Bugtraq mailing list archives

denial of service attack on login


From: nuno () dux isec pt (NuNO)
Date: Mon, 2 Dec 1996 03:45:06 +0100


 The following denial of service attack seems to work on the systems listed
below with the standard login application.

        joe$ nvi /var/log/wtmp

        [ Now no-one else can log in ]

This is a problem with advisory locking: anyone can create an exclusive
lock on a file they can only read!

Known affected systems (maybe others):
        .Red Hat 3.0.3
        .Debian 1.2


The bug exists up through the recently released util-linux-2.6.  Here is
a patch which removes the locking.

--- util-linux-2.6/login-utils/login.c.orig     Thu Nov  7 06:26:15 1996
+++ util-linux-2.6/login-utils/login.c  Fri Nov 29 16:12:24 1996
@@ -628,9 +628,10 @@
                endutent();

                if((wtmp = open(_PATH_WTMP, O_APPEND|O_WRONLY)) >= 0) {
-                       flock(wtmp, LOCK_EX);
+/* Locking wtmp allows for trivial denial of service attack by nvi */
+/*                     flock(wtmp, LOCK_EX); */
                        write(wtmp, (char *)&ut, sizeof(ut));
-                       flock(wtmp, LOCK_UN);
+/*                     flock(wtmp, LOCK_UN); */
                        close(wtmp);
                }
        }
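Review bot: with the two flock() calls gone, the `write(wtmp, (char *)&ut, sizeof(ut));` in this hunk is the only thing standing between concurrent logins and the record file, and its return value is still unchecked; a short write or an EINTR here leaves a truncated record that every later wtmp reader will misparse. Check the return and retry on a partial write, and rather than leaving the locking as commented-out code, delete it and document in a comment why it is safe to omit: the descriptor is opened O_APPEND|O_WRONLY a few lines up, and on a local filesystem that makes each whole-record write land at end-of-file without interleaving (O_APPEND does not give that guarantee on NFS, which is worth stating next to the removed lock).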

[mod: WARNING: UNTESTED CODE, MANUALLY FABRICATED PATCH AHEAD.
Anybody dare to test the following?:

--- util-linux-2.6/login-utils/login.c.orig     Thu Nov  7 06:26:15 1996
+++ util-linux-2.6/login-utils/login.c  Sat Nov 30 11:22:15 1996
@@ -628,6 +628,8 @@
                endutent();

                if((wtmp = open(_PATH_WTMP, O_APPEND|O_WRONLY)) >= 0) {
+/* Locking wtmp allows for trivial denial of service attack by nvi */
+                       alarm (3);
                        flock(wtmp, LOCK_EX);
                        write(wtmp, (char *)&ut, sizeof(ut));
                        flock(wtmp, LOCK_UN);
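Review bot: `alarm (3);` on its own does not make the following `flock(wtmp, LOCK_EX);` give up. The hunk installs no SIGALRM handler, so with the default disposition the signal terminates the login process after three seconds, turning the hang into a killed login; and when the lock is obtained in time nothing calls alarm(0) afterwards, so the pending alarm fires later during session setup. To get "force the lock if we can't get it", install a SIGALRM handler via sigaction() without SA_RESTART so the blocked flock() returns -1 with errno EINTR, call alarm(0) immediately after flock() returns on either path, and then proceed to the write(); alternatively poll flock(wtmp, LOCK_EX|LOCK_NB) against a deadline, which needs no signal handling at all.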

This is the simple "force the lock if we can't get it" solution.  If
your wtmp is on an ext2fs, it is pretty unlikely that the solution
"without locking" will corrupt anything. However there are race
conditions in the ext2fs_write_file code that would allow an entry
to get overwritten in special circumstances. -- REW]

                  _ . o O 0 [NuNO] 0 O o . _
 +--------------                              --------------+
 |                                                          |
 | Nuno Andre Henriques Loureiro                            |
 | -=[ http://irc.ualg.pt/~nloureir  ]=-                    |
 |                                                          |
 | Nucleo de Investigacao e Apoio Informatico               |
 | Universidade do Algarve                                  |
 | Campus de Gambelas, Sala C2,                             |
 | 8000 FARO                         [Pager: 0943 124248]   |
 |                                                          |
 +--*'^'~*-,._.,-*~> nloureir () irc ualg pt <~*-,._.,-*~'^'~*-+
  |||                    nuno () dux isec pt                 |||
   |                                                       |
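The attack and one bounded-wait alternative to login's bare flock(LOCK_EX), written out as an added example; this is not code from the post, from util-linux, or from the moderator's patch. It assumes Linux/glibc, uses a scratch file under /tmp as a stand-in for /var/log/wtmp, a fixed 32-byte buffer as a stand-in for struct utmp, and a LOCK_NB polling loop (my choice, not the alarm(3) approach above) to put a ceiling on how long a writer waits before forcing the append. The first half shows that a read-only open is enough to take the exclusive advisory lock that blocks a writer, which is exactly what "joe$ nvi /var/log/wtmp" does; the second half shows the writer giving up after the timeout and appending anyway.

```c
/* Added example (not from the original post or util-linux): the wtmp
 * advisory-lock DoS and a bounded-wait appender.  Linux/glibc assumed. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/file.h>
#include <sys/stat.h>
#include <time.h>
#include <unistd.h>

static void sleep_ms(long ms)
{
    struct timespec ts = { ms / 1000, (ms % 1000) * 1000000L };
    nanosleep(&ts, NULL);
}

/* Attacker side: a read-only open (all wtmp grants to "joe") is enough to
 * take an exclusive advisory lock.  Returns the fd holding it, or -1. */
int hold_readonly_exclusive_lock(const char *path)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    if (flock(fd, LOCK_EX) != 0) { close(fd); return -1; }
    return fd;
}

/* Returns 1 if an independent open of the file cannot get LOCK_EX, i.e.
 * a writer like login's flock(wtmp, LOCK_EX) would block here. */
int writer_is_blocked(const char *path)
{
    int fd = open(path, O_APPEND | O_WRONLY);
    if (fd < 0) return -1;
    int r = flock(fd, LOCK_EX | LOCK_NB);
    int blocked = (r != 0 && errno == EWOULDBLOCK);
    if (r == 0) flock(fd, LOCK_UN);
    close(fd);
    return blocked;
}

/* Hardened appender: poll LOCK_EX|LOCK_NB for at most timeout_ms, then
 * append the record anyway (O_APPEND puts the single write at end-of-file
 * on a local filesystem).  Returns 1 if locked normally, 0 if the lock
 * was forced, -1 on a failed or short write. */
int append_record_bounded(const char *path, const void *rec, size_t len,
                          long timeout_ms)
{
    int fd = open(path, O_APPEND | O_WRONLY);
    if (fd < 0) return -1;
    int locked = 0;
    for (long waited = 0; ; waited += 50) {
        if (flock(fd, LOCK_EX | LOCK_NB) == 0) { locked = 1; break; }
        if (errno != EWOULDBLOCK || waited >= timeout_ms) break;
        sleep_ms(50);
    }
    ssize_t n = write(fd, rec, len);   /* checked, unlike the original */
    if (locked) flock(fd, LOCK_UN);
    close(fd);
    return (n == (ssize_t)len) ? locked : -1;
}

/* Scratch "wtmp": world-readable, writable only by us, like the real one. */
int make_scratch_wtmp(char *buf, size_t buflen)
{
    snprintf(buf, buflen, "/tmp/wtmp-lock-demo.%ld", (long)getpid());
    int fd = open(buf, O_CREAT | O_TRUNC | O_WRONLY, 0644);
    if (fd < 0) return -1;
    close(fd);
    return 0;
}

long file_size(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? (long)st.st_size : -1;
}

/* Whole scenario; returns 0 on the expected outcome, else the failing step. */
int run_demo(void)
{
    char path[64];
    char rec[32] = "login-record";                 /* stand-in for struct utmp */
    if (make_scratch_wtmp(path, sizeof path) != 0) return 1;
    int held = hold_readonly_exclusive_lock(path);  /* joe$ nvi /var/log/wtmp */
    if (held < 0) return 2;
    if (writer_is_blocked(path) != 1) return 3;     /* stock login hangs here */
    if (append_record_bounded(path, rec, sizeof rec, 200) != 0) return 4;
    if (file_size(path) != (long)sizeof rec) return 5;
    close(held);                                    /* joe quits nvi */
    if (writer_is_blocked(path) != 0) return 6;
    if (append_record_bounded(path, rec, sizeof rec, 200) != 1) return 7;
    if (file_size(path) != 2 * (long)sizeof rec) return 8;
    unlink(path);
    return 0;
}

int main(void)
{
    int r = run_demo();
    printf("demo %s (step %d)\n", r == 0 ? "ok" : "failed", r);
    return r;
}
```

The polling loop trades a little latency for not having to reason about signal disposition and restartable syscalls; the forced write still relies on O_APPEND, so the same NFS caveat applies to it as to the unlocked patch.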


