RFC1413, we've seen
> this abused on IRC several times in recent days. Then today I had someone
> claim they had the root password on my machine at home. So I telnetted in,
> changed it and waited since he claimed he was going to hack it. Apparently
> he did because I caught him with a login process which I promptly killed,
> then being rather peeved I /kill'd him on irc. This apparently pissed him
> off even more so he re-hacked my machine and brought it down, at this time
> I'm not even sure if it's revivable as I've not had a chance to check it,
> all I know is that it's dead in the water currently. Right after that I did a
> netstat -n on the machine I was on at work. Voila.. there were about two
> dozen connections from his IP (I checked) to my identd port (113). Now I'm
> guessing that Solaris 2.5x86 doesn't have the same bug or I caught it in
> time since I saw no adverse effects on that machine. The machine affected
> (and killed) was a linux 2.0.0 machine, but I have heard of many other
> machines of random type being affected in such a manner.

The attack is a quite standard 'buffer overrun'. The identd on a remote
machine returns a string which overruns a buffer, usually allocated on the stack.
Then, depending on the intention of the attacker, he can either pop up a shell
or just do something such as "dd if=/dev/zero of=/dev/sda1".

Best wishes,
Alex
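
As an added illustration of the defect Alex describes above (example code, not part of this thread and not taken from any identd or ident client of the time): a parser for RFC 1413 reply lines that bounds every copy and rejects over-long or malformed replies instead of letting the remote server decide how many bytes land in a stack buffer. The 512-byte line cap, the 64-byte user-id cap and the names `ident_reply`/`parse_ident_reply` are this example's own choices.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define IDENT_LINE_MAX 512   /* line cap chosen for this example */
#define IDENT_USER_MAX 64    /* assumed cap on the user-id we keep */

struct ident_reply {
    int server_port, client_port;
    char user[IDENT_USER_MAX];   /* empty for ERROR replies */
};

/* Strip leading/trailing blanks in place; returns the trimmed start. */
static char *trim(char *s)
{
    while (isspace((unsigned char)*s)) s++;
    char *e = s + strlen(s);
    while (e > s && isspace((unsigned char)e[-1])) *--e = '\0';
    return s;
}

/* The bug class in the thread is an unbounded copy of the reply (e.g. an
 * sscanf "%s" into a fixed stack array), so the remote identd controls how
 * much gets written. This parser bounds every copy. Returns 0 or -1. */
int parse_ident_reply(const char *line, struct ident_reply *out)
{
    char buf[IDENT_LINE_MAX + 1];
    size_t len = strcspn(line, "\r\n");
    if (len > IDENT_LINE_MAX) return -1;            /* refuse over-long lines */
    memcpy(buf, line, len); buf[len] = '\0';
    char *p1 = strchr(buf, ':');                    /* ports : type : ... */
    if (!p1) return -1;
    *p1++ = '\0';
    char *p2 = strchr(p1, ':');
    if (p2) *p2++ = '\0';
    if (sscanf(trim(buf), "%d , %d", &out->server_port, &out->client_port) != 2 ||
        out->server_port < 1 || out->server_port > 65535 ||
        out->client_port < 1 || out->client_port > 65535) return -1;
    out->user[0] = '\0';
    const char *type = trim(p1);
    if (strcmp(type, "ERROR") == 0) return 0;       /* well-formed, no user */
    if (strcmp(type, "USERID") != 0 || !p2) return -1;
    char *p3 = strchr(p2, ':');                     /* opsys : user-id */
    if (!p3) return -1;
    const char *user = trim(p3 + 1);
    size_t ulen = strlen(user);
    if (ulen == 0 || ulen >= IDENT_USER_MAX) return -1; /* reject, never truncate */
    memcpy(out->user, user, ulen + 1);
    return 0;
}
```

A reply whose user-id field would not fit is rejected outright rather than truncated, so the caller never acts on a partially copied identity.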
