[575] in SIPB_Linux_Development
telnetd/login hole
daemon@ATHENA.MIT.EDU ("Mark W. Eichin")
Wed May 18 13:17:47 1994
Date: Wed, 18 May 94 13:17:13 EDT
From: eichin@MIT.EDU ("Mark W. Eichin")
To: linux-dev@MIT.EDU
I just saw this in linux-admin; it worked on my box (fortunately, it's
behind a firewall...). Quiche appears to not be vulnerable; login has
changed somewhat since old SLS.
_Mark_
From: karel@icce.rug.nl (Karel Kubat)
Subject: GIANT SECURITY HOLE + FIX
Date: Wed, 18 May 1994 12:00:09 GMT
Heia,
Recently I came across a *giant* security hole (thanks to Peter Bouthoorn for
pointing it out). It may well affect a large part of all Linux boxes. At
least, it affected all machines in my neighbourhood, which are --remotely--
based on an old SLS distribution.
I have no idea if newer distributions are also affected. However, you can test
if your box is insecure by telnetting to it and using the "-l" flag with
"-fusername": just try
telnet -l -finsert_user_name_here host_name_of_linux_box
If you get logged in without a password prompt, there you go -- the barn-wide
hole should be obvious. Anyone from all over the world can telnet in as the
user, without ever entering a password.
All programs which use /bin/login to authenticate on the host being logged
in to are affected. E.g., rlogin is one of them and so is telnet. Now you can of
course restrict rlogins with /etc/hosts.allow, /etc/hosts.deny and
/etc/hosts.equiv. But you can't restrict telnetting (and you probably
don't want to). The problem lies with /bin/login: whenever someone passes the
-f flag to /bin/login, the user will be logged in without prompting for a
password.
Hence the following patch: it is a simple shell script, called /bin/login,
which executes /bin/login.prg (the original login program) after removing any
-f flags from the arguments. Which means that then all logins will require a
password to be entered. I know that it's not ideal, but it's the best I could
come up with in a short time. I'd appreciate follow-ups or replies with better
suggestions.
The script /bin/login follows. To install it, move /bin/login to
/bin/login.prg and install the shell script as /bin/login. Take care of the
right permissions. Further info in the script itself.
Cheers, Karel.
=============================== start of script, cut here
#!/bin/sh
########################################################################
# Login shell script, used to avoid the -fusername security hole.
# This is an ancient fault. It should have been fixed long ago.
# You have this barn-door wide security hole, if you can telnet to your
# box using:
# telnet -l -fusername hostname
# and then get logged in without the Password: prompt. This security hole
# will also show up with any programs that use /bin/login to validate;
# e.g., rlogin. This script fixes the hole, though a better /bin/login
# would be more appropriate.
#
# What this shell does, is that it effectively disables the passing of the
# -f flag to the original login program. It's the best I could come up with.
# Means that you'll always now have to type the password when logging in with
# rlogin etc.
#
# To install this shell:
# copy /bin/login to /bin/login.prg
# install this shell as /bin/login, perms -rws--x--x root:root
# make sure that the config parameters below are correct (they
# should be, for most systems)
#
# Cheers, Karel Kubat (karel@icce.rug.nl)
##########################################################################
# Config parameters, make sure that these are correct:
# original login program, under its newer name:
LOGINPRG=/bin/login.prg
# path in this shell to find programs:
PATH=/sbin:/bin:/usr/bin
# Rebuild the argument list without any argument that begins with -f
# ("-f" alone or "-fusername"). The original used
#   NEWARG=`echo $* | sed 's/-f//g'`
# which also mangled any other argument containing "-f", such as a
# hostname passed with -h. A username left behind as a bare positional
# argument is still prompted for its password by the real login program.
NEWARG=
for arg
do
    case "$arg" in
        -f*) ;;
        *) NEWARG="$NEWARG $arg" ;;
    esac
done
exec $LOGINPRG $NEWARG
=============================== end of script, cut here
--
email: K.Kubat@icce.rug.nl
phone: (+31) 50 63 36 47
mail : ICCE, Univ. of Groningen, P.O. box 335, 9700 AH Groningen, Netherlands
"Premature optimization is the root of all evil." (Knuth)
------------------------------
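As an added example, not Karel's script and not part of the original thread, the argument-filtering step of such a wrapper is written below as a stand-alone function and exercised on constructed login command lines: one modelled on what telnetd hands to /bin/login for a "telnet -l -fusername" session, one with a hostname that happens to contain "-f" (which a plain sed 's/-f//g' would corrupt), and one where -f arrives as a separate argument. The hostnames and user names are made up, and the real login binary is never invoked; the function only prints the surviving arguments so a defender can verify what the real login would receive.

```shell
#!/bin/sh
# Added example: filter the "-f" (pre-authenticated) flag out of a login(1)
# argument list, one argument per output line. Names below are constructed.

# filter_login_args ARG... -> prints every argument that does not begin
# with -f. Both "-f" alone and "-fusername" are dropped; everything else,
# including hostnames that merely contain "-f", passes through untouched.
filter_login_args() {
    for arg in "$@"; do
        case "$arg" in
            -f*) ;;                      # drop the password-bypass flag
            *) printf '%s\n' "$arg" ;;
        esac
    done
}

# Constructed sample lines, in the shape telnetd/rlogind pass to /bin/login.

remote_line() {
    # what "telnet -l -fvictim host" causes telnetd to pass to login
    filter_login_args -h remote.example.net -p -fvictim
}

benign_line() {
    # ordinary login from a host whose name contains "-f";
    # sed 's/-f//g' would have turned it into build-box... no: "buildbox"
    filter_login_args -h build-fbox.example.net -p alice
}

separate_flag_line() {
    # -f given as its own argument; the user name survives as a bare
    # positional argument, so the real login still asks for a password
    filter_login_args -p -f victim
}

# Stand-alone demonstration of what survives filtering.
echo "remote line:";        remote_line
echo "benign line:";        benign_line
echo "separate flag line:"; separate_flag_line
```

The check that matters operationally is the first one: after filtering, no argument starting with -f remains, so whatever the remote side put in its USER/-l value, the real login program still prompts.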