[163] in linux-security and linux-alert archive
Hey, I have a big one.
daemon@ATHENA.MIT.EDU (Alvaro M. Echevarria)
Tue Mar 14 06:22:44 1995
Date: Tue, 14 Mar 1995 09:28:42 +0100
From: "Alvaro M. Echevarria" <mtl94033@oasis.dit.upm.es>
To: linux-security@tarsier.cv.nrao.edu
Cc: mtl94033@oasis.dit.upm.es
[mod: This glitch is still present in libc-4.6.27. The NYS library seems
to check for it, though. --okir]
Hi. A while ago I discovered a really big security hole affecting the
libraries and yellow pages. Although it is a problem of the libraries,
it actually makes login and su dangerous. This is the problem: to
get yellow pages to work, the standard says you need to have a +::0:0:::
or a +:*:0:0::: at the end of the /etc/passwd file (I know in Linux that
is not necessary, but I think most system administrators still do it
that way). The problem is that library functions getpwnam, etc., consider
'+' as a normal user, so if you have +::0:0::: in /etc/passwd, what you
really have is a passwordless root. So, as login/su don't test whether a
username begins with a +, guess what happens?
I contacted the author of login (Peter Orbaek, poe@daimi.aau.dk),
and he has released a new version that tests for usernames starting with
+. However, I have not been able to report the bug to GNU (responsible for
su) or to the maintainers of the libraries. So here goes the patch for su.c:
270a271,276
> /* If username starts with +, it is not valid, as it is the anchor for
> yellow pages. Otherwise, we have a gigantic security hole. This is just
> a dirty hack to fix it, as this should be fixed in the libraries instead
> of programs. Feb 95. <alvaro@etsit.upm.es> */
> if (new_user[0]=='+')
> error (1, 0, "user %s does not exist", new_user);
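Review bot: the check at the added `if (new_user[0]=='+')` rejects only the '+' anchor, but the NIS compat syntax in /etc/passwd also uses a leading '-' for exclusion entries, and a library that treats '+' as an ordinary name will treat '-' the same way; consider `if (new_user[0]=='+' || new_user[0]=='-')`, and an explicit rejection of an empty new_user while you are there. The comment already says this is a caller-side hack and that the real fix belongs in the libraries, which is the right thing to document, since every other getpwnam() caller on the system is still exposed.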
By the way, I sent a report to root@cert.org a month ago, and I haven't
received a single word from there. I don't know if I used the correct
address, but anyway, I suspect that someone deleted my message after
reading "linux" on the subject... :-) who cares.
Regards.
Alvaro Martinez Echevarria
MADRID---------------SPAIN
mtl94033@oasis.dit.upm.es
alvaro@etsit.upm.es
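The '+' entry problem the mail describes, as an added example that is not code from the mail or from login, su or any libc. It parses a constructed in-memory /etc/passwd (placeholder hashes, not real ones) with a toy getpwnam()-style lookup, shows that the naive lookup returns "+::0:0:::" as a uid 0 entry whose empty password field accepts the empty password, and puts the caller-side check from the su.c patch next to it. The hardened lookup also rejects a leading '-' (the NIS compat exclusion marker, which the mail does not mention) and an empty name; the "empty password field accepts the empty password" rule is a simplified model of the login/su behaviour of the time, not a copy of either program.

```c
/* Added example, not code from the mail above or from login, su or any libc:
 * a toy getpwnam()-style lookup over a constructed in-memory /etc/passwd that
 * shows why "+::0:0:::" behaves like a passwordless root account when '+' is
 * treated as an ordinary user name, and the caller-side check that fixes it. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample /etc/passwd; the hash fields are placeholders. */
static const char *const SAMPLE_PASSWD[] = {
    "root:AbCdEfGhIjKlM:0:0:root:/root:/bin/sh",
    "alvaro:NoPqRsTuVwXyZ:1000:100:Alvaro:/home/alvaro:/bin/sh",
    "+::0:0:::",                /* NIS anchor: empty password field, uid 0 */
    NULL
};

struct pw { char name[64]; char passwd[128]; int uid; int gid; };

static int copy_field(char *dst, size_t dstsz, const char *src, size_t len)
{
    if (len >= dstsz) return -1;
    memcpy(dst, src, len);
    dst[len] = '\0';
    return 0;
}

static int parse_int(const char *src, size_t len, int *out)
{
    char buf[16], *end;
    if (copy_field(buf, sizeof buf, src, len) < 0 || buf[0] == '\0') return -1;
    *out = (int)strtol(buf, &end, 10);
    return *end == '\0' ? 0 : -1;
}

/* Split "name:passwd:uid:gid:gecos:dir:shell" on ':' by hand rather than with
 * strtok(), so the empty password field of the '+' line is kept, not skipped. */
static int parse_line(const char *line, struct pw *out)
{
    const char *fields[7], *p = line;
    size_t lens[7];
    int i;
    for (i = 0; i < 7; i++) {
        const char *colon = strchr(p, ':');
        fields[i] = p;
        if (colon == NULL) { lens[i] = strlen(p); break; }
        lens[i] = (size_t)(colon - p);
        p = colon + 1;
    }
    if (i != 6) return -1;                          /* exactly seven fields */
    if (copy_field(out->name, sizeof out->name, fields[0], lens[0]) < 0) return -1;
    if (copy_field(out->passwd, sizeof out->passwd, fields[1], lens[1]) < 0) return -1;
    if (parse_int(fields[2], lens[2], &out->uid) < 0) return -1;
    return parse_int(fields[3], lens[3], &out->gid);
}

/* Naive lookup, mimicking the libc behaviour the mail describes: the '+' line
 * is compared like any other entry, so the name "+" matches it. */
static int naive_getpwnam(const char *name, struct pw *out)
{
    int i;
    for (i = 0; SAMPLE_PASSWD[i] != NULL; i++)
        if (parse_line(SAMPLE_PASSWD[i], out) == 0 && strcmp(out->name, name) == 0)
            return 1;
    return 0;
}

/* Hardened lookup: the check the su.c patch adds on the caller side, plus the
 * '-' prefix (the NIS compat exclusion marker, which the mail does not
 * mention) and the empty name. */
static int safe_getpwnam(const char *name, struct pw *out)
{
    if (name[0] == '\0' || name[0] == '+' || name[0] == '-') return 0;
    return naive_getpwnam(name, out);
}

/* Simplified model of the login/su rule of the time: an empty password field
 * accepts the empty password. Returns 1 if "name" would get in that way. */
static int empty_password_accepted(int (*lookup)(const char *, struct pw *),
                                   const char *name)
{
    struct pw p;
    return lookup(name, &p) && p.passwd[0] == '\0';
}

/* uid the lookup returns for name, or -1 when it finds no entry. */
static int uid_of(int (*lookup)(const char *, struct pw *), const char *name)
{
    struct pw p;
    return lookup(name, &p) ? p.uid : -1;
}

int main(void)
{
    printf("naive: uid_of(\"+\")=%d empty password accepted=%d\n",
           uid_of(naive_getpwnam, "+"), empty_password_accepted(naive_getpwnam, "+"));
    printf("safe:  uid_of(\"+\")=%d empty password accepted=%d\n",
           uid_of(safe_getpwnam, "+"), empty_password_accepted(safe_getpwnam, "+"));
    return 0;
}
```

The field splitter is written by hand on purpose: strtok() collapses the empty password field of "+::0:0:::" and would misalign the uid, which hides exactly the entry under discussion. The caller-side check is the same band-aid the patch applies to su; as the mail says, the durable fix is for the library's lookup to stop returning the anchor line at all, since any other program calling getpwnam() is still exposed.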