_____________________________________________________
                          The U.S. Department of Energy
                       Computer Incident Advisory Capability
                              ___  __ __    _     ___
                             /       |     /_\   /
                             \___  __|__  /   \  \___
               _____________________________________________________

				ADVISORY NOTICE

			 UNIX /bin/login Vulnerability


May 23, 1994 0700 PDT                                              Number E-26
______________________________________________________________________________ 

PROBLEM:        A vulnerability exists in /bin/login on some UNIX platforms.
PLATFORMS:      IBM AIX 3 systems, Linux, possibly other UNIX systems.
DAMAGE:         Local and remote users can obtain unauthorized access to any
		account, including root.
SOLUTION:       Apply patches or workarounds described below.
______________________________________________________________________________

VULNERABILITY   This vulnerability has been widely discussed in detail on
ASSESSMENT:     Internet mailing lists and newsgroups and a simple one line
		exploitation script is being distributed.  CIAC strongly
		advises that this vulnerability be patched IMMEDIATELY.
______________________________________________________________________________

	 Critical Information about the UNIX /bin/login Vulnerability

CIAC has learned of a vulnerability in the UNIX /bin/login program.  This
vulnerability potentially affects all IBM AIX 3 systems, Linux systems, and
perhaps other UNIX platforms as well.  Information available at the time of
this advisory's publication indicates that only IBM AIX 3 and Linux systems are
at risk.

IBM AIX information

Current information indicates that the IBM AIX vulnerability applies only to
remote access.

IBM is currently developing an official fix.  Until the official fix is
available from IBM, CIAC recommends immediate application of the workaround or
installation of the emergency fix described here.

Workaround:

The recommended workaround is to disable the rlogin daemon by performing the
following three steps:

 1. As root, edit /etc/inetd.conf and comment out the line 'login ... rlogin' 
 2. Run 'inetimp'
 3. Run 'refresh -s inetd'

Emergency Fix:

IBM's emergency fix for the different levels of AIX 3 affected by this
vulnerability is available via anonymous FTP from software.watson.ibm.com in
the file /pub/rlogin/rlogin.tar.Z.  Installation instructions are included in
the README file which is included in rlogin.tar.Z.  Checksum information for
rlogin.tar.Z is included in the chart below.

  BSD: 25285 317
  SystemV: 13021 633
  MD5: 803ee38c2e3b8c8c575e2ff5e921034c

Official Fix:

IBM is working on an official fix; it can be ordered as APAR IX44254.  To order
an APAR from IBM in the U.S., call 1-800-237-5511 and ask IBM to ship it as
soon as it is available.  According to IBM, this fix will be available in
approximately two weeks.  APARs may be obtained outside the U.S. by contacting
your local IBM representative.


Linux information

Current information indicates that the Linux vulnerability applies to both
remote and local access.

Remote access fix:

A patch that addresses the remote access problem has been made available via
anonymous FTP from sunsite.unc.edu in the directory
/pub/Linux/system/Network/sunacm/URGENT.  This patch is found in the file
security.tgz, with the associated file README.security.  Note that security.tgz
includes other security fixes in addition to the /bin/login patch.  Checksum
information for both of these files is included below.

  README.security:                       security.tgz:
  BSD: 09575 1                           BSD: 32878 257 
  SystemV: 20945 1                       SystemV: 40797 513
  MD5: 41d14d7b8725c7a1015adeb49601619b  MD5: dd4585cf4da1b52d25d619bf45f55b75

Local access fix:

To address the local access problem, CIAC encourages installation of a version
of /bin/login that does not allow the -f option in the form "-f<user>".  The
recommended version should only allow this option in the form "-f <user>", with
a space to indicate two arguments.  At the time of this bulletin's publication,
CIAC does not know which versions of login.c are vulnerable.  As CIAC and
other FIRST teams receive additional information, the CA-94:09.README file will
be updated.  Again, we encourage you to check this README file regularly for
updates.  If you find a version of Linux which contains the login access
vulnerability, please contact CIAC.


