[23593] in bugtraq
Re: Linux distributions and /bin/login overflow
daemon@ATHENA.MIT.EDU (pof)
Fri Dec 21 14:41:09 2001
Date: Fri, 21 Dec 2001 18:22:36 +0100
From: pof <pau@eSlack.org>
To: bugtraq@securityfocus.com
Message-Id: <20011221182236.3b3e4e4c.pau@eSlack.org>
In-Reply-To: <Pine.LNX.4.43.0112200541271.29704-100000@dent.suse.de>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
On Thu, 20 Dec 2001 06:21:10 +0100 (MET)
"Roman Drahtmueller" <draht@suse.de> wrote:
>
> > Hello,
>
> Hello, too!
>
Hello again :^)
> [...]
>
> > It seems that while Redhat Linux and Caldera Linux
> > distributions are immune to the recent /bin/login
> > environ overflow, other Linux distributions are not.
> > Several Linux distributions install /bin/login with
> > SysV login options enabled.
> >
> > Slackware 8.0 and lower [tested with 8.0, 4.0, 3.3]
> > has SysV options enabled with /bin/login and is
> > vulnerable.
> >
As Roman said with SuSE, Slackware is also not vulnerable to the /bin/login overflow. Explanation follows.
Slackware 8 comes with the shadow-19990827 package and a non-PAMified authentication scheme.
In shadow-19990827/libmisc/loginprompt.c line 133 you can find this piece of code:
        /*
         * This is a disaster, at best.  The user may have entered extra
         * environmental variables at the prompt.  There are several ways
         * to do this, and I just take the easy way out.
         */

        if (*cp != '\0') {      /* process new variables */
                char *nvar;
                int count = 1;

                for (envc = 0; envc < MAX_ENV; envc++) {
                        nvar = strtok(envc ? (char *) 0 : cp, " \t,");
                        if (!nvar)
                                break;

                        if (strchr(nvar, '=')) {
                                envp[envc] = nvar;
                        } else {
                                envp[envc] = xmalloc(strlen(nvar) + 32);
                                sprintf(envp[envc], "L%d=%s", count++, nvar);
                        }
                }
                set_env(envc, envp);
        }
which does what Roman has explained. So, this time it's not a bug, it *is* a feature ;)
> > SuSE 6.1 has SysV options enabled with /bin/login and
> > is vulnerable. I don't have a newer SuSE release, so
> > others will need to verify. It would seem logical that
> > SuSE 8.3 still includes the SysV login options
> > enabled, and is probably vulnerable as well.
>
>
> While it still may be a bad idea for a whole variety of reasons, the sole
> fact that some implementations of /bin/login allow for environment to be
> passed on to the shell after authentication does not mean that the
> program is vulnerable to the problems as discovered with the SysV derived
> implementations.
>
> To be more precise (grep the source for the word "disaster" to find the
> spot): The login programs in SuSE 6.0 and 6.1 gladly pass on environment
> specified as
>
> silence login: draht variable=value
> Password:
>
> up to a maximum number of 32 variables. If the args to the user name do
> not contain a "=" character, the arguments will show up in the environment
> as $L1, $L2, ... where arguments are separated by whitespace and ",". An
> overflow does not happen, or please prove me wrong.
>
> For the login programs in SuSE distributions before and including 6.1
> there is no such thing as "SysV login options enabled". Environment
> passing is a non-configurable feature.
> The SuSE Linux distributions 6.0 and 6.1 were the last ones without
> PAM'ified authentication schemes. All newer distributions use PAM
> authentication modules that do not pass on environment as specified on
> the user input prompt (user + password prompting happens beyond the scope
> of the login program).
>
> SuSE Linux users who use a distribution before 6.4 are greatly encouraged
> to upgrade to a new release since distributions before SuSE Linux 6.4 have
> been discontinued a long while ago.
>
>
> > Other distributions should be checked as well. A
> > quick way to check for SysV option capabilities is to
> > type "login", then enter "root testenv1=test" at the
> > login: prompt. Supply your root passwd, and look for
> > "testenv1" in the output of set. If it's set, then
> > your copy of /bin/login supports SysV options.....and
> > is probably vulnerable. Follow similar procedure to
> > find overflow possibility/specifics ;)
> >
> >
> > Regards,
> >
> > Anton Rager
> > a_rager@yahoo.com
>
> Thanks,
> Roman.
> --
> - -
> | Roman Drahtmüller <draht@suse.de> // "You don't need eyes to see, |
> SuSE GmbH - Security Phone: // you need vision!"
> | Nürnberg, Germany +49-911-740530 // Maxi Jazz, Faithless |
> - -
--
===========================================
Name: Pau Oliva - Email: pau@eSlack.org
Linux user: #97195 - BSD user: #BSD050609
WWW: www.eSlack.org - WWW: pof.eSlack.org
===========================================