Re: Linux distributions and /bin/login overflow

From: Roman Drahtmueller (drahtat_private)
Date: Wed Dec 19 2001 - 21:21:10 PST


    > Hello,
    
    Hello, too!
    
    [...]
    
    > It seems that while Redhat Linux and Caldera Linux
    > distributions are immune to the recent /bin/login
    > environ overflow, other Linux distributions are not.
    > Several Linux distributions install /bin/login with
    > SysV login options enabled.
    >
    > Slackware 8.0 and lower [tested with 8.0, 4.0, 3.3]
    > has SysV options enabled with /bin/login and is
    > vulnerable.
    >
    > SuSE 6.1 has SysV options enabled with /bin/login and
    > is vulnerable.  I don't have a newer SuSE release, so
    > others will need to verify. It would seem logical that
    > SuSE 8.3 still includes the SysV login options
    > enabled, and is probably vulnerable as well.
    
    
    While it still may be a bad idea for a whole variety of reasons, the sole
    fact that some implementations of /bin/login allow for environment to be
    passed on to the shell after authentication does not mean that the
    program is vulnerable to the problems as discovered with the SysV derived
    implementations.
    
    To be more precise (grep the source for the word "disaster" to find the
    spot): The login programs in SuSE 6.0 and 6.1 gladly pass on environment
    specified as
    
    silence login: draht variable=value
    Password:
    
    up to a maximum number of 32 variables. If the args to the user name do
    not contain a "=" character, the arguments will show up in the environment
    as $L1, $L2, ... where arguments are separated by whitespace and ",". An
    overflow does not happen, or please prove me wrong.
    
    For the login programs in SuSE distributions before and including 6.1
    there is no such thing as "SysV login options enabled". Environment
    passing is a non-configurable feature.
    The SuSE Linux distributions 6.0 and 6.1 were the last ones without
    PAM'ified authentication schemes. All newer distributions use PAM
    authentication modules that do not pass on environment as specified on
    the user input prompt (user + password prompting happens beyond the scope
    of the login program).
    
    SuSE Linux users who use a distribution before 6.4 are greatly encouraged
    to upgrade to a new release since distributions before SuSE Linux 6.4 have
    been discontinued a long while ago.
    
    
    > Other distributions should be checked as well.  A
    > quick way to check for SysV option capabilities is to
    > type "login", then enter "root testenv1=test" at the
    > login: prompt.  Supply your root passwd, and look for
    > "testenv1" in the output of set.  If it's set, then
    > your copy of /bin/login supports SysV options.....and
    > is probably vulnerable. Follow similar procedure to
    > find overflow possibility/specifics ;)
    >
    >
    > Regards,
    >
    > Anton Rager
    > a_ragerat_private
    
    Thanks,
    Roman.
    -- 
     -                                                                      -
    | Roman Drahtmüller      <drahtat_private> // "You don't need eyes to see, |
      SuSE GmbH - Security           Phone: //             you need vision!"
    | Nürnberg, Germany     +49-911-740530 //           Maxi Jazz, Faithless |
     -                                                                      -
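    The environment-passing behaviour Roman describes above (user name followed by
    "variable=value" tokens, bare tokens becoming $L1, $L2, ..., a cap of 32
    variables) and the quoted "root testenv1=test" check, as an added example
    that is not part of the original mail and is not SuSE's /bin/login source.
    It is a hypothetical C re-implementation of the parsing step only; the
    function names (parse_login_line, login_env_get, the helpers) are mine, and
    two details the mail does not state are assumed: tokens beyond the cap are
    dropped silently, and each entry lives in a fixed 256-byte buffer.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Hypothetical re-implementation of the login-prompt environment passing
 * described in the mail. This is NOT SuSE's /bin/login source. Assumed
 * (not stated on the page): tokens beyond the cap are dropped silently,
 * and each entry lives in a fixed 256-byte buffer. */

#define MAX_LOGIN_ENV 32        /* the cap named in the mail */
#define ENTRY_LEN     256       /* assumed per-entry buffer size */

struct login_env {
    char user[64];
    char entries[MAX_LOGIN_ENV][ENTRY_LEN];   /* "NAME=value" strings */
    char *envp[MAX_LOGIN_ENV + 1];            /* NULL-terminated, execve()-style */
    int count;                                /* variables stored */
    int dropped;                              /* tokens discarded at the cap */
};

/* Parse one line typed at the "login:" prompt, e.g.
 *   "draht variable=value foo,bar"
 * The first whitespace-delimited token is the user name; the rest are split
 * on whitespace and ','. Tokens containing '=' are passed as-is, tokens
 * without one become L1, L2, ... Returns the number stored, or -1 if the
 * line carries no user name at all. */
int parse_login_line(const char *line, struct login_env *env)
{
    char buf[1024];
    char *tok;
    int positional = 0;

    memset(env, 0, sizeof *env);
    snprintf(buf, sizeof buf, "%s", line);         /* bounded copy of the input */

    tok = strtok(buf, " \t\r\n");
    if (tok == NULL)
        return -1;
    snprintf(env->user, sizeof env->user, "%s", tok);

    while ((tok = strtok(NULL, " \t\r\n,")) != NULL) {
        if (env->count >= MAX_LOGIN_ENV) {         /* at the cap: drop, never overflow */
            env->dropped++;
            continue;
        }
        char *dst = env->entries[env->count];
        if (strchr(tok, '=') != NULL)
            snprintf(dst, ENTRY_LEN, "%s", tok);   /* NAME=value passed through */
        else
            snprintf(dst, ENTRY_LEN, "L%d=%s", ++positional, tok);
        env->envp[env->count++] = dst;
    }
    env->envp[env->count] = NULL;
    return env->count;
}

/* Value of NAME in a parsed set, or NULL: the programmatic form of
 * "look for testenv1 in the output of set". */
const char *login_env_get(const struct login_env *env, const char *name)
{
    size_t n = strlen(name);
    for (int i = 0; i < env->count; i++)
        if (strncmp(env->envp[i], name, n) == 0 && env->envp[i][n] == '=')
            return env->envp[i] + n + 1;
    return NULL;
}

/* Helpers with scalar results, convenient for checking the behaviour. */
int parse_count(const char *line)
{
    struct login_env env;
    return parse_login_line(line, &env);
}

int var_equals(const char *line, const char *name, const char *expected)
{
    struct login_env env;
    const char *v;
    if (parse_login_line(line, &env) < 0)
        return 0;
    v = login_env_get(&env, name);
    return v != NULL && strcmp(v, expected) == 0;
}

/* Feed nvars "Vn=n" variables after the user name; returns how many survive. */
int count_with_nvars(int nvars)
{
    char line[1024] = "root";
    for (int i = 0; i < nvars; i++) {
        char v[32];
        snprintf(v, sizeof v, " V%d=%d", i, i);
        if (strlen(line) + strlen(v) + 1 > sizeof line)
            break;
        strcat(line, v);
    }
    return parse_count(line);
}

int main(void)
{
    struct login_env env;
    /* constructed sample input, mirroring the mail's example */
    parse_login_line("draht variable=value foo,bar testenv1=test", &env);
    printf("user=%s stored=%d\n", env.user, env.count);
    for (int i = 0; env.envp[i] != NULL; i++)
        printf("  %s\n", env.envp[i]);
    printf("40 variables -> %d stored\n", count_with_nvars(40));
    return 0;
}
```

    The point of the fixed-size table plus the explicit count check is the one
    Roman makes: accepting environment at the prompt is a policy question, but
    whether it can overflow anything depends on how the login binary stores
    what it accepts. Feeding 40 variables to this parser leaves exactly 32 in
    the table and 8 in the dropped counter, nothing written past the array.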
    



    This archive was generated by hypermail 2b30 : Thu Dec 20 2001 - 17:36:44 PST