SecurityTracker.com

SecurityTracker
Archives
Category: Application (Generic) > rinetd
Vendors: Boutell.com
'rinetd' Buffer Management Flaw Lets Remote Users Crash the Service
SecurityTracker Alert ID:  1006594
SecurityTracker URL:  http://securitytracker.com/id/1006594
CVE Reference: CVE-2003-0212
Date:  Apr 17 2003
Impact:   Denial of service via network, Execution of arbitrary code via network, Root access via network, User access via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): prior to 0.62
Description:   A vulnerability was reported in the 'rinetd' TCP redirection tool. A remote user can cause the service to crash and may be able to execute arbitrary code.

It is reported that when the server's connection list is full (with 64 connections) and a 65th connection arrives, the software resizes the list incorrectly: one of the per-connection tables is not resized, and the index chosen for the new connection lies outside the tables. The flaw resides in the handleAccept() function in the rinetd.c file.

A remote user can send a series of connection requests to the server to trigger the flaw, causing the service to crash, hang, or refuse any additional connections. It may also be possible to execute arbitrary code.
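The two mistakes described above (a parallel table left unresized, and the new connection indexed at the new size instead of the old one) are a general pattern in code that keeps several per-connection arrays side by side. The following is an added example, not rinetd's code: a hypothetical connection table whose arrays are grown together, where the new connection takes slot `o` (the old size), and where the table size is only updated once every reallocation has succeeded. All names (conn_table, ct_accept, ct_grow and so on) and the fake descriptor values are assumptions for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical connection table with parallel per-connection arrays,
 * modelled on the advisory's description of handleAccept(). Names are
 * assumptions for illustration, not rinetd's own identifiers. */
enum { INITIAL_SLOTS = 64, GROW_BY = 16 };

struct conn_table {
    int total;      /* slots allocated in every parallel array */
    int *fd;        /* socket per slot; -1 marks a free slot */
    int *rpos;      /* per-connection read position */
    int *wpos;      /* per-connection write position */
    int *closing;   /* "closing" flag: the table the original resize skipped */
};

/* Grow one int array from old_n to new_n slots, filling the new tail with `fill`
 * so that freshly created slots never hold stale heap contents. */
static int grow_array(int **arr, int old_n, int new_n, int fill) {
    int *p = realloc(*arr, (size_t)new_n * sizeof(int));
    if (!p)
        return -1;
    for (int i = old_n; i < new_n; i++)
        p[i] = fill;
    *arr = p;
    return 0;
}

int ct_init(struct conn_table *t) {
    memset(t, 0, sizeof *t);           /* all pointers NULL: realloc acts as malloc */
    if (grow_array(&t->fd, 0, INITIAL_SLOTS, -1) < 0 ||
        grow_array(&t->rpos, 0, INITIAL_SLOTS, 0) < 0 ||
        grow_array(&t->wpos, 0, INITIAL_SLOTS, 0) < 0 ||
        grow_array(&t->closing, 0, INITIAL_SLOTS, 0) < 0)
        return -1;
    t->total = INITIAL_SLOTS;
    return 0;
}

/* Grow every parallel array together. `total` is updated only after all
 * reallocations succeeded, so no array is ever smaller than `total`. */
static int ct_grow(struct conn_table *t) {
    int o = t->total, n = o + GROW_BY;
    if (grow_array(&t->fd, o, n, -1) < 0 ||
        grow_array(&t->rpos, o, n, 0) < 0 ||
        grow_array(&t->wpos, o, n, 0) < 0 ||
        grow_array(&t->closing, o, n, 0) < 0)   /* the table a partial fix would forget */
        return -1;
    t->total = n;
    return 0;
}

/* Register an accepted socket and return its slot, or -1 if memory ran out.
 * When the table is full it is grown and the new connection takes slot `o`,
 * the old size: the first slot that did not exist before. Using the new size
 * here (the pre-fix `index = coTotal`) would index one past every array. */
int ct_accept(struct conn_table *t, int sock) {
    int index = -1;
    for (int i = 0; i < t->total; i++) {
        if (t->fd[i] == -1) { index = i; break; }
    }
    if (index == -1) {
        int o = t->total;
        if (ct_grow(t) < 0)
            return -1;
        index = o;
    }
    t->fd[index] = sock;
    t->rpos[index] = 0;
    t->wpos[index] = 0;
    t->closing[index] = 0;
    return index;
}

void ct_close(struct conn_table *t, int index) {
    if (index >= 0 && index < t->total)
        t->fd[index] = -1;
}

void ct_free(struct conn_table *t) {
    free(t->fd); free(t->rpos); free(t->wpos); free(t->closing);
    memset(t, 0, sizeof *t);
}

/* Constructed scenario from the advisory: 64 connections fill the table and a
 * 65th arrives. Returns the 65th slot (64) when the table grew to 80 and the
 * new slot's closing flag is readable, -1 otherwise. */
int scenario_65th_connection(void) {
    struct conn_table t;
    int last = -1;
    if (ct_init(&t) < 0)
        return -1;
    for (int s = 0; s < 65; s++)
        last = ct_accept(&t, 1000 + s);   /* constructed fake descriptors */
    int ok = (last == 64 && t.total == 80 && t.closing[64] == 0);
    ct_free(&t);
    return ok ? last : -1;
}

/* A freed slot below the high-water mark is reused rather than growing again. */
int scenario_reuse_after_close(void) {
    struct conn_table t;
    if (ct_init(&t) < 0)
        return -1;
    for (int s = 0; s < 64; s++)
        ct_accept(&t, 2000 + s);
    ct_close(&t, 3);
    int slot = ct_accept(&t, 2999);
    int ok = (slot == 3 && t.total == 64);
    ct_free(&t);
    return ok ? slot : -1;
}

int main(void) {
    printf("65th connection slot: %d\n", scenario_65th_connection());
    printf("reused slot after close: %d\n", scenario_reuse_after_close());
    return 0;
}
```

The defensive points are the ones the rinetd patch restores: every parallel array is reallocated in one place, the new slot index is the pre-resize count, and the grown tail is initialised so the new connection's flags do not inherit whatever the allocator left behind.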

The vendor credits Sam Hocevar with reporting this flaw.

Impact:   A remote user can cause the service to crash or stop accepting connections. A remote user may also be able to execute arbitrary code with the privileges of rinetd.
Solution:   The vendor has released a fixed version (0.62), available at:

http://www.boutell.com/rinetd/http/rinetd.tar.gz

A patch is also available in the Source Message.

Vendor URL: www.boutell.com/rinetd/
Cause:   Boundary error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Debian Issues Fix) 'rinetd' Buffer Management Flaw Lets Remote Users Crash the Service
Debian has released a fix.



Source Message Contents

Subject:  Vulnerability in rinetd


Sam Hocevar discovered a security problem in rinetd, an IP connection
redirection server.  When the server maintains 64 connections and the
connection list is full, rinetd resizes the list in order to store the
new incoming connection.  However, this is done improperly, resulting
in a denial of service (rinetd may crash, hang or simply refuse new
connections) and potentially execution of arbitrary code.

The bug is triggered when 64 connections are active and a 65th is opened.

In rinetd.c:handleAccept(), when the connection list is full, rinetd
resizes it in order to store the current incoming connection.  There
are two problems in the code that performs the resizing:

  - one table (coClosing) is not resized.

  - after the resizing is done, the new index is set to a bad value
    that is outside the tables.

The bugfix is attached below.

Thomas Boutell released version 0.62 with this bugfix.

This problem is referenced as CAN-2003-0212 at the Common
Vulnerabilities and Exposures project.

--- rinetd.c.orig	2003-04-11 19:41:16.000000000 +0200
+++ rinetd.c	2003-04-11 19:41:08.000000000 +0200
@@ -1071,6 +1071,11 @@
 		{
 			goto shortage;
 		}
+		if (!SAFE_REALLOC(&coClosing, sizeof(int) * o, 
+			sizeof(int) * coTotal)) 
+		{
+			goto shortage;
+		}
 		if (!SAFE_REALLOC(&reClosed, sizeof(int) * o, 
 			sizeof(int) * coTotal)) 
 		{
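Review bot: The added SAFE_REALLOC for coClosing resizes it with the same old size (sizeof(int) * o) and new size (sizeof(int) * coTotal) as the neighbouring tables, which is what the advisory says was missing. The hunk only shows the reallocation, so it is worth confirming that the slots between o and coTotal are initialised before handleAccept reads coClosing[index] for the new connection, or that SAFE_REALLOC zeroes the grown tail; otherwise the new entry inherits whatever the allocator left there.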
@@ -1140,7 +1145,7 @@
 				goto shortage;
 			}
 		}
-		index = coTotal;
+		index = o;
 	}
 	coInputRPos[index] = 0;
 	coInputWPos[index] = 0;
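Review bot: `index = o` is the correct slot: after the resize coTotal is the new table size, so the old `index = coTotal` pointed one element past the end of every per-connection array, and the assignments that follow (coInputRPos[index] = 0; coInputWPos[index] = 0;) wrote out of bounds. `o`, the size before the resize, is the first slot that did not exist before. A one-line comment above the assignment stating that `o` holds the pre-resize count would make the fix harder to reintroduce by accident, since the variable name does not say so.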



Regards,

	Joey
	Debian Security

-- 
Let's call it an accidental feature.  -- Larry Wall

Copyright 2021, SecurityGlobal.net LLC