7700515 2001-12-19 15:04 -0800  /47 lines/ Anton Rager <a_rager@yahoo.com>
Sent by: joel@lysator.liu.se
Imported: 2001-12-20  00:34  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <20218>
Subject: Linux distributions and /bin/login overflow
------------------------------------------------------------
From: Anton Rager <a_rager@yahoo.com>
To: bugtraq@securityfocus.com
Message-ID: <20011219230459.99414.qmail@web13406.mail.yahoo.com>

Hello,

It seems that while Redhat Linux and Caldera Linux
distributions are immune to the recent /bin/login
environ overflow, other Linux distributions are not. 
Several Linux distributions install /bin/login with
SysV login options enabled.

Slackware 8.0 and lower [tested with 8.0, 4.0, 3.3]
has SysV options enabled with /bin/login and is
vulnerable.

SuSE 6.1 has SysV options enabled with /bin/login and
is vulnerable.  I don't have a newer SuSE release, so
others will need to verify. It would seem logical that
SuSE 8.3 still includes the SysV login options
enabled, and is probably vulnerable as well.

Other distributions should be checked as well.  A
quick way to check for SysV option capabilities is to
type "login", then enter "root testenv1=test" at the
login: prompt.  Supply your root passwd, and look for
"testenv1" in the output of set.  If it's set, then
your copy of /bin/login supports SysV options.....and
is probably vulnerable. Follow similar procedure to
find overflow possibility/specifics ;)


Regards,

Anton Rager
a_rager@yahoo.com




(7700515) /Anton Rager <a_rager@yahoo.com>/---------
Comment in text 7706245 by Roman Drahtmueller <draht@suse.de>
7706245 2001-12-20 06:21 +0100  /85 lines/ Roman Drahtmueller <draht@suse.de>
Sent by: joel@lysator.liu.se
Imported: 2001-12-21  02:39  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <20239>
Comment on text 7700515 by Anton Rager <a_rager@yahoo.com>
Subject: Re: Linux distributions and /bin/login overflow
------------------------------------------------------------
From: Roman Drahtmueller <draht@suse.de>
To: bugtraq@securityfocus.com
Message-ID: <Pine.LNX.4.43.0112200541271.29704-100000@dent.suse.de>


> Hello,

Hello, too!

[...]

> It seems that while Redhat Linux and Caldera Linux
> distributions are immune to the recent /bin/login
> environ overflow, other Linux distributions are not.
> Several Linux distributions install /bin/login with
> SysV login options enabled.
>
> Slackware 8.0 and lower [tested with 8.0, 4.0, 3.3]
> has SysV options enabled with /bin/login and is
> vulnerable.
>
> SuSE 6.1 has SysV options enabled with /bin/login and
> is vulnerable.  I don't have a newer SuSE release, so
> others will need to verify. It would seem logical that
> SuSE 8.3 still includes the SysV login options
> enabled, and is probably vulnerable as well.


While it still may be a bad idea for a whole variety of reasons, the
sole fact that some implementations of /bin/login allow for
environment to be passed on to the shell after authentication does
not mean that the program is vulnerable to the problems as discovered
with the SysV derived implementations.

To be more precise (grep the source for the word "disaster" to find
the spot): The login programs in SuSE 6.0 and 6.1 gladly pass on
environment specified as

silence login: draht variable=value
Password:

up to a maximum number of 32 variables. If the args to the user name
do not contain a "=" character, the arguments will show up in the
environment as $L1, $L2, ... where arguments are separated by
whitespace and ",". An overflow does not happen, or please prove me
wrong.

For the login programs in SuSE distributions before and including 6.1
there is no such thing as "SysV login options enabled". Environment
passing is a non-configurable feature.
The SuSE Linux distributions 6.0 and 6.1 were the last ones without
PAM'ified authentication schemes. All newer distributions use PAM
authentication modules that do not pass on environment as specified
on the user input prompt (user + password prompting happens beyond
the scope of the login program).

SuSE Linux users who use a distribution before 6.4 are greatly
encouraged to upgrade to a new release since distributions before
SuSE Linux 6.4 have been discontinued a long while ago.


> Other distributions should be checked as well.  A
> quick way to check for SysV option capabilities is to
> type "login", then enter "root testenv1=test" at the
> login: prompt.  Supply your root passwd, and look for
> "testenv1" in the output of set.  If it's set, then
> your copy of /bin/login supports SysV options.....and
> is probably vulnerable. Follow similar procedure to
> find overflow possibility/specifics ;)
>
>
> Regards,
>
> Anton Rager
> a_rager@yahoo.com

Thanks,
Roman.
-- 
 -                                                                      -
| Roman Drahtmüller      <draht@suse.de> // "You don't need eyes to see, |
  SuSE GmbH - Security           Phone: //             you need vision!"
| Nürnberg, Germany     +49-911-740530 //           Maxi Jazz, Faithless |
 -                                                                      -
(7706245) /Roman Drahtmueller <draht@suse.de>/(Rewrapped)
Comment in text 7709315 by pof <pau@eSlack.org>
7709315 2001-12-21 18:22 +0100  /132 lines/ pof <pau@eSlack.org>
Sent by: joel@lysator.liu.se
Imported: 2001-12-21  20:43  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <20251>
Comment on text 7706245 by Roman Drahtmueller <draht@suse.de>
Subject: Re: Linux distributions and /bin/login overflow
------------------------------------------------------------
From: pof <pau@eSlack.org>
To: bugtraq@securityfocus.com
Message-ID: <20011221182236.3b3e4e4c.pau@eSlack.org>

On Thu, 20 Dec 2001 06:21:10 +0100 (MET)
"Roman Drahtmueller" <draht@suse.de> wrote:

> 
> > Hello,
> 
> Hello, too!
> 

Hello again :^)

> [...]
> 
> > It seems that while Redhat Linux and Caldera Linux
> > distributions are immune to the recent /bin/login
> > environ overflow, other Linux distributions are not.
> > Several Linux distributions install /bin/login with
> > SysV login options enabled.
> >
> > Slackware 8.0 and lower [tested with 8.0, 4.0, 3.3]
> > has SysV options enabled with /bin/login and is
> > vulnerable.
> >

As Roman said with SuSE, Slackware is also not vulnerable to
/bin/login overflow. Explanation follows.

Slackware 8 comes with shadow-19990827 package and a non-pamified
authentication scheme.  In shadow-19990827/libmisc/loginprompt.c
line 133 you can find this piece of code:

   /*
    * This is a disaster, at best.  The user may have entered extra
    * environmental variables at the prompt.  There are several ways
    * to do this, and I just take the easy way out.
    */

   if (*cp != '\0') {      /* process new variables */
      char *nvar;
      int count = 1;

      for (envc = 0; envc < MAX_ENV; envc++) {
         nvar = strtok(envc ? (char *)0 : cp, " \t,");
         if (!nvar)
            break;
         if (strchr(nvar, '=')) {
            envp[envc] = nvar;
         } else {
            envp[envc] = xmalloc(strlen(nvar) + 32);
            sprintf(envp[envc], "L%d=%s", count++, nvar);
         }
      }
      set_env(envc, envp);
   }


which does what Roman has explained. So, this time it's not a bug, it
*is* a feature ;)

> > SuSE 6.1 has SysV options enabled with /bin/login and
> > is vulnerable.  I don't have a newer SuSE release, so
> > others will need to verify. It would seem logical that
> > SuSE 8.3 still includes the SysV login options
> > enabled, and is probably vulnerable as well.
> 
> 
> While it still may be a bad idea for a whole variety of reasons, the sole
> fact that some implementations of /bin/login allow for environment to be
> passed on to the shell after authentication does not mean that the
> program is vulnerable to the problems as discovered with the SysV derived
> implementations.
> 
> To be more precise (grep the source for the word "disaster" to find the
> spot): The login programs in SuSE 6.0 and 6.1 gladly pass on environment
> specified as
> 
> silence login: draht variable=value
> Password:
> 
> up to a maximum number of 32 variables. If the args to the user name do
> not contain a "=" character, the arguments will show up in the environment
> as $L1, $L2, ... where arguments are separated by whitespace and ",". An
> overflow does not happen, or please prove me wrong.
> 
> For the login programs in SuSE distributions before and including 6.1
> there is no such thing as "SysV login options enabled". Environment
> passing is a non-configurable feature.
> The SuSE Linux distributions 6.0 and 6.1 were the last ones without
> PAM'ified authentication schemes. All newer distributions use PAM
> authentication modules that do not pass on environment as specified on
> the user input prompt (user + password prompting happens beyond the scope
> of the login program).
> 
> SuSE Linux users who use a distribution before 6.4 are greatly encouraged
> to upgrade to a new release since distributions before SuSE Linux 6.4 have
> been discontinued a long while ago.
> 
> 
> > Other distributions should be checked as well.  A
> > quick way to check for SysV option capabilities is to
> > type "login", then enter "root testenv1=test" at the
> > login: prompt.  Supply your root passwd, and look for
> > "testenv1" in the output of set.  If it's set, then
> > your copy of /bin/login supports SysV options.....and
> > is probably vulnerable. Follow similar procedure to
> > find overflow possibility/specifics ;)
> >
> >
> > Regards,
> >
> > Anton Rager
> > a_rager@yahoo.com
> 
> Thanks,
> Roman.
> -- 
>  -                                                                      -
> | Roman Drahtmüller      <draht@suse.de> // "You don't need eyes to see, |
>   SuSE GmbH - Security           Phone: //             you need vision!"
> | Nürnberg, Germany     +49-911-740530 //           Maxi Jazz, Faithless |
>  -                                                                      -


-- 
===========================================
Name: Pau Oliva     - Email: pau@eSlack.org
Linux user: #97195  - BSD user:  #BSD050609
WWW: www.eSlack.org - WWW:   pof.eSlack.org
===========================================
(7709315) /pof <pau@eSlack.org>/----------(Rewrapped)
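The prompt-parsing loop pof quotes, re-implemented as a runnable C example (added here; not shadow's code and not either poster's) so the bound Roman describes can be checked directly: MAX_ENV is the 32-variable cap from the thread, and check_line and cap_demo are assumed helper names that feed constructed prompt input through the parser and report what the last kept entry looks like.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define MAX_ENV 32   /* the "maximum number of 32 variables" from the thread */

/* Re-implementation of the quoted loginprompt.c logic (added example, not
 * shadow's code).  Tokens with '=' pass through; others become L1=, L2=, ...
 * Stops after MAX_ENV entries.  strtok edits cp in place, as in the original. */
int parse_login_env(char *cp, char **envp)
{
    int envc, count = 1;
    char *nvar;
    for (envc = 0; envc < MAX_ENV; envc++) {
        nvar = strtok(envc ? NULL : cp, " \t,");
        if (!nvar)
            break;
        if (strchr(nvar, '=')) {
            envp[envc] = nvar;
        } else {
            /* "L" + at most 2 digits + "=" + NUL is 5 bytes, so the original's
             * strlen(nvar) + 32 allocation always fits: there is no overflow. */
            size_t len = strlen(nvar) + 32;
            envp[envc] = malloc(len);
            if (!envp[envc]) { perror("malloc"); exit(1); }
            snprintf(envp[envc], len, "L%d=%s", count++, nvar);
        }
    }
    return envc;
}

/* Parse a copy of a constructed prompt tail; return the entry count if the
 * last entry equals want_last, else -1.  Entries are not freed, as in login. */
int check_line(const char *line, const char *want_last)
{
    char buf[1024], *envp[MAX_ENV];
    snprintf(buf, sizeof buf, "%s", line);
    int n = parse_login_env(buf, envp);
    return (n > 0 && strcmp(envp[n - 1], want_last) == 0) ? n : -1;
}

/* Feed nwords bare words "w1 w2 ..." (constructed) and expect the last kept
 * entry to be L<k>=w<k> with k = min(nwords, MAX_ENV): the cap, not an overflow. */
int cap_demo(int nwords)
{
    char many[512] = "", w[12], want[32];
    int k = nwords < MAX_ENV ? nwords : MAX_ENV;
    for (int i = 1; i <= nwords; i++) { snprintf(w, sizeof w, "w%d ", i); strcat(many, w); }
    snprintf(want, sizeof want, "L%d=w%d", k, k);
    return check_line(many, want);
}
```

Feeding 40 bare words yields exactly 32 entries ending in L32=w32, which is the behaviour both replies describe: the extra input is dropped, not written past a buffer.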