Date:      Fri, 25 May 2001 05:33:49 -0700 (PDT)
From:      Jeremy Chadwick <jdc@parodius.com>
To:        FreeBSD-gnats-submit@freebsd.org
Subject:   bin/27636: inetd's internal "auth" service exploits possible bug
Message-ID:  <200105251233.f4PCXnR85086@parodius.com>


>Number:         27636
>Category:       bin
>Synopsis:       inetd's internal "auth" service exploits possible bug
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri May 25 05:40:01 PDT 2001
>Closed-Date:
>Last-Modified:
>Originator:     Jeremy Chadwick
>Release:        FreeBSD 4.3-STABLE i386
>Organization:
Parodius Networking
>Environment:
System: FreeBSD pentarou.parodius.com 4.3-STABLE FreeBSD 4.3-STABLE #0: Sat May 19 19:55:39 PDT 2001 root@pentarou.parodius.com:/usr/obj/usr/src/sys/PARODIUS-SMP i386


>Description:
	inetd's internal "auth" service seems to exploit (or itself
	contain) a bug relating to username lookups.  The entry in
	inetd.conf is:
	auth   stream   tcp   nowait   root   internal   auth -r -t 45

	When a pair of unused ports are provided on port 113 (i.e.
	"1,1" or "0,2"), the daemon returns the error "No such file or
	directory" (taken from strerror()).  I managed to track the
	error down to the sysctlbyname() call within builtins.c.

	sysctlbyname(), in this case, returns -1 and sets errno to
	ENOENT.  sysctlbyname() is being called against a "mysterious"
	sysctl variable, "net.inet.tcp.getcred."  I use the word "mysterious"
	because the entry is 1. undocumented, 2. returns ENOENT, and 3.
	ENOENT is not listed in the sysctlbyname(3) manpage as a valid
	error code (but the kernel **DOES** return ENOENT!).

	Could someone please 1. fix this issue, 2. explain why ENOENT
	was chosen as a return value for the kernel (when it doesn't
	seem to be interacting with any files in this case), and 3. fix
	the manpage so that it contains proper updated information?

	It should be noted that the pidentd daemon in ports/security/pidentd
	does not exhibit this behaviour, yet does the exact same
	sysctlbyname() call.

>How-To-Repeat:
	$ telnet localhost auth
	Trying 127.0.0.1...
	Connected to localhost.
	Escape character is '^]'.
	1,1  
	1 , 1 : ERROR : No such file or directory
	Connection closed by foreign host.
>Fix:
	None that I know of.
>Release-Note:
>Audit-Trail:
>Unformatted:
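
Added example, not part of this report or of inetd's builtins.c: a small RFC 1413 responder in C that shows the handling the report points at. It validates the port pair and, when the connection lookup fails, answers with the protocol's own error token (NO-USER, INVALID-PORT, UNKNOWN-ERROR) instead of echoing strerror() text. The kernel lookup is replaced by a constructed two-entry table (fake_getcred) so the code runs on any system; on FreeBSD that slot is where sysctlbyname("net.inet.tcp.getcred", ...) goes, and its ENOENT means "no connection matched this port pair", not a missing file. Function names and the sample connections are assumptions of this example.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Signature of a connection-owner lookup: returns 0 and fills user on
 * success, -1 with errno set on failure.  inetd fills this role with
 * sysctlbyname() on net.inet.tcp.getcred; ENOENT = no matching connection. */
typedef int (*ident_lookup_fn)(unsigned lport, unsigned fport,
                               char *user, size_t userlen);

/* Constructed stand-in for the kernel lookup: a tiny table of
 * "established" connections so the example runs without FreeBSD. */
static int fake_getcred(unsigned lport, unsigned fport,
                        char *user, size_t userlen)
{
    static const struct { unsigned lport, fport; const char *user; } table[] = {
        { 22, 40000, "jdc" },       /* constructed sample connection */
        { 25, 51234, "mailnull" },  /* constructed sample connection */
    };
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++) {
        if (table[i].lport == lport && table[i].fport == fport) {
            snprintf(user, userlen, "%s", table[i].user);
            return 0;
        }
    }
    errno = ENOENT;   /* what net.inet.tcp.getcred reports for an unused pair */
    return -1;
}

/* Parse "<server-port> , <client-port>" (RFC 1413 request syntax).
 * Returns 0 on success, -1 if unparsable, -2 if a port is outside 1..65535. */
static int parse_ident_request(const char *line, unsigned *lport, unsigned *fport)
{
    const char *p = line;
    char *end;
    unsigned long a, b;

    a = strtoul(p, &end, 10);
    if (end == p) return -1;
    while (*end == ' ' || *end == '\t') end++;
    if (*end++ != ',') return -1;
    p = end;
    b = strtoul(p, &end, 10);
    if (end == p) return -1;
    while (*end == ' ' || *end == '\t' || *end == '\r' || *end == '\n') end++;
    if (*end != '\0') return -1;

    *lport = (unsigned)a;
    *fport = (unsigned)b;
    return (a < 1 || a > 65535 || b < 1 || b > 65535) ? -2 : 0;
}

/* Build the RFC 1413 reply line.  Returns 0 (USERID reply), 1 (lookup
 * failed, ERROR with a protocol token) or -1 (bad request, INVALID-PORT). */
int ident_respond(const char *request, ident_lookup_fn lookup,
                  char *out, size_t outlen)
{
    unsigned lport = 0, fport = 0;
    char user[32];
    int rc = parse_ident_request(request, &lport, &fport);

    if (rc != 0) {
        snprintf(out, outlen, "%u , %u : ERROR : INVALID-PORT", lport, fport);
        return -1;
    }
    if (lookup(lport, fport, user, sizeof user) != 0) {
        /* Map errno to a protocol token instead of echoing strerror():
         * ENOENT here is "no such connection", not "no such file". */
        const char *tok = (errno == ENOENT) ? "NO-USER" : "UNKNOWN-ERROR";
        snprintf(out, outlen, "%u , %u : ERROR : %s", lport, fport, tok);
        return 1;
    }
    snprintf(out, outlen, "%u , %u : USERID : UNIX : %s", lport, fport, user);
    return 0;
}

/* Check helper: 1 if the reply to request (via the fake lookup) equals expected. */
int ident_reply_is(const char *request, const char *expected)
{
    char buf[128];
    ident_respond(request, fake_getcred, buf, sizeof buf);
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    /* Constructed request lines, including the "1,1" pair from the report. */
    const char *requests[] = { "1,1", "0,2", "22, 40000", "garbage" };
    char buf[128];
    for (size_t i = 0; i < sizeof requests / sizeof requests[0]; i++) {
        ident_respond(requests[i], fake_getcred, buf, sizeof buf);
        printf("%-10s -> %s\n", requests[i], buf);
    }
    return 0;
}
```

With the table above, "1,1" yields "1 , 1 : ERROR : NO-USER" rather than the "No such file or directory" line shown in How-To-Repeat; the errno is still checked, it is just never handed to the remote peer as text.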
