[7951] in bugtraq
Re: ANNOUNCE: secure identd v0.3
daemon@ATHENA.MIT.EDU (Wietse Venema)
Wed Sep 16 13:37:43 1998
Date: Tue, 15 Sep 1998 13:17:33 -0400
Reply-To: Wietse Venema <wietse@PORCUPINE.ORG>
From: Wietse Venema <wietse@PORCUPINE.ORG>
X-To: pb@INSECURITY.NET
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <19980914231907.A17597@boehm.org> from Paul Boehm at "Sep 14,
98 11:19:07 pm"
Paul Boehm:
> Umh,
>
> all those mails about identd security scared me.. so i wrote a small perl
> identd server called sidentd which does the basic portpair to uid mapping
> (of course only by hosts involved in the connection) and allows users to set
> fake ident replys by editing /var/identd/their_numerical_uid... That's it...
> it doesn't execute external programs, it can't be overflowed(perl, remember).
local $in = <STDIN>;
This will not overflow, but in return for that, it will cause the
program to consume arbitrary amounts of memory. How many sident
processes does it take to run the machine out of swap space? On
some systems one sident process will suffice, on others as many as
swap/rlimit.
Suggested fix: read a fixed-size read buffer from the network. No
reasonable ident query needs to be longer than a couple bytes for
the two port numbers. When used in the right place, fixed-size
buffers are beneficial to security.
Wietse
