[8915] in bugtraq
Re: FreeBSD 2.2.5 Security problem
daemon@ATHENA.MIT.EDU (User NEAL)
Mon Jan 4 02:01:17 1999
Date: Sun, 3 Jan 1999 18:16:07 -0600
Reply-To: User NEAL <neal@PERNET.NET>
From: User NEAL <neal@PERNET.NET>
X-To: Missouri FreeNet Administration <measl@MFN.ORG>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <Pine.BSF.3.96.990102155924.20783A-100000@greeves.mfn.org>
Read the source, Luke! A login is allowed at most 10 attempts. After the
third attempt, a backoff starts up. After the tenth, the login fails and
is logged. Look in the source /usr/src/usr.bin/login/login.c, line 523:
        (void)printf("Login incorrect\n");
        failures++;
        /*
         * we allow up to 'retry' (10) tries,
         * but after 'backoff' (3) we start backing off
         */
        if (++cnt > backoff) {
                if (cnt >= retries) {
                        badlogin(username);     /* syslogs the failure tally */
                        sleepexit(1);           /* and ends the session */
                }
                sleep((u_int)((cnt - backoff) * 5));
        }
This code has been in there since 2.2.1 at least (I didn't check back
farther).
A simple test verified this behaviour. After ten login attempts, I was
booted off and it was dutifully logged:
Jan 3 16:17:06 <myhost> login: 10 LOGIN FAILURES FROM localhost
Jan 3 16:17:06 <myhost> login: 10 LOGIN FAILURES FROM localhost, root
On Sat, 2 Jan 1999, Missouri FreeNet Administration wrote:
> Greetings, how is everyone after the 30 day pig-out? ;-0
>
> We originally posted this problem to the FreeBSD GNATS system on
> December 20th, and still haven't heard so much as an acknowledgement
> of the report (GNATS#: i386/9141). I figured with the holidays, they
> were all busy, and would [eventually] get to it, but today I checked
> and saw that several GNATS reports on either side of this one (some
> as recent as today) have been looked at, processed, and even closed!
> So...
>
> FreeBSD 2.2.5-R (other rev's not tested) fail to log penetration attempts
> on quiescent systems properly when using syslog (to any target). Failed
> login attempts (*any* number of them) will not be reported until a user name
> which is *different* from the failed name is entered. For example, I can
> attempt to penetrate the root password *all day long* without getting a
> syslog report, provided a name other than root is not entered. The reason
> for this is that there is an attempt to de-verbosify syslog reporting in
> FBSD which accumulates a counter for events, and then reports a cumulative
> total. In this attempt to save verbiage, they are tallying all the failed
> attempts, *rather* than *reporting* them!
>
> This is (obviously) not going to be an issue on a busy system, as
> *someone* other than the target account is likely to log in and flush the
> counter report, but on a selected system, such as a name server, this
> could be a devastating flaw...
>
>
> Yours,
> J.A. Terranson
> sysadmin@mfn.org
>
> --
> If Governments really want us to behave like civilized human beings, they
> should give serious consideration towards setting a better example:
> Ruling by force, rather than consensus; the unrestrained application of
> unjust laws (which the victim-populations were never allowed input on in
> the first place); the State policy of justice only for the rich and
> elected; the intentional abuse and occasionally destruction of entire
> populations merely to distract an already apathetic and numb electorate...
> This type of demagoguery must surely wipe out the fascist United States
> as surely as it wiped out the fascist Union of Soviet Socialist Republics.
>
> The views expressed here are mine, and NOT those of my employers,
> associates, or others. Besides, if it *were* the opinion of all of
> those people, I doubt there would be a problem to bitch about in the
> first place...
> --------------------------------------------------------------------
>
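The login.c fragment quoted in NEAL's reply above gives the retry and backoff rule but not the resulting schedule, and the two syslog lines show the record a defender would need to watch for. The following is an added example, not code from the original post or from FreeBSD: it models the fragment's delay schedule with the values named in its comment (retries = 10, backoff = 3, both assumed from that comment), and parses the "N LOGIN FAILURES FROM host[, user]" line format shown in the post so that a log monitor can pick out the tally. The function names, the struct and the sample log lines are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Values assumed from the comment in the quoted login.c fragment. */
#define LOGIN_RETRIES 10
#define LOGIN_BACKOFF 3

/* Seconds login(1) sleeps after the cnt-th consecutive failure, following
 * the quoted logic: no delay until cnt exceeds backoff, then (cnt-backoff)*5.
 * Returns 0 on the attempt that terminates the session instead of sleeping. */
unsigned int backoff_delay(int cnt)
{
    if (cnt <= LOGIN_BACKOFF)
        return 0;
    if (cnt >= LOGIN_RETRIES)
        return 0;
    return (unsigned int)((cnt - LOGIN_BACKOFF) * 5);
}

/* Whether the cnt-th failure calls badlogin() and ends the session. */
int login_terminates(int cnt)
{
    return cnt > LOGIN_BACKOFF && cnt >= LOGIN_RETRIES;
}

/* Cumulative sleep imposed before the tenth failure ends the session:
 * 5 + 10 + 15 + 20 + 25 + 30 seconds. */
unsigned int total_delay_before_lockout(void)
{
    unsigned int total = 0;
    int cnt;
    for (cnt = 1; cnt <= LOGIN_RETRIES; cnt++) {
        if (login_terminates(cnt))
            break;
        total += backoff_delay(cnt);
    }
    return total;
}

/* One parsed "N LOGIN FAILURES FROM host[, user]" record (constructed type). */
struct failure_record {
    int count;
    char host[64];
    char user[32];      /* empty string when the line names no user */
};

/* Parse a syslog line of the form shown in the post. Returns 1 on a match
 * and fills *rec; returns 0 for any other line. */
int parse_failure_line(const char *line, struct failure_record *rec)
{
    const char *p = strstr(line, "login: ");
    if (p == NULL)
        return 0;
    p += strlen("login: ");
    memset(rec, 0, sizeof(*rec));
    /* host runs up to an optional ", user" suffix or end of line */
    if (sscanf(p, "%d LOGIN FAILURES FROM %63[^,\n], %31s",
               &rec->count, rec->host, rec->user) >= 2)
        return 1;
    return 0;
}

int main(void)
{
    /* Constructed sample lines modelled on the two in the post. */
    static const char *const samples[] = {
        "Jan 3 16:17:06 myhost login: 10 LOGIN FAILURES FROM localhost",
        "Jan 3 16:17:06 myhost login: 10 LOGIN FAILURES FROM localhost, root",
        "Jan 3 16:17:07 myhost sshd: unrelated line",
    };
    struct failure_record rec;
    int cnt;
    size_t i;

    for (cnt = 1; cnt <= LOGIN_RETRIES; cnt++)
        printf("failure %2d: %s after %u s\n", cnt,
               login_terminates(cnt) ? "session ends, tally logged" : "prompt again",
               backoff_delay(cnt));
    printf("total forced delay before lockout: %u s\n",
           total_delay_before_lockout());

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        if (parse_failure_line(samples[i], &rec))
            printf("tally: %d failures from %s%s%s\n", rec.count, rec.host,
                   rec.user[0] ? " against " : "", rec.user);
        else
            printf("ignored: %s\n", samples[i]);
    }
    return 0;
}
```

The second sample line is the one worth alerting on: the tally only appears once a session has burned through all ten attempts, so a monitor that waits for it sees the event roughly 105 seconds after the first failure, which is the point NEAL's reply makes against the original report.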