Re: Linux distributions and /bin/login overflow

From: pof (pauat_private)
Date: Fri Dec 21 2001 - 09:22:36 PST


    On Thu, 20 Dec 2001 06:21:10 +0100 (MET)
    "Roman Drahtmueller" <drahtat_private> wrote:
    
    > 
    > > Hello,
    > 
    > Hello, too!
    > 
    
    Hello again :^)
    
    > [...]
    > 
    > > It seems that while Redhat Linux and Caldera Linux
    > > distributions are immune to the recent /bin/login
    > > environ overflow, other Linux distributions are not.
    > > Several Linux distributions install /bin/login with
    > > SysV login options enabled.
    > >
    > > Slackware 8.0 and lower [tested with 8.0, 4.0, 3.3]
    > > has SysV options enabled with /bin/login and is
    > > vulnerable.
    > >
    
    As Roman said about SuSE, Slackware is also not vulnerable to the /bin/login overflow. Explanation follows.
    
    Slackware 8 comes with the shadow-19990827 package and a non-PAMified authentication scheme.
    In shadow-19990827/libmisc/loginprompt.c line 133 you can find this piece of code:
    
       /*
        * This is a disaster, at best.  The user may have entered extra
        * environmental variables at the prompt.  There are several ways
        * to do this, and I just take the easy way out.
        */
    
       if (*cp != '\0') {      /* process new variables */
          char *nvar;
          int count = 1;
    
          for (envc = 0; envc < MAX_ENV; envc++) {
             nvar = strtok(envc ? (char *)0 : cp, " \t,");
             if (!nvar)
                break;
             if (strchr(nvar, '=')) {
                envp[envc] = nvar;
             } else {
                envp[envc] = xmalloc(strlen(nvar) + 32);
                sprintf(envp[envc], "L%d=%s", count++, nvar);
             }
          }
          set_env(envc, envp);
       }
    
    
    which does what Roman has explained. So, this time it's not a bug, it *is* a feature ;)
    
    > > SuSE 6.1 has SysV options enabled with /bin/login and
    > > is vulnerable.  I don't have a newer SuSE release, so
    > > others will need to verify. It would seem logical that
    > > SuSE 8.3 still includes the SysV login options
    > > enabled, and is probably vulnerable as well.
    > 
    > 
    > While it still may be a bad idea for a whole variety of reasons, the sole
    > fact that some implementations of /bin/login allow for environment to be
    > passed on to the shell after authentication does not mean that the
    > program is vulnerable to the problems as discovered with the SysV derived
    > implementations.
    > 
    > To be more precise (grep the source for the word "disaster" to find the
    > spot): The login programs in SuSE 6.0 and 6.1 gladly pass on environment
    > specified as
    > 
    > silence login: draht variable=value
    > Password:
    > 
    > up to a maximum number of 32 variables. If the args to the user name do
    > not contain a "=" character, the arguments will show up in the environment
    > as $L1, $L2, ... where arguments are separated by whitespace and ",". An
    > overflow does not happen, or please prove me wrong.
    > 
    > For the login programs in SuSE distributions before and including 6.1
    > there is no such thing as "SysV login options enabled". Environment
    > passing is a non-configurable feature.
    >  The SuSE Linux distributions 6.0 and 6.1 were the last ones without
    > PAM'ified authentication schemes. All newer distributions use PAM
    > authentication modules that do not pass on environment as specified on
    > the user input prompt (user + password prompting happens beyond the scope
    > of the login program).
    > 
    > SuSE Linux users who use a distribution before 6.4 are greatly encouraged
    > to upgrade to a new release since distributions before SuSE Linux 6.4 have
    > been discontinued a long while ago.
    > 
    > 
    > > Other distributions should be checked as well.  A
    > > quick way to check for SysV option capabilities is to
    > > type "login", then enter "root testenv1=test" at the
    > > login: prompt.  Supply your root passwd, and look for
    > > "testenv1" in the output of set.  If it's set, then
    > > your copy of /bin/login supports SysV options.....and
    > > is probably vulnerable. Follow similar procedure to
    > > find overflow possibility/specifics ;)
    > >
    > >
    > > Regards,
    > >
    > > Anton Rager
    > > a_ragerat_private
    > 
    > Thanks,
    > Roman.
    > -- 
    >  -                                                                      -
    > | Roman Drahtmüller      <drahtat_private> // "You don't need eyes to see, |
    >   SuSE GmbH - Security           Phone: //             you need vision!"
    > | Nürnberg, Germany     +49-911-740530 //           Maxi Jazz, Faithless |
    >  -                                                                      -
    
    
    -- 
    ===========================================
    Name: Pau Oliva     - Email: pauat_private
    Linux user: #97195  - BSD user:  #BSD050609
    WWW: www.eSlack.org - WWW:   pof.eSlack.org
    ===========================================
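
    The environment handling that Roman describes and that the loginprompt.c snippet above implements, as an added stand-alone example written for this archive page (not code from the shadow package): words typed after the user name are split on whitespace and ",", a word containing "=" is kept as-is, any other word becomes L1=, L2=, ..., and the loop stops at MAX_ENV (32) entries, so extra words are dropped rather than overflowing anything. One assumed deviation from the original is that every entry is a heap copy so the caller can free them uniformly.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_ENV 32   /* same cap as the quoted loginprompt.c */

/* Parse the words typed after the user name at the login: prompt into at
 * most MAX_ENV "name=value" strings, mirroring the shadow code above: a word
 * containing '=' is kept verbatim, any other word becomes L1=, L2=, ...
 * Entries are malloc'd copies owned by the caller (the original keeps '='
 * words as pointers into the input). Returns the count, -1 on alloc failure. */
int parse_login_env(const char *input, char *envp[MAX_ENV])
{
    char *buf = malloc(strlen(input) + 1);   /* strtok() writes into its argument */
    int envc, count = 1;
    if (!buf) return -1;
    strcpy(buf, input);
    for (envc = 0; envc < MAX_ENV; envc++) {
        char *nvar = strtok(envc ? NULL : buf, " \t,");
        if (!nvar)
            break;
        size_t len = strlen(nvar) + 32;   /* room for the "L<n>=" prefix */
        envp[envc] = malloc(len);
        if (!envp[envc]) { free(buf); return -1; }
        if (strchr(nvar, '='))
            snprintf(envp[envc], len, "%s", nvar);
        else
            snprintf(envp[envc], len, "L%d=%s", count++, nvar);
    }
    free(buf);
    return envc;
}

void free_login_env(char *envp[], int envc)
{
    for (int i = 0; i < envc; i++)
        free(envp[i]);
}

/* Offer `words` bare words and report how many entries survive the cap. */
int count_login_env_words(int words)
{
    char input[4096] = "";
    char *envp[MAX_ENV];
    for (int i = 0; i < words && strlen(input) + 3 < sizeof input; i++)
        strcat(input, "w ");
    int n = parse_login_env(input, envp);
    free_login_env(envp, n > 0 ? n : 0);
    return n;
}
```

    Feeding "root testenv1=test" as in Anton's check yields the single entry testenv1=test, and offering 40 bare words yields exactly 32 entries, which is the bound Roman refers to.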
    



    This archive was generated by hypermail 2b30 : Fri Dec 21 2001 - 11:40:46 PST