Bugtraq mailing list archives
Rlogin vulnerability
From: zuc () merc iternet it (Gabriele Avosani)
Date: Wed, 28 Aug 1996 21:37:25 +0200
I was wondering about the veridicity of one of the latest linux-alert advisories. Lemme explain: here follows the complete advisory.

___________________________________________________________________________

This is an official update of the Linux security FAQ, and it is supposed to be signed by one of the following PGP keys:

    pub 1024/9ED505C5 1995/12/06 Jeffrey A. Uphoff <juphoff () nrao edu>
                                 Jeffrey A. Uphoff <jeff.uphoff () linux org>
        1024/EFE347AD 1995/02/17 Olaf Kirch <okir () monad swb de>
        1024/ADF3EE95 1995/06/08 Linux Security FAQ Primary Key <Alexander O. Yuriev>

Unless you are able to verify at least one of the signatures, please be very careful when following the instructions.

Linux Security WWW: http://bach.cis.temple.edu/linux/linux-security
linux-security & linux-alert mailing list archives: ftp://linux.nrao.edu/pub/linux/security/list-archive

=============================================================================

ABSTRACT

A vulnerability exists in the rlogin program of NetKit-B-0.6. This vulnerability affects several widely used Linux distributions, including RedHat Linux 2.0, 2.1 and derived systems including Caldera Network Desktop, Slackware 3.0 and others. This vulnerability is not limited to Linux or any other free UNIX systems. Both the information about this vulnerability and methods of its exploit were made available on the Internet.

RISK ASSESSMENT

Local and remote users could gain super-user privileges.

DISTRIBUTION FIXES

Red Hat Commercial Linux

Red Hat Linux version 2.0 and 2.1 contains the vulnerable program unless NetKit-B-0.06-7.i386.rpm was installed. In order to fix the vulnerability install the NetKit-B-0.06-7 rpm available from

    ftp://ftp.redhat.com/pub/redhat/old-releases/redhat-2.1/i386/updates/RPMS/NetKit-B-0.06-7.i386.rpm
    ftp://bach.cis.temple.edu/pub/Linux/security/DISTRIBUTION-FIXES/RedHat-2.1/NetKit-B-0.06-7.i386.rpm
    ftp://tarsier.cv.nrao.edu/pub/linux/security/DISTRIBUTION-FIXES/RedHat-2.1/NetKit-B-0.06-7.i386.rpm

Please verify the MD5 signature of the RPM prior to installing it.

    601c3f6137a6fb15ae61a6b817395040 NetKit-B-0.06-7.i386.rpm

Red Hat Linux version 3.0.3 (Picasso) does not contain the vulnerable rlogin program.

Caldera Network Desktop

Version 1 of CND contains the vulnerable program unless NetKit-B-0.06-4c1.i386.rpm was installed. This RPM is available from

    ftp://ftp.caldera.com/pub/cnd-1.0/updates/NetKit-B-0.06-4c1.i386.rpm
    ftp://bach.cis.temple.edu/pub/Linux/Security/DISTRIBUTION-FIXES/CND/NetKit-B-0.06-4c1.i386.rpm
    ftp://tarsier.cv.nrao.edu/pub/linux/security/DISTRIBUTION-FIXES/CND/NetKit-B-0.06-4c1.i386.rpm

Please verify the MD5 signature of the RPM prior to installing it.

    aeb2da201477cd3280fdc09836395c35 NetKit-B-0.06-4c1.i386.rpm

Version 1 of CND upgraded to RedHat Linux 3.0.3 (Picasso) does not contain a vulnerable program.

Debian

The Debian Project did not either confirm or deny the vulnerability of Debian/GNU Linux 1.1. Debian/GNU Linux systems may be vulnerable if NetKit-B-0.6 is installed. Until the official fix-kit is available for Debian/GNU Linux, system administrators of Debian systems are advised to follow the guidelines under the Other Linux Distributions section.

Slackware

The Slackware Linux distribution Version 3.0 is confirmed to be vulnerable unless a NetKit newer than NetKit-B-0.6 is installed. Until the official fix-kit is available for Slackware 3.0, system administrators are advised to follow the guidelines under the Other Linux Distributions section.

Yggdrasil

Yggdrasil Computing's Plug & Play Linux Fall'95 contains the vulnerable rlogin program. Adam J. Richter from Yggdrasil Computing made an unofficial fix-kit available at ftp.yggdrasil.com/pub/support/fall95/rlogin_fix/. We are unable to provide an MD5 signature for the fix kit as we are unable to verify the integrity of the message.

Other Linux Distributions

System administrators of systems based on other Linux distributions, or distributions that do not have official patch-kits available, are advised to install the newly released NetKit-B-0.7 available from

    ftp://ftp.uk.linux.org/pub/linux/Networking/base
    ftp://sunsite.unc.edu/pub/Linux/Incoming

CREDITS

This LSF Update is based on the information provided by Alan Cox. The first patch for the rlogin program was provided by Marc Ewing of Red Hat Software. Ron Holt of Caldera Inc provided the fixed RPM for Caldera Network Desktop within 3 hours after the initial contact. Adam J. Richter provided unofficial information about the unofficial fix-kit for Yggdrasil Plug and Play Linux Fall'95.

____________________________________________________________________________

As everybody can see, no info is given, none at all. So the only way is to check the differences between the old version of rlogin.c and the patched one. In the old one, I found this code interesting:

rlogin.c:

    ......
    char *host, *p, *user, term[1024];
    ......
    (void)strcpy(term, (p = getenv("TERM")) ? p : "network");  /* <---- always the same old story ??? */
    if (ioctl(0, TIOCGETP, &ttyb) == 0) {
        (void)strcat(term, "/");
        (void)strcat(term, speeds[ttyb.sg_ospeed]);
    ......

Well, if this was the only check, it should have been easy to hack it, but checking in rlogind.c, I found the following:

rlogind.c:

    #define ENVSIZE (sizeof("TERM=")-1)   /* skip null for concatenation */
    static char term[64] = "TERM=";
    ......
    getstr(term+ENVSIZE, sizeof(term)-ENVSIZE, "Terminal type too long");

It doesn't seem exploitable to me .. what does bugtraq think ?? Anyway, what follows is the new version of rlogin.c, the patched one:

rlogin.c:

    p = getenv("TERM");
    if (!p)
        p = "network";
    if (tcgetattr(0, &tios) == 0) {
        speed_t speed = cfgetispeed(&tios);
        snprintf(term, sizeof(term), "%.256s/%s", p, speeds[speed]);  /* <----- this is the way it should be done */
    } else
        snprintf(term, sizeof(term), "%.256s", p);

So I'm having a headache understanding where the flaw was; there was at least a bounds check ... Why, the hell, when someone wants to learn, is someone else concealing information? (Rhetorical question, sorry)

g.a.
Hack-It founder
hack-it () mail ibm it
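The two rlogin.c fragments quoted in the post are the whole story from a defender's side: the old client copies the local TERM environment variable into term[1024] with strcpy/strcat and nothing limits its length, while the getstr() bound in rlogind.c only applies to what the server reads from the network, so it does not constrain the client's own buffer. The following is an added example written for this page, not code from the post, from NetKit or from the LSF advisory. It reproduces the old pattern as a length computation (so the overflow condition can be checked without performing it) next to the patched snprintf("%.256s/%s") pattern, and runs both over a constructed 2000-byte TERM value. The names TERM_BUFSIZE, TERM_MAX_COPY, old_term_bytes_needed, old_term_fits, build_term_bounded, constructed_term, old_pattern_overflows and bounded_len_for are this example's own; the speed strings are ordinary entries such as "9600" and "38400".

```c
#include <stdio.h>
#include <string.h>

/* Added example for this page, not code from the post, from NetKit or
 * from the LSF advisory.  TERM_BUFSIZE mirrors the term[1024] array in
 * the old rlogin.c; TERM_MAX_COPY mirrors the %.256s precision in the
 * patched one.  All function names below are this example's own. */
#define TERM_BUFSIZE 1024
#define TERM_MAX_COPY 256

/* Bytes that strcpy(term, TERM); strcat(term, "/"); strcat(term, speed)
 * would write, NUL included.  Computed rather than performed, so the old
 * pattern can be checked against a buffer size without overrunning one. */
size_t old_term_bytes_needed(const char *termenv, const char *speed)
{
    return strlen(termenv) + 1 + strlen(speed) + 1;
}

/* 1 if the old unbounded pattern stays within bufsize, 0 if it would run
 * past the end: nothing in the old client limited strlen(TERM). */
int old_term_fits(const char *termenv, const char *speed, size_t bufsize)
{
    return old_term_bytes_needed(termenv, speed) <= bufsize;
}

/* The patched pattern: output bounded by both the %.256s precision and
 * the snprintf size.  speed may be NULL when the terminal speed is not
 * available (the tcgetattr-failed branch of the patched rlogin.c).
 * Returns the length actually stored, NUL excluded. */
size_t build_term_bounded(const char *termenv, const char *speed,
                          char *out, size_t outlen)
{
    int n;

    if (outlen == 0)
        return 0;
    if (termenv == NULL)
        termenv = "network";        /* same fallback as rlogin.c */
    if (speed != NULL)
        n = snprintf(out, outlen, "%.*s/%s", TERM_MAX_COPY, termenv, speed);
    else
        n = snprintf(out, outlen, "%.*s", TERM_MAX_COPY, termenv);
    if (n < 0) {
        out[0] = '\0';
        return 0;
    }
    /* snprintf reports what it wanted to write; clamp to what fit. */
    return (size_t)n < outlen ? (size_t)n : outlen - 1;
}

/* Constructed sample input: a TERM value of termlen 'A's (not a real
 * terminal name), built in a static buffer. */
static const char *constructed_term(size_t termlen)
{
    static char termenv[4096];

    if (termlen >= sizeof termenv)
        termlen = sizeof termenv - 1;
    memset(termenv, 'A', termlen);
    termenv[termlen] = '\0';
    return termenv;
}

/* 1 if the old pattern would overflow term[TERM_BUFSIZE] for a TERM of
 * termlen bytes plus "/" and speed. */
int old_pattern_overflows(size_t termlen, const char *speed)
{
    return !old_term_fits(constructed_term(termlen), speed, TERM_BUFSIZE);
}

/* Length the patched pattern stores for the same input: never more than
 * TERM_MAX_COPY + 1 + strlen(speed), and never more than TERM_BUFSIZE-1. */
size_t bounded_len_for(size_t termlen, const char *speed)
{
    char out[TERM_BUFSIZE];

    return build_term_bounded(constructed_term(termlen), speed, out, sizeof out);
}

int main(void)
{
    char out[TERM_BUFSIZE];
    size_t n = build_term_bounded("vt100", "38400", out, sizeof out);

    printf("normal TERM:   \"%s\" (%zu bytes)\n", out, n);
    printf("2000-byte TERM, old pattern overflows term[%d]: %s\n",
           TERM_BUFSIZE, old_pattern_overflows(2000, "9600") ? "yes" : "no");
    printf("2000-byte TERM, patched pattern stores %zu bytes\n",
           bounded_len_for(2000, "9600"));
    return 0;
}
```

With a 2000-byte TERM the old pattern needs 2006 bytes for a 1024-byte array, while the patched pattern stores 261 bytes (256 of TERM, the slash, and "9600") whatever the length of the environment value. The %.256s precision does the real work; the sizeof(term) argument to snprintf is the second line of defence in case the speed string were ever longer than expected.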