[3774] in bugtraq
Re: denial of service attack on login
daemon@ATHENA.MIT.EDU (Bettina Fink)
Tue Dec 10 14:10:06 1996
Date: Tue, 10 Dec 1996 15:21:03 +0100
Reply-To: Bettina Fink <laura@sobolev.rhein.de>
From: Bettina Fink <laura@sobolev.rhein.de>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@netspace.org>
In article <2.2.32.19961202024506.0098e6a0@dux.isec.pt>, NuNO <nuno@dux.isec.pt> wrote:
> The following denial of service attack seems to work on the above systems
> with the standard login application.
>
> joe$ nvi /var/log/wtmp
>
> [ Now no-one else can log in ]
>
> This is a problem with advisory locking. The fact that anyone can create an
> exclusive lock on a file they can only read!
The problem with locking of /var/log/wtmp by nvi affects not only "login".
This also works on agetty and mingetty even when the "login" bug is fixed.
A simple user can lock wtmp by "nvi /var/log/wtmp" without having write
permission on it.

If you have fixed it for "login", you can still log in to your system, but
if you try to log _out_, the tty is dead until the lock is removed.

The author of mingetty, Florian La Roche, has been informed; he will fix
it for mingetty.

I'll also send a mail to Nicolai Langfeldt (maintainer of util-linux) to
inform him about the agetty problem if he doesn't already know this.
--
EMail: laura@caissa.franken.de
PGP public key on demand or finger pgp@caissa.franken.de
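
A defensive sketch of the issue discussed in this thread, added here as an example and not code from login, agetty, mingetty or any poster: a wtmp-style appender that requests the advisory lock with LOCK_NB a bounded number of times, so a lock held through a read-only descriptor delays it briefly instead of hanging it. The names append_bounded and demo, the scratch path, and the choice to write without the lock once the retries run out are assumptions of this example.

```c
#define _DEFAULT_SOURCE 1   /* flock(), mkstemp(), nanosleep() on glibc */
#include <fcntl.h>
#include <stdlib.h>
#include <sys/file.h>
#include <time.h>
#include <unistd.h>

enum { APPEND_FAILED = -1, APPEND_LOCKED = 0, APPEND_UNLOCKED = 1 };

/* Append one record to a wtmp-style log. The lock is requested with LOCK_NB a
 * bounded number of times, so a lock held by another process costs a short
 * delay instead of blocking forever. If it never comes free, the record is
 * still written: O_APPEND puts each write() at the current end of file. */
int append_bounded(const char *path, const void *rec, size_t len, int tries)
{
    int fd = open(path, O_WRONLY | O_APPEND);
    if (fd < 0) return APPEND_FAILED;
    int locked = 0;
    struct timespec pause = { 0, 20 * 1000 * 1000 };   /* 20 ms between tries */
    for (int i = 0; i < tries && !locked; i++) {
        locked = (flock(fd, LOCK_EX | LOCK_NB) == 0);
        if (!locked)
            nanosleep(&pause, NULL);
    }
    ssize_t n = write(fd, rec, len);
    close(fd);                       /* closing the descriptor drops the lock */
    if (n != (ssize_t)len) return APPEND_FAILED;
    return locked ? APPEND_LOCKED : APPEND_UNLOCKED;
}

/* Constructed scenario on a scratch file (not the real wtmp): a descriptor
 * opened read-only optionally takes LOCK_EX, then the appender runs. */
int demo(int reader_holds_lock)
{
    char path[] = "/tmp/wtmp-demo-XXXXXX";
    int result = APPEND_FAILED;
    int tmp = mkstemp(path);
    if (tmp < 0) return result;
    close(tmp);
    int ro = open(path, O_RDONLY);
    if (ro >= 0 && (!reader_holds_lock || flock(ro, LOCK_EX) == 0))
        result = append_bounded(path, "record\n", 7, 3);
    if (ro >= 0) close(ro);
    unlink(path);
    return result;
}

int main(void) { return demo(1) == APPEND_UNLOCKED && demo(0) == APPEND_LOCKED ? 0 : 1; }
```

A caller can log the APPEND_UNLOCKED result as a sign that some other process is holding the lock on the log file.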