Bugtraq mailing list archives
Re: Linux distributions and /bin/login overflow
From: Roman Drahtmueller <draht () suse de>
Date: Thu, 20 Dec 2001 06:21:10 +0100 (MET)
Hello,
Hello, too! [...]
It seems that while Redhat Linux and Caldera Linux distributions are immune to the recent /bin/login environ overflow, other Linux distributions are not. Several Linux distributions install /bin/login with SysV login options enabled. Slackware 8.0 and lower [tested with 8.0, 4.0, 3.3] has SysV options enabled with /bin/login and is vulnerable. SuSE 6.1 has SysV options enabled with /bin/login and is vulnerable. I don't have a newer SuSE release, so others will need to verify. It would seem logical that SuSE 8.3 still includes the SysV login options enabled, and is probably vulnerable as well.
While it still may be a bad idea for a whole variety of reasons, the sole fact that some implementations of /bin/login allow for environment to be passed on to the shell after authentification does not mean that the program is vulnerable to the problems as discovered with the SysV derived implementations. To be more precise (grep the source for the word "disaster" to find the spot): The login programs in SuSE 6.0 and 6.1 gladly pass on environment specified as silence login: draht variable=value Password: up to a maximum number of 32 variables. If the args to the user name do not contain a "=" character, the arguments will show up in the environment as $L1, $L2, ... where arguments are seperated by whitespace and ",". An overflow does not happen, or please prove me wrong. For the login programs in SuSE distributions before and including 6.1 there is no such thing as "SysV login options enabled". Environment passing is a non-configurable feature. The SuSE Linux distributions 6.0 and 6.1 were the last ones without PAM'ified authentification schemes. All newer distributions use PAM authentification modules that do not pass on environment as specified on the user input prompt (user + password prompting happens beyond the scope of the login program). SuSE Linux users who use a distribution before 6.4 are greatly encouraged to upgrade to a new release since distributions before SuSE Linux 6.4 have been discontinued a long while ago.
Other distributions should be checked as well. A quick way to check for SysV option capabilities is to type "login", then enter "root testenv1=test" at the login: prompt. Supply your root passwd, and look for "testenv1" in the output of set. If it's set, then your copy of /bin/login supports SysV options.....and is probably vulnerable. Follow similar procedure to find overflow possibility/specifics ;) Regards, Anton Rager a_rager () yahoo com
Thanks, Roman. -- - - | Roman Drahtmüller <draht () suse de> // "You don't need eyes to see, | SuSE GmbH - Security Phone: // you need vision!" | Nürnberg, Germany +49-911-740530 // Maxi Jazz, Faithless | - -
Current thread:
- Linux distributions and /bin/login overflow Anton Rager (Dec 19)
- Re: Linux distributions and /bin/login overflow Roman Drahtmueller (Dec 20)
- Re: Linux distributions and /bin/login overflow pof (Dec 21)
- Re: Linux distributions and /bin/login overflow Roman Drahtmueller (Dec 20)