[1634] in linux-security and linux-alert archive

home help back first fref pref prev next nref lref last post

[linux-alert] Re: [linux-security] rlogin authentication bug

daemon@ATHENA.MIT.EDU (Andrew G. Morgan)
Thu Oct 2 06:38:36 1997

From: "Andrew G. Morgan" <morgan@parc.power.net>
To: linux-security@redhat.com
Date: Wed, 1 Oct 1997 22:50:27 -0700 (PDT)
Cc: langford@karman.tam.uiuc.edu
In-Reply-To: <199709301603.LAA19618@karman.tam.uiuc.edu> from "Jacob A. Langford" at Sep 30, 97 11:03:05 am
Resent-From: linux-alert@redhat.com
Reply-To: linux-alert@redhat.com

Jacob A. Langford wrote:
> I have discovered a bug in the rhost module of Linux-PAM-0.57.  This
> bug leads to a vulnerability in the remote login authentication, with
> the effect that ordinary user accounts may not be password protected.  

The following patch is due to Savochkin Andrey Vladimirovich, it should fix
0.57's pam_rhosts module.  0.58 and 0.59 source is still alpha-code but
Andrey has posted a patch for these to the pam-list already.

Thanks for finding this bug!

Cheers

Andrew

RCS file: RCS/pam_rhosts_auth.c,v
retrieving revision 1.11
diff -u -r1.11 pam_rhosts_auth.c
--- pam_rhosts_auth.c   1997/04/05 06:26:39     1.11
+++ pam_rhosts_auth.c   1997/10/02 05:47:02
@@ -3,6 +3,7 @@
  * Modifications, Cristian Gafton 97/2/8
  * Modifications, Peter Allgeyer 97/3
  * Modifications (netgroups and fixes), Nicolai Langfeldt 97/3/21
+ * Security fix: 97/10/1 - gethostbyname called repeatedly without care
  *----------------------------------------------------------------------
  * Copyright (c) 1983, 1993, 1994
  *     The Regents of the University of California.  All rights reserved.
@@ -524,25 +525,31 @@
 {
     struct hostent *hp;
     int answer = 1;                             /* default to failure */
-    u_long addr;
-    char **ap;
+    u_long *addrs;
+    int n, i;
 
     opts->last_error = (char *) 0;
     hp               = gethostbyname(rhost);         /* identify host */
 
     if (hp != NULL) {
-       ap = hp->h_addr_list;
-       while (*ap) {                     /* loop though address list */
-           memcpy (&addr, *ap, sizeof(addr));
-
-           /* check user on remote host */
-           if (iruserok(pamh, opts, addr, superuser, ruser, luser, rhost)
-               == 0) {
-               answer = 0;                                /* success */
-               break;
-           }
-           ++ap;
-       }
+        /* loop though address list */
+        for (n = 0; hp->h_addr_list[n]; n++);
+        D(("rhosts: %d addresses", n))
+
+        if (n) {
+            addrs = malloc (n * sizeof(*addrs));
+            for (i = 0; i < n; i++)
+                memcpy (addrs+i, hp->h_addr_list[i], sizeof(*addrs));
+
+            for (i = 0; i < n && answer; i++) {
+                D(("rhosts: address %d is %04x", i, addrs[i]))
+                answer = iruserok(pamh, opts, addrs[i], superuser,
+                                  ruser, luser, rhost);
+                         /* answer == 0 means success */
+            }
+
+            free (addrs);
+        }
     }
 
     return answer;


-- 
               Linux-PAM, libpwdb, Orange-Linux and Linux-GSS
                  http://parc.power.net/morgan/index.html


home help back first fref pref prev next nref lref last post