[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-Disclosure] rident.pl 0.9 file "deletion" and PID files modification

To: full-disclosure@xxxxxxxxxxxxxxxx
Subject: [Full-Disclosure] rident.pl 0.9 file "deletion" and PID files modification
From: Martin <broadcast@xxxxxxxxxxxxxxxx>
Date: Wed, 24 Mar 2004 11:16:38 -0300

Advisory attached.
Future advisories may be found at http://broadcast.ptraced.net

rident.pl 0.9.1b file "deletion" and PID files modification.

Martin (broadcast@xxxxxxxxxxxxxxxx)

-------------------
Program Description
-------------------

Random Ident server (ridentd)

"This server application is meant for the totally paranoid that need 
access
to servers that require ident and don't want to give any information
about local users to the remote server or its other users.

...

The really paranoid may wish to start ridentd a few times a day 
from their cron in order to reseed both the random set of dictionary 
words
and the port modulo. When using in the cron it is adviced to use the 
'SILENT' option."

-----------------------------------
Problem Description and Explotation
-----------------------------------

$ ./ridentd.pl 

***** Random Ident Server 0.9.0b *****
* Using file /usr/lib/ispell/britishmed+.hash
* Counting usable words
* Generating random selection of 1184 from 38642
* Generating insertion table    
* Aquiring names
* 1184 words fetched             
  (local ports belonging to each uniq modulus of 1184 get
   a dictionary word assigned to them)
Need to be root to bind to the ident port

$ ls -l /tmp

lrwxrwxrwx    1 broadcast broadcast        4 2004-03-21 20:52 rident.pid -> sexy
-rw-r--r--    1 broadcast broadcast        4 2004-03-21 20:52 sexy

$ cat sexy
123

$ su -
Password: 

# ./rident.pl

***** Random Ident Server 0.9.0b *****
* Using file /usr/lib/ispell/britishmed+.hash
* Counting usable words
* Generating random selection of 2212 from 38642
* Generating insertion table    
* Aquiring names
* 2212 words fetched             
  (local ports belonging to each uniq modulus of 2212 get
   a dictionary word assigned to them)
* PID file found
* Checking for process with pid 123
* pid file apears to be old
* Binding to port 113
* Forking to background
* BG Process active
* BG Process seting uid/gid to nobody 65534/65534
* Looking if we can do socketpair lookups : Yep: LINUX

# cat /tmp/sexy
20199 

# exit

PID Files modification. Any user could link /tmp/rident.pid to any PID 
file. In fact, any user could link it to a file that only contains 
numerical characters. 

  unless ($opid =~ /^\d+$/)
  {
    print "HEY, SOMEONE F*CKED UP MY PIDFILE /tmp/rident.pid\n";
    exit;
  }

Potty mouth. Censored.
That's the starting point of the race, which ends in:

if ($pid)
{
  open(PID,">/tmp/rident.pid");
  print PID "$pid\n";
  close(PID);
  exit;
}

Winning the race will make the daemon write the PID number of the 
process into any file.

------------------
Possible Solutions
------------------

Discontinuing use of LSD may help with the paranoia.
Add a real check when opening /tmp/rident.pid instead of a regexp.
Discontinue the use of foul language.
Add another real check when reopening /tmp/rident.pid.

----------------
Vendor Contacted
----------------

Not yet.

------------
Official Fix
------------

None yet.

-------------
Related Links
-------------

http://www.securityfocus.com/tools/1935
http://www.xs4all.nl/~rmeijer/rident.html

Prev by Date: Re: [Full-Disclosure] Microsoft Coding / National Security Risk
Next by Date: [Full-Disclosure] Possible Comprimised IIS 5 on Win2k help
Previous by thread: [Full-Disclosure] Re: TrendMicro (not Macro) Interscan Viruswall Directory Traversal
Next by thread: [Full-Disclosure] Possible Comprimised IIS 5 on Win2k help
Index(es):
- Date
- Thread