Bugtraq mailing list archives

Re: FreeBSD 2.2.5 Security problem

From: eivind () YES NO (Eivind Eklund)
Date: Mon, 4 Jan 1999 00:42:37 +0100


On Sat, Jan 02, 1999 at 04:14:22PM -0600, Missouri FreeNet Administration wrote:

Greetings, how is everyone after the 30 day pig-out? ;-0

We originally posted this problem to the FreeBSD GNATS system on
December 20th, and still haven't heard so much as an acknowledgement
of the report (GNATS#: i386/9141).  I figured with the holidays, they
were all busy, and would [eventually] get to it, but today I checked
and saw that several GNATS reports on either side of this one (some
as recent as today) have been looked at, processed, and even closed!
So...


The PR was misfiled; it was filed as a i386 PR (meaning a bug
in the i386-specific code of FreeBSD).

Apart from this, the PR system is not an effective way of reporting
security problems.  The right way to report a security problem is to
mail security-officer () FreeBSD ORG.

FreeBSD 2.2.5-R (other rev's not tested) fail to log penetration attempts
on quiescent systems properly when using syslog (to any target).  Failed
login attempts (*any* number of them) will not be reported until a user name
which is *different* from the failed name is entered.  For example, I can
attempt to penetrate the root password *all day long* without getting a
syslog report, provided a name other than root is not entered.  The reson
for this is that there is an attempt to de-verbosify syslog reporting in
FBSD which accumulates a counter for events, and then reports a cumulative
total.  In this attempt to save verbiage, they are tallying all the failed
attempts, *rather* than *reporting* them!


Your "*any* number" is incorrect.  The correct answer is "10", unless
you've changed the default for your login class in /etc/login.conf.
After 10 attempted logins, the problem will be logged by the part of
login that check for attacks.

This is (obviously) not going to be an issue on a busy system, as
*someone* other than the target account is likely to log in and flush the
counter report, but on a selected system, such as a name server, this
could be a devastating flaw...


The limit is on a per-login-execution basis.  As long as the attacker
has the tty for that execution of login, it will not matter if
somebody else log in.

However, looking carefully at the code, I do notice that there is a
bug whereby a 'silent attack' could be done (though not at all like
you've stated above).  I think I fixed this problem in rev 1.44 of
login.c:

Index: login.c
===================================================================
RCS file: /home/ncvs/src/usr.bin/login/login.c,v
retrieving revision 1.43
diff -u -r1.43 -r1.44 login.c
--- login.c     1998/11/21 02:22:14     1.43
+++ login.c     1999/01/03 23:22:05
@@ -111,6 +111,9 @@
  */
 u_int  timeout = 300;

+/* Buffer for signal handling of timeout */
+jmp_buf timeout_buf;
+
 struct passwd *pwd;
 int    failures;
 char   *term, *envinit[1], *hostname, *username, *tty;
@@ -132,15 +135,23 @@
        time_t warntime;
        uid_t uid, euid;
        char *domain, *p, *ttyn;
-       char tbuf[MAXPATHLEN + 2], tname[sizeof(_PATH_TTY) + 10];
+       char tbuf[MAXPATHLEN + 2];
+       char tname[sizeof(_PATH_TTY) + 10];
        char localhost[MAXHOSTNAMELEN];
        char *shell = NULL;
        login_cap_t *lc = NULL;

-       (void)signal(SIGALRM, timedout);
-       (void)alarm(timeout);
        (void)signal(SIGQUIT, SIG_IGN);
        (void)signal(SIGINT, SIG_IGN);
+       if (setjmp(timeout_buf)) {
+               if (failures)
+                       badlogin(tbuf);
+               (void)fprintf(stderr,
+                             "Login timed out after %d seconds\n", timeout);
+               exit(0);
+       }
+       (void)signal(SIGALRM, timedout);
+       (void)alarm(timeout);
        (void)setpriority(PRIO_PROCESS, 0, 0);

        openlog("login", LOG_ODELAY, LOG_AUTH);
@@ -250,7 +261,6 @@
                if (failures && strcmp(tbuf, username)) {
                        if (failures > (pwd ? 0 : 1))
                                badlogin(tbuf);
-                       failures = 0;
                }
                (void)strncpy(tbuf, username, sizeof tbuf-1);
                tbuf[sizeof tbuf-1] = '\0';
@@ -769,8 +779,7 @@
 timedout(signo)
        int signo;
 {
-       (void)fprintf(stderr, "Login timed out after %d seconds\n", timeout);
-       exit(0);
+       longjmp(timeout_buf, signo);
 }


@@ -829,6 +838,7 @@
                    "%d LOGIN FAILURE%s ON %s, %s",
                    failures, failures > 1 ? "S" : "", tty, name);
        }
+       failures = 0;
 }

 #undef UNKNOWN


Eivind.

Current thread:

Re: PATH variable in zip-slackware 2.0.35, (continued)
- - - Re: PATH variable in zip-slackware 2.0.35 kay (Jan 02)
    - Re: PATH variable in zip-slackware 2.0.35 Karl Stevens (Jan 05)
    - Re: PATH variable in zip-slackware 2.0.35 kay (Jan 06)
    - l0phtcrack 2.5 released The Forlorn (Jan 04)
  - Re: PATH variable in zip-slackware 2.0.35 kay (Jan 02)
  - SUN almost has a clue! (automountd) Corruptio Optimi Pessima (Jan 04)
    - Re: SUN almost has a clue! (automountd) Casper Dik (Jan 05)
  - January SysAdmin EY script DoS bug. Jan B. Koum (Jan 04)
  - Win95/98 SMB Authentication Vulnerability (fwd) Weld Pond (Jan 04)
- FreeBSD 2.2.5 Security problem Missouri FreeNet Administration (Jan 02)
  - Re: FreeBSD 2.2.5 Security problem Eivind Eklund (Jan 03)
  - Re: FreeBSD 2.2.5 Security problem User NEAL (Jan 03)
- Re: Comparison of THC-SCAN v2.0 with Sandstorm PhoneSweep 1.02 vh (Jan 02)