Other vendor information

The CERT Coordination Center (CERT/cc) has provided CIAC with the file
CA-94:09.README, which lists the vendors who have responded to inquiries
involving this vulnerability and the status of their investigations into this
problem.  This file is included with this advisory as an appendix.  As
additional information is received relating to this advisory, the CERT/cc will
place it, along with any clarifications, in the README file available via
anonymous FTP from info.cert.org.  CIAC encourages you to check the README file
regularly for updates that relate to your UNIX operating system.

Note: md5 checksum utility is available via anonymous FTP from CIAC's
server irbis.llnl.gov (soon to be renamed ciac.llnl.gov) as md5.tar in
directory /pub/util/crypto.
______________________________________________________________________________

CIAC thanks the CERT Coordination Center for the information provided in this
advisory.
______________________________________________________________________________

For additional information or assistance, please contact CIAC:
    Voice:   510-422-8193
    FAX:     510-423-8002
    STU-III: 510-423-2604
    E-mail:  ciac@llnl.gov

CIAC has several self-subscribing mailing lists for electronic publications:
1. CIAC-BULLETIN for Advisories, highest priority - time critical information
   and Bulletins, important computer security information;
2. CIAC-NOTES for Notes, a collection of computer security articles;
3. SPI-ANNOUNCE for official news about Security Profile Inspector (SPI)
   software updates, new features, distribution and availability;
4. SPI-NOTES, for discussion of problems and solutions regarding the use of
   SPI products.

Our mailing lists are managed by a public domain software package called
ListProcessor, which ignores E-mail header subject lines.  To subscribe (add
yourself) to one of our mailing lists, send the following request as the
E-mail message body, substituting CIAC-BULLETIN, CIAC-NOTES, SPI-ANNOUNCE or
SPI-NOTES for "list-name" and valid information for "LastName" "FirstName" and
"PhoneNumber" when sending

E-mail to ciac-listproc@llnl.gov:
          subscribe list-name  LastName, FirstName PhoneNumber
    e.g., subscribe ciac-notes O'Hara, Scarlett 404-555-1212 x36

You will receive an acknowledgment containing address, initial PIN, and
information on how to change either of them, cancel your subscription, or get
help.
______________________________________________________________________________

PLEASE NOTE: Many users outside of the DOE and ESnet computing communities
receive CIAC bulletins.  If you are not part of these communities, please
contact your agency's response team to report incidents.  Your agency's team
will coordinate with CIAC.  The Forum of Incident Response and Security Teams
(FIRST) is a world-wide organization.  A list of FIRST member organizations
and their constituencies can be obtained by sending E-mail to
first-request@first.org with an empty subject line and a message body
containing the line: send first-contacts.

This document was prepared as an account of work sponsored by an agency of the
United States Government.  Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
expressed or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, product, or process
disclosed, or represents that its use would not infringe privately owned
rights.  Reference herein to any specific commercial products, process, or
service by trade name, trademark manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation, or favoring by
the United States Government or the University of California.  The views and
opinions of authors expressed herein do not necessarily state or reflect those
of the United States Government nor the University of California, and shall not
be used for advertising or product endorsement purposes.

-----------------------------------------------------------------------------
Appendix

CA-94:09.README

This file is a supplement to the CERT Advisory
CA-94:09.bin.login.vulnerability of May 23, 1994, and will be updated
as additional information becomes available. 

We have received feedback from these vendors, who indicated that their
products are not vulnerable: 

     Amdahl
     Apple 
     BSD   
     BSDI  
     Harris
     HP    
     Motorola 
     NeXT     
     Pyramid  
     SCO      
     SGI      
     Solbourne
     Sony     
     Sun      

CERT has verified that the following vendor products are not vulnerable:

     Free BSD 

We have received feedback from these vendors, who have made patches
available to address the /bin/login vulnerability:

     IBM
       workaround:       see Section III. Solution for IBM AIX
                         vulnerability A. Workaround of CERT advisory
                         CA-94:09 
       emergency patch:  software.watson.ibm.com:/pub/rlogin/rlogin.tar.Z
       Official patch:   APAR IX44254

     Linux  
       patch:  sunsite.unc.edu:/pub/Linux/system/Network/sunacm/URGENT/*