Privacy and Legal Notice

[CIAC] INFORMATION BULLETIN

M-031: Buffer Overflow in System V Derived Login

[CERT Advisory CA-2001-34]

December 21, 2001 20:00 GMT
  ------------------------------------------------------------------------
 PROBLEM:           A vulnerability has been discovered in the login
                    program for many System V-derived Unix implementations
                    that allows unauthorized root access.
 PLATFORM:          IBM AIX versions 4.3 and 5.1
                    Hewlett-Packard's HP-UX
                    SCO OpenServer 5.0.6 and earlier
                    SGI IRIX 3.x
                    Sun Solaris 8 and earlier
 DAMAGE:            This vulnerability can be remotely exploited to gain
                    privileges of the invoker of login. Programs such as
                    telnetd, rlogind, and other suid root programs will
                    allow root access to the system.
 SOLUTION:          Apply the patch from vendor.
  ------------------------------------------------------------------------
 VULNERABILITY      The risk is HIGH. A remote attacker could exploit this
 ASSESSMENT:        vulnerability and gain root access to the system.
  ------------------------------------------------------------------------

 LINKS:
   CIAC BULLETIN:          http://www.ciac.org/ciac/bulletins/m-031.shtml
   ORIGINAL BULLETIN:      http://www.kb.cert.org/vuls/id/569272
  ------------------------------------------------------------------------

[***** Start CERT Advisory CA-2001-34 *****]

CERT Advisory CA-2001-34 Buffer Overflow in System V Derived Login

   Original release date: December 12, 2001
   Last revised: --
   Source: CERT/CC

   A complete revision history can be found at the end of this file.

Systems Affected

     * IBM AIX versions 4.3 and 5.1
     * Hewlett-Packard's HP-UX
     * SCO OpenServer 5.0.6 and earlier
     * SGI IRIX 3.x
     * Sun Solaris 8 and earlier

Overview

   Several  applications  use  login  for authentication to the system. A
   remotely  exploitable  buffer  overflow  exists  in login derived from
   System V. Attackers can exploit this vulnerability to gain root access
   to the server.

I. Description

   Several  implementations of login that are derived from System V allow
   a  user  to  specify  arguments  such  as environment variables to the
   process.  An array of buffers is used to store these arguments. A flaw
   exists  in the checking of the number of arguments accepted. This flaw
   permits the array of buffers to be overflowed.

   On most systems, login is not suid; therefore, it runs as the user who
   called  it.  If,  however, login is called by an application that runs
   with  greater  privileges  than  those of the user, such as telnetd or
   rlogind,  then  the  user  can  exploit this vulnerability to gain the
   privileges  of  that  program. In the case of telnetd or rlogind, root
   access is gained.

   Since  in.telnetd  and  in.rlogind  are  available over the network, a
   remote  attacker  without  any previous access to the system could use
   this vulnerability to gain root access to the system.

   If  a  program  that invokes login is suid (or sgid) USER_A, then this
   can be exploited to gain the privileges of USER_A.

   An exploit exists and may be circulating.

II. Impact

   This vulnerability can be remotely exploited to gain privileges of the
   invoker  of  login. In the case of a program such as telnetd, rlogind,
   or other suid root programs, root access is gained.

III. Solution

Apply a patch from your vendor

   Appendix A contains information provided by vendors for this advisory.
   As  vendors report new information to the CERT/CC, we will update this
   section  and note the changes in our revision history. If a particular
   vendor  is  not  listed  below,  we  have not received their comments.
   Please  review  the VU#569272 for your vendor's status or contact your
   vendor directly.

Restrict access to login

   We  recommend  disabling  TELNET,  RLOGIN  and other programs that use
   login  for  authentication.  Do not use programs that use a vulnerable
   login  for  authentication.  Note  that  some  SSH applications can be
   configured  to  use login for authentication. If this configuration is
   selected, then you will still be vulnerable.

   If  you  cannot  disable  the  service, you can limit your exposure to
   these vulnerabilities by using a router or firewall to restrict access
   to port 23/TCP (telnet) and port 513/TCP (rlogin). Note that this does
   not protect you against attackers from within your network.

Appendix A. - Vendor Information

   This  appendix  contains  information  provided  by  vendors  for this
   advisory.  As  vendors  report new information to the CERT/CC, we will
   update this section and note the changes in our revision history. If a
   particular  vendor  is  not  listed  below, we have not received their
   comments.

Apple Computer, Inc.

   Mac OS X and Mac OS X Server are not vulnerable.

