[2938] in bugtraq
Re: identd hole?
daemon@ATHENA.MIT.EDU (Henri Karrenbeld)
Tue Jul 16 14:36:15 1996
Date: Tue, 16 Jul 1996 15:15:38 +0200
Reply-To: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
From: Henri Karrenbeld <H.Karrenbeld@ct.utwente.nl>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>
In-Reply-To: <199607160338.DAA01957@lefty.novasys.com> from "Bugtraq Archiver" at Jul 16, 96 03:38:50 am
Some time ago Bugtraq Archiver declared:
>
> > Aleph-1 mentioned that it might be a sendmail overrun bug if the connections
> > were to HIS ident port but they were not. All the same this bug is also news
> > to me (I'm fairly new to bugtraq) and I can only assume that this also has
> > been used in the past(?). My current sendmail on *all* of my machines is
> > 8.7.5 but I'm willing to bet that there are already hacks to that one as
> > well.
>
> it's possible that it's an atoi() (or more properly strtol()) bug.. Most
> people run identd as root, this means that if someone happens to overflow
> a buffer (which is easily done with atoi()) then you can write on the
> stack and execute things as root (there may have been so many connections
> because his exploit was guessing the proper stack offset.. I am not certain
> this is what was done either, it's just a guess with the information provided..
>
Hmm, how can I find out what version of auth/identd/pidentd I am running?
I'd like to be able to peek into the source of the particular version that's
running on several Slackware 3.0 machines (all of the vulnerabilities that
I am aware of are fixed on those, but this one is new for me).
'strings' doesn't give any clue, ... I have the source here for pidentd-2.5.1
and 2.6.1, but I'm totally clueless as to which version Slackware uses.
$) Henri
--
I've got nothing to do,... 'cept hang around and get screwed up on you...
--- Therapy?, "Screamager", SHORTSHARPSHOCK EP (1993)
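The quoted reply above speculates that the identd problem is a number-parsing or buffer defect in a daemon running as root. As an added example (not code from this thread or from any pidentd release), here is how a defender would parse the RFC 1413 request line that identd receives; the function names are hypothetical, and the only format assumption is the RFC's "server-port , client-port" line.

```c
/* Added example, not part of the original thread: a bounds-checked parser for an
 * RFC 1413 ident request line ("server-port , client-port\r\n"). strtol() with
 * explicit error/range checks replaces atoi(); over-long or malformed input fails. */
#include <errno.h>
#include <stdlib.h>
#define IDENT_MAX_LINE 64   /* RFC 1413 requests are tiny; cap them hard */
/* Parse one TCP port (1..65535); on success store it and advance *end. */
static int parse_port(const char *s, char **end, int *port)
{
    long v;
    errno = 0;
    v = strtol(s, end, 10);
    if (*end == s)                             /* no digits at all */
        return -1;
    if (errno == ERANGE || v < 1 || v > 65535)  /* out of port range */
        return -1;
    *port = (int)v;
    return 0;
}

static char *skip_blanks(char *p)
{
    while (*p == ' ' || *p == '\t')
        p++;
    return p;
}

/* Parse "sport , cport" with optional blanks and trailing CRLF.
 * Returns 0 and sets *sport/*cport on success, -1 on any defect. */
int parse_ident_request(const char *line, int *sport, int *cport)
{
    char *end;
    size_t len;
    for (len = 0; len <= IDENT_MAX_LINE && line[len] != '\0'; len++)
        ;
    if (len > IDENT_MAX_LINE)                  /* refuse over-long lines */
        return -1;
    if (parse_port(line, &end, sport) != 0)
        return -1;
    end = skip_blanks(end);
    if (*end++ != ',')
        return -1;
    if (parse_port(skip_blanks(end), &end, cport) != 0)
        return -1;
    end = skip_blanks(end);
    if (*end == '\r') end++;
    if (*end == '\n') end++;
    return (*end == '\0') ? 0 : -1;            /* reject trailing junk */
}
```

The point is that every field is parsed with a length cap, a digit check and a numeric range check before it is used, so a hostile client line is rejected rather than written anywhere.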