Debian Bug report logs - #324678
xinetd: CVE-2013-4342: tcpmux does not change the uid of server proccess

Package: xinetd; Maintainer for xinetd is Salvo 'LtWorf' Tomaselli <tiposchi@tiscali.it>; Source for xinetd is src:xinetd.

Reported by: Philipp Grau <phgrau@zedat.fu-berlin.de>

Date: Tue, 23 Aug 2005 13:03:04 UTC

Severity: important

Tags: security, unreproducible

Found in version xinetd/1:2.3.13-3

Fixed in versions xinetd/1:2.3.15-2, xinetd/1:2.3.14-7.1+deb7u1

Done: Salvo 'LtWorf' Tomaselli <tiposchi@tiscali.it>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Thomas Seyrat <tomasera@debian.org>:
Bug#324678; Package xinetd.

Acknowledgement sent to Philipp Grau <phgrau@zedat.fu-berlin.de>:
New Bug report received and forwarded. Copy sent to Thomas Seyrat <tomasera@debian.org>.

Message #5 received at submit@bugs.debian.org:

From: Philipp Grau <phgrau@zedat.fu-berlin.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: xinetd: tcpmux does not change the uid of server proccess
Date: Tue, 23 Aug 2005 14:50:16 +0200
Package: xinetd
Version: 1:2.3.13-3
Severity: important

Using the TCPMUXPLUS internal service of xinetd does not work as
expected. xinetd does not change the uid of a server process if the
service is called via TCPMUX(PLUS). The configuration attribute "user"
does not take any effect.

Example to reproduce the error:

Using the following configuration:

----------8<--------snipp---------8<-------------------------
# cut'n'paste from xinetd.conf(5)
service tcpmux
{
 disable         = no
 type            = INTERNAL
 id              = tcpmux
 socket_type     = stream
 protocol        = tcp
 user            = root
 wait            = no
}

# test example
service test_server
{
 disable         = no
 type            = TCPMUXPLUS
 socket_type     = stream
 protocol        = tcp
 wait            = no
 user            = testuser
 server          = /usr/bin/id
}
----------8<--------snipp---------8<-------------------------

Using the above configuration we get the following result:

$ telnet 127.0.0.1 1
Trying 127.0.0.1...
test_server
+Go
uid=0(root) gid=0(root) groups=0(root)
Connection closed by foreign host.

The expected result would have been:

$ telnet 127.0.0.1 1
Trying 127.0.0.1...
test_server
+Go
uid=1000(testuser) gid=1000(testuser) groups=1000(testuser)
Connection closed by foreign host.

Further hints:

After looking through the sources, it seems like there is something
missing in the TCPMUX implementation. The sub-service is called by
exec_server() and then an execve() is called to start the external
program. No setuid() before the execve(). 

A setuid() call is only made for child_process() in set_credentials().
So it is possible to run TCPMUX under a different uid, but not the
sub-service.                                                     

-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.11.10.20050519
Locale: LANG=C, LC_CTYPE=de_DE.ISO8859-1 (charmap=ISO-8859-1)

Versions of packages xinetd depends on:
ii  libc6                       2.3.2.ds1-22 GNU C Library: Shared libraries an
ii  libwrap0                    7.6.dbs-8    Wietse Venema's TCP wrappers libra
hi  netbase                     4.19         Basic TCP/IP networking system

-- no debconf information



Tags added: unreproducible Request was from Thomas Seyrat <tomasera@debian.org> to control@bugs.debian.org.

Information forwarded to debian-bugs-dist@lists.debian.org, Salvo 'LtWorf' Tomaselli <tiposchi@tiscali.it>:
Bug#324678; Package xinetd. (Thu, 03 Oct 2013 08:30:04 GMT)

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Salvo 'LtWorf' Tomaselli <tiposchi@tiscali.it>. (Thu, 03 Oct 2013 08:30:04 GMT)

Message #12 received at 324678@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Philipp Grau <phgrau@zedat.fu-berlin.de>, 324678@bugs.debian.org
Subject: Re: Bug#324678: xinetd: tcpmux does not change the uid of server proccess
Date: Thu, 3 Oct 2013 10:26:09 +0200
Control: tags + security
Control: xinetd: CVE-2013-4342: tcpmux does not change the uid of server proccess

Hi

It looks like this issue was also reported on the Red Hat bug tracker, and
CVE-2013-4342 was assigned to it.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Salvo 'LtWorf' Tomaselli <tiposchi@tiscali.it>:
Bug#324678; Package xinetd. (Thu, 03 Oct 2013 10:30:04 GMT)

Acknowledgement sent to Salvo Tomaselli <tiposchi@tiscali.it>:
Extra info received and forwarded to list. Copy sent to Salvo 'LtWorf' Tomaselli <tiposchi@tiscali.it>. (Thu, 03 Oct 2013 10:30:04 GMT)

Message #17 received at 324678@bugs.debian.org:

From: Salvo Tomaselli <tiposchi@tiscali.it>
To: Salvatore Bonaccorso <carnil@debian.org>, 324678@bugs.debian.org
Cc: Philipp Grau <phgrau@zedat.fu-berlin.de>
Subject: Re: Bug#324678: xinetd: tcpmux does not change the uid of server proccess
Date: Thu, 03 Oct 2013 12:28:10 +0200
A patch to that was published this morning on github.
I haven't checked it yet, and github seems down at the moment.



On Thursday 03 October 2013 10.26.09, Salvatore Bonaccorso wrote:
> Control: tags + security
> Control: xinetd: CVE-2013-4342: tcpmux does not change the uid of server
> proccess
> 
> Hi
> 
> It looks like this issue was also reported on the Red Hat bug tracker, and
> CVE-2013-4342 was assigned to it.
> 
> Regards,
> Salvatore
-- 
Salvo Tomaselli

http://ltworf.github.io/ltworf/

Added tag(s) security. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 03 Oct 2013 11:21:09 GMT)

Changed Bug title to 'xinetd: CVE-2013-4342: tcpmux does not change the uid of server proccess' from 'xinetd: tcpmux does not change the uid of server proccess' Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 03 Oct 2013 11:21:09 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Salvo 'LtWorf' Tomaselli <tiposchi@tiscali.it>:
Bug#324678; Package xinetd. (Thu, 03 Oct 2013 14:39:04 GMT)

Acknowledgement sent to Salvo Tomaselli <tiposchi@tiscali.it>:
Extra info received and forwarded to list. Copy sent to Salvo 'LtWorf' Tomaselli <tiposchi@tiscali.it>. (Thu, 03 Oct 2013 14:39:04 GMT)

Message #26 received at 324678@bugs.debian.org:

From: Salvo Tomaselli <tiposchi@tiscali.it>
To: 324678@bugs.debian.org
Subject: unreproducible
Date: Thu, 03 Oct 2013 16:35:59 +0200
It was unreproducible because the service needs to have type:

type = TCPMUXPLUS UNLISTED


-- 
Salvo Tomaselli

http://ltworf.github.io/ltworf/
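
An added example, not part of this bug log or of xinetd's code: a small audit that parses xinetd service blocks and lists the TCPMUX/TCPMUXPLUS sub-services whose "user" attribute names a non-root account, which are the services affected by the missing setuid() described in the report. The type attribute is treated as a flag list so that "TCPMUXPLUS UNLISTED" from message #26 is matched; the function names and the sample configuration are assumptions made for illustration.

```python
import re

# Constructed sample modelled on the configuration in the report; the
# plain_echo service is made up as a non-TCPMUX contrast case.
SAMPLE_CONF = """
service tcpmux
{
 type        = INTERNAL
 id          = tcpmux
 user        = root
}
service test_server
{
 type        = TCPMUXPLUS UNLISTED
 user        = testuser
 server      = /usr/bin/id
}
service plain_echo
{
 type        = UNLISTED
 user        = nobody
 server      = /bin/cat
}
"""

BLOCK = re.compile(r"^\s*service\s+(\S+)\s*\{(.*?)^\s*\}", re.S | re.M)
ATTR = re.compile(r"^[ \t]*(\w+)[ \t]*[-+]?=[ \t]*(.*?)[ \t]*$", re.M)

def parse_services(text):
    """Return {service_name: {attribute: value}} for each service block."""
    text = re.sub(r"^[ \t]*#.*$", "", text, flags=re.M)  # drop comment lines
    return {name: dict(ATTR.findall(body)) for name, body in BLOCK.findall(text)}

def tcpmux_user_findings(text):
    """List (service, user, server) for TCPMUX sub-services that expect a
    non-root uid, i.e. where a missing setuid() changes what runs as whom."""
    findings = []
    for name, attrs in parse_services(text).items():
        flags = set(attrs.get("type", "").upper().split())
        user = attrs.get("user", "root")
        if flags & {"TCPMUX", "TCPMUXPLUS"} and user not in ("root", "0"):
            findings.append((name, user, attrs.get("server")))
    return findings

if __name__ == "__main__":
    for name, user, server in tcpmux_user_findings(SAMPLE_CONF):
        print(f"{name}: {server} keeps the tcpmux uid instead of {user} on unfixed xinetd")
```

Services it lists need one of the fixed package versions named in this log (1:2.3.15-2 or 1:2.3.14-7.1+deb7u1) before the "user" setting can be relied on.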

Reply sent to Salvo 'LtWorf' Tomaselli <tiposchi@tiscali.it>:
You have taken responsibility. (Fri, 04 Oct 2013 11:36:04 GMT)

Notification sent to Philipp Grau <phgrau@zedat.fu-berlin.de>:
Bug acknowledged by developer. (Fri, 04 Oct 2013 11:36:05 GMT)

Message #31 received at 324678-close@bugs.debian.org:

From: Salvo 'LtWorf' Tomaselli <tiposchi@tiscali.it>
To: 324678-close@bugs.debian.org
Subject: Bug#324678: fixed in xinetd 1:2.3.15-2
Date: Fri, 04 Oct 2013 11:33:30 +0000
Source: xinetd
Source-Version: 1:2.3.15-2

We believe that the bug you reported is fixed in the latest version of
xinetd, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 324678@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvo 'LtWorf' Tomaselli <tiposchi@tiscali.it> (supplier of updated xinetd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Thu, 03 Oct 2013 16:13:32 +0200
Source: xinetd
Binary: xinetd
Architecture: source amd64
Version: 1:2.3.15-2
Distribution: unstable
Urgency: high
Maintainer: Salvo 'LtWorf' Tomaselli <tiposchi@tiscali.it>
Changed-By: Salvo 'LtWorf' Tomaselli <tiposchi@tiscali.it>
Description: 
 xinetd     - replacement for inetd with many enhancements
Closes: 324678
Changes: 
 xinetd (1:2.3.15-2) unstable; urgency=high
 .
   * Fix CVE-2013-4342 making TCPMUX services change the uid.
     (Closes: #324678)




Reply sent to Salvo 'LtWorf' Tomaselli <tiposchi@tiscali.it>:
You have taken responsibility. (Sun, 06 Oct 2013 15:51:05 GMT)

Notification sent to Philipp Grau <phgrau@zedat.fu-berlin.de>:
Bug acknowledged by developer. (Sun, 06 Oct 2013 15:51:05 GMT)

Message #36 received at 324678-close@bugs.debian.org:

From: Salvo 'LtWorf' Tomaselli <tiposchi@tiscali.it>
To: 324678-close@bugs.debian.org
Subject: Bug#324678: fixed in xinetd 1:2.3.14-7.1+deb7u1
Date: Sun, 06 Oct 2013 15:47:05 +0000
Source: xinetd
Source-Version: 1:2.3.14-7.1+deb7u1

We believe that the bug you reported is fixed in the latest version of
xinetd, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 324678@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvo 'LtWorf' Tomaselli <tiposchi@tiscali.it> (supplier of updated xinetd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Fri, 04 Oct 2013 23:01:23 +0200
Source: xinetd
Binary: xinetd
Architecture: source amd64
Version: 1:2.3.14-7.1+deb7u1
Distribution: stable
Urgency: high
Maintainer: Salvo 'LtWorf' Tomaselli <tiposchi@tiscali.it>
Changed-By: Salvo 'LtWorf' Tomaselli <tiposchi@tiscali.it>
Description: 
 xinetd     - replacement for inetd with many enhancements
Closes: 324678
Changes: 
 xinetd (1:2.3.14-7.1+deb7u1) stable; urgency=high
 .
   * Fix CVE-2013-4342 making TCPMUX services change the uid.
     (Closes: #324678)
   * Set myself as maintainer.




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 04 Nov 2013 07:39:47 GMT)

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 14:13:18 2014; Machine Name: buxtehude.debian.org