Caldera

   We  are  not  using  a  SystemV based /bin/login, we are using the BSD
   originated rlogin tools. All OpenLinux products are 'Not Vulnerable'.

Compaq Computer Corporation

   Compaq's Tru64 Software is not impacted by this reported problem.

Cray Inc.

   Cray  Inc.  has  determined  that  its  implementation of login is not
   vulnerable to the situation described in VU#569272.

Hewlett-Packard

   HP-UX  is  NOT  Exploitable,  even  though  HP-UX does have the buffer
   overflow,  and  hence  is listed as "effected" above. In any case, the
   buffer overflow has been fixed by HP.

IBM

   IBM's  AIX  operating system, versions 4.3 and 5.1, are susceptible to
   this  vulnerability.  We  have  prepared  an  emergency  fix ("efix"),
   "tsmlogin_efix.tar.Z", and it is available for downloading from:

   ftp://aix.software.ibm.com/aix/efixes/security

   The  APAR  assignment  for  AIX  5.1 is IY26221, and will be available
   soon. The APAR for AIX 4.3 is pending, as a new level of 4.3 is nearly
   available.  The "README" file at the above FTP site will be updated to
   provide the official fix information and availability.

NetBSD

   NetBSD does not use a System V derived login, and therefore, NetBSD is
   not vulnerable.

Red Hat

   Red  Hat  Linux  does  not  use  a System V derived /bin/login, and is
   therefore not vulnerable to this.

Sun Microsystems

   Sun  has  developed  a  fix  and  T-patches are being tested. Official
   patches  will  be  released  shortly and Sun will issue a Sun Security
   Bulletin when they are available.
     _________________________________________________________________

   The  CERT Coordination Center thanks Internet Security Systems and Sun
   Microsystems for the technical information they provided.
     _________________________________________________________________

   Feedback  on  this  document  can  be directed to the author,
   Jason A. Rafail
     _________________________________________________________________

   References
     * http://www.kb.cert.org/vuls/id/569272
     * http://www.kb.cert.org/vuls
   ______________________________________________________________________

   This document is available from:
   http://www.cert.org/advisories/CA-2001-34.html
   ______________________________________________________________________

CERT/CC Contact Information

   Email: cert@cert.org
          Phone: +1 412-268-7090 (24-hour hotline)
          Fax: +1 412-268-6989
          Postal address:
          CERT Coordination Center
          Software Engineering Institute
          Carnegie Mellon University
          Pittsburgh PA 15213-3890
          U.S.A.

   CERT/CC   personnel   answer  the  hotline  08:00-17:00  EST(GMT-5)  /
   EDT(GMT-4)  Monday  through  Friday;  they are on call for emergencies
   during other hours, on U.S. holidays, and on weekends.

Using encryption

   We  strongly  urge you to encrypt sensitive information sent by email.
   Our public PGP key is available from

   http://www.cert.org/CERT_PGP.key

   If  you  prefer  to  use  DES,  please  call the CERT hotline for more
   information.

Getting security information

   CERT  publications  and  other security information are available from
   our web site

   http://www.cert.org/

   To  subscribe  to  the CERT mailing list for advisories and bulletins,
   send  email  to majordomo@cert.org. Please include in the body of your
   message

   subscribe cert-advisory

   *  "CERT"  and  "CERT  Coordination Center" are registered in the U.S.
   Patent and Trademark Office.
   ______________________________________________________________________

   NO WARRANTY
   Any  material furnished by Carnegie Mellon University and the Software
   Engineering  Institute  is  furnished  on  an  "as is" basis. Carnegie
   Mellon University makes no warranties of any kind, either expressed or
   implied  as  to  any matter including, but not limited to, warranty of
   fitness  for  a  particular purpose or merchantability, exclusivity or
   results  obtained from use of the material. Carnegie Mellon University
   does  not  make  any warranty of any kind with respect to freedom from
   patent, trademark, or copyright infringement.
     _________________________________________________________________

   Conditions for use, disclaimers, and sponsorship information

   Copyright 2001 Carnegie Mellon University.

   Revision History
December 12, 2001 : Initial Release
[***** End CERT Advisory CA-2001-34 *****]

  ------------------------------------------------------------------------
CIAC wishes to acknowledge the contributions of CERT Coordination Center
for the information contained in this bulletin.
  ------------------------------------------------------------------------
CIAC services are available to DOE, DOE Contractors, and the NIH. CIAC can
be contacted at:

    Voice:