[EMAIL PROTECTED] wrote:
> On Mon, 16 Mar 1998, Dave G. wrote:
>
> >
> >> So, someone has a program that connects to the 'auth' port and overflows
> >> some buffer to gain a root shell. This exploit is either in inetd or
> >> identd (I am thinking it is in inetd, because identd is run as
> >> 'nobody'). If anyone would like to check out inetd for any holes,
> >> please do so as I am doing. Another clue in this is that one of the
> >> environment variables set was:
> >>
> >
> >Did you actually watch them exploit a vulnerability in identd? They
> >easily could have broken in via another means, and then patched
> >inetd, identd or even tcp wrappers to execute a shell given specific
> >input( i.e. a backdoor or a trojan ).
> >
> >> dummy=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> >>
> >> Which means the hole may exist in the environment variables system.
> >>
> >
> >Did they do anything with this variable? like possibly execute another
> >command with $dummy as a command line argument?
> >
>
> In any case I would recommend that you more strictly control access to your
> inetd services that you require, using tcpwrapper, which comes standard with
> RedHat. Tcp wrappers will also increase your logging capability for these
> types of exploits...
>
> You can then set up your /etc/hosts.allow to only allow those machines which
> you are certain are okay to access those services which may be
> exploited.
>
> eg. identd, time services, old version of imapd, and pop3d etc.
>
> For info on tcpwrappers see the man pages on
> tcpd
> hosts.allow
>
> A good place to watch for these types of standard exploits and what to do
> about them can be found on the Linux-Security mail list and the more
> general BugTraq mail list.
>
> http://www.redhat.com/ (For linux-security)
> http://www.geek-girl.com/bugtraq/ (For Bugtraq mail list and archives)
>
> In fact Bugtraq is one of the best lists I have ever lurked on.
>
>
Yes, I've searched everywhere for reports of this bug, but I haven't found anything.
What I've decided to do is run in.identd through tcpd (for some reason Red Hat comes
with it NOT running through the wrapper), and I upgraded to the latest version of
pidentd, 2.8.1.
I will update on whether this guy gets in again.
> Hope this helps
>
> Regards
> Terrence
>
> --
> PLEASE read the Red Hat FAQ, Tips, Errata and the MAILING LIST ARCHIVES!
> http://www.redhat.com/RedHat-FAQ /RedHat-Errata /RedHat-Tips /mailing-lists
> To unsubscribe: mail [EMAIL PROTECTED] with
> "unsubscribe" as the Subject.
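As an added example (not part of this thread, and not Red Hat's or tcp_wrappers' own code): a small POSIX shell script that audits an inetd.conf-style file for services whose server program is not tcpd, which is exactly the situation described above with in.identd, and rewrites those lines so they run under the wrapper. The inetd.conf lines it works on are constructed for the example, and /usr/sbin/tcpd is assumed to be where tcpd lives (the usual Red Hat location); adjust the path if yours differs. The hosts.deny/hosts.allow pair in the trailing comments is also constructed.

```shell
#!/bin/sh
# Added example: find inetd services that bypass tcp wrappers, and show
# what the same lines look like once wrapped.
# inetd.conf field layout: service socket proto wait/nowait user server args
# The sample file below is constructed for this example; paths are assumed.

SAMPLE_INETD_CONF=$(cat <<'EOF'
# service socket proto wait/nowait user   server_path         args
auth    stream  tcp   nowait   nobody /usr/sbin/in.identd in.identd -l -e -o
pop-3   stream  tcp   nowait   root   /usr/sbin/tcpd      ipop3d
imap    stream  tcp   nowait   root   /usr/sbin/tcpd      imapd
time    stream  tcp   nowait   root   internal
telnet  stream  tcp   nowait   root   /usr/sbin/tcpd      in.telnetd
EOF
)

# unwrapped_services: print, one per line, the service names whose server
# field (field 6) is neither tcpd nor the "internal" built-in, i.e. the
# services that hosts.allow/hosts.deny never get to see.
# Usage: unwrapped_services "$(cat /etc/inetd.conf)"
unwrapped_services() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ || NF < 6 { next }     # skip comments and short lines
        $6 == "internal"          { next }     # inetd built-ins cannot be wrapped
        $6 !~ /(^|\/)tcpd$/       { print $1 } # server program is not tcpd
    '
}

# wrap_with_tcpd: emit the file with every unwrapped service rewritten to
# run through /usr/sbin/tcpd (assumed path). The args field already starts
# with the daemon name (argv[0]), which is what tcpd uses to locate the
# real server, so only the server field changes. Lines that are comments,
# built-ins or already wrapped are passed through untouched.
wrap_with_tcpd() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ || NF < 6 || $6 == "internal" || $6 ~ /(^|\/)tcpd$/ {
            print; next
        }
        { $6 = "/usr/sbin/tcpd"; print }
    '
}

# Stand-alone run: report what is unwrapped in the constructed sample.
unwrapped_services "$SAMPLE_INETD_CONF"   # prints: auth

# With every service behind tcpd, the policy lives in two files.
# Constructed example (network chosen for illustration):
#
#   /etc/hosts.deny:
#       ALL: ALL
#
#   /etc/hosts.allow:
#       in.identd: 192.168.1.0/255.255.255.0
#       ipop3d imapd: 192.168.1.
#
# Daemon names in hosts.allow are the argv[0] basename (in.identd), not the
# inetd service name (auth). Denied and allowed connections are logged by
# tcpd through syslog, which is the extra logging mentioned above.
```

The rewrite keeps the daemon's own argv[0] in place, so a line such as `auth ... /usr/sbin/in.identd in.identd -l -e -o` becomes `auth ... /usr/sbin/tcpd in.identd -l -e -o`; tcpd then checks hosts.allow/hosts.deny and executes in.identd with the original arguments. After editing the real /etc/inetd.conf, send inetd a SIGHUP so it re-reads the file.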