[585] in linux-security and linux-alert archive

Re: Shadow /bin/login security hole

daemon@ATHENA.MIT.EDU (JF Haugh)
Mon Jan 29 19:31:16 1996

From: jfh@austin.ibm.com (JF Haugh)
To: marekm@i17linuxb.ists.pwr.wroc.pl (Marek Michalkiewicz)
Date: Mon, 29 Jan 1996 13:09:14 -0600 (CST)
Cc: linux-security@tarsier.cv.nrao.edu, shadow-list@neptune.cin.net,
        big-linux@netspace.org, jfh@austin.ibm.com
In-Reply-To: <199601291638.RAA23321@i17linuxb.ists.pwr.wroc.pl> from "Marek Michalkiewicz" at Jan 29, 96 05:38:41 pm

> Probably all versions of the Shadow Password Suite, as used on many
> Linux systems, have a serious security hole in the login program.  It
> is possible to overwrite the stack by entering a long user name at
> the login prompt.  This potentially allows remote users to gain root
> privileges.  No prior access to the vulnerable system is necessary.

I'd honestly like to know if anyone has heard a report of this occurring,
in part because of the isgraph() call in the conditional part of the for() loop.
I realize you can certainly trash the stack (maybe that explains some
mystery core dumps ...), but I'm wondering how many op-codes or return
address locations you can jump to if you can't enter non-printable
characters at the prompt ...

Feel free to send your response to me directly either here or at home,
jfh@rpp386.cactus.org.
-- 
JF Haugh                               |    GCS s++: C++++$ UBLAVOC*++++(on)$
Open Interface Development             |    P+@ L++>$ E--- W>$ N>$ K+++ w+ O$@
PSP Division, IBM/Austin, Texas        |    V-- PS+++ PE++ PGP@ tv@ b++@ d a o
Bldg 903/2D017, 512-823-8817 (Tie 793) |    DI++++ G e++ h----$ r+++ z++++ t+
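Added example, not code from the shadow suite or from either poster: a constructed C sketch of the loop pattern discussed above (copying a login name until isgraph() fails, with no bounds check) next to a bounded version that rejects over-long names instead of writing past the buffer. LOGIN_NAME_MAX and the function names are assumptions, not the suite's own identifiers.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

#define LOGIN_NAME_MAX 32   /* assumed limit for the example, not shadow's constant */

/* Unbounded pattern (constructed): the only thing that stops the loop is
 * isgraph() failing, so a long run of printable characters keeps writing
 * past the end of whatever fixed-size buffer 'name' points at. The filter
 * limits which bytes land in the buffer, not how many. */
void read_name_unbounded(const char *input, char *name)
{
    char *cp = name;
    for (; isgraph((unsigned char)*input); input++)
        *cp++ = *input;          /* no check against the buffer size */
    *cp = '\0';
}

/* Bounded pattern: same isgraph() filter, but the loop also stops at the
 * buffer size, and an over-long name is rejected (return -1) rather than
 * silently truncated, so the caller can log it and fail the login. */
int read_name_bounded(const char *input, char *name, size_t namesz)
{
    size_t n = 0;
    if (namesz == 0)
        return -1;
    for (; isgraph((unsigned char)*input); input++) {
        if (n + 1 >= namesz) {   /* keep one byte for the terminator */
            name[0] = '\0';
            return -1;
        }
        name[n++] = *input;
    }
    name[n] = '\0';
    return (int)n;
}

/* Convenience wrapper with a stack buffer of the assumed size: returns the
 * accepted name length, or -1 when the input would not fit. */
int login_name_ok(const char *input)
{
    char name[LOGIN_NAME_MAX];
    return read_name_bounded(input, name, sizeof name);
}
```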
