[1634] in linux-security and linux-alert archive
[linux-alert] Re: [linux-security] rlogin authentication bug
daemon@ATHENA.MIT.EDU (Andrew G. Morgan)
Thu Oct 2 06:38:36 1997
From: "Andrew G. Morgan" <morgan@parc.power.net>
To: linux-security@redhat.com
Date: Wed, 1 Oct 1997 22:50:27 -0700 (PDT)
Cc: langford@karman.tam.uiuc.edu
In-Reply-To: <199709301603.LAA19618@karman.tam.uiuc.edu> from "Jacob A. Langford" at Sep 30, 97 11:03:05 am
Resent-From: linux-alert@redhat.com
Reply-To: linux-alert@redhat.com
Jacob A. Langford wrote:
> I have discovered a bug in the rhost module of Linux-PAM-0.57. This
> bug leads to a vulnerability in the remote login authentication, with
> the effect that ordinary user accounts may not be password protected.
The following patch is due to Savochkin Andrey Vladimirovich, it should fix
0.57's pam_rhosts module. 0.58 and 0.59 source is still alpha-code but
Andrey has posted a patch for these to the pam-list already.
Thanks for finding this bug!
Cheers
Andrew
RCS file: RCS/pam_rhosts_auth.c,v
retrieving revision 1.11
diff -u -r1.11 pam_rhosts_auth.c
--- pam_rhosts_auth.c 1997/04/05 06:26:39 1.11
+++ pam_rhosts_auth.c 1997/10/02 05:47:02
@@ -3,6 +3,7 @@
* Modifications, Cristian Gafton 97/2/8
* Modifications, Peter Allgeyer 97/3
* Modifications (netgroups and fixes), Nicolai Langfeldt 97/3/21
+ * Security fix: 97/10/1 - gethostbyname called repeatedly without care
*----------------------------------------------------------------------
* Copyright (c) 1983, 1993, 1994
* The Regents of the University of California. All rights reserved.
@@ -524,25 +525,31 @@
{
struct hostent *hp;
int answer = 1; /* default to failure */
- u_long addr;
- char **ap;
+ u_long *addrs;
+ int n, i;
opts->last_error = (char *) 0;
hp = gethostbyname(rhost); /* identify host */
if (hp != NULL) {
- ap = hp->h_addr_list;
- while (*ap) { /* loop though address list */
- memcpy (&addr, *ap, sizeof(addr));
-
- /* check user on remote host */
- if (iruserok(pamh, opts, addr, superuser, ruser, luser, rhost)
- == 0) {
- answer = 0; /* success */
- break;
- }
- ++ap;
- }
+ /* loop though address list */
+ for (n = 0; hp->h_addr_list[n]; n++);
+ D(("rhosts: %d addresses", n))
+
+ if (n) {
+ addrs = malloc (n * sizeof(*addrs));
+ for (i = 0; i < n; i++)
+ memcpy (addrs+i, hp->h_addr_list[i], sizeof(*addrs));
+
+ for (i = 0; i < n && answer; i++) {
+ D(("rhosts: address %d is %04x", i, addrs[i]))
+ answer = iruserok(pamh, opts, addrs[i], superuser,
+ ruser, luser, rhost);
+ /* answer == 0 means success */
+ }
+
+ free (addrs);
+ }
}
return answer;
--
Linux-PAM, libpwdb, Orange-Linux and Linux-GSS
http://parc.power.net/morgan/index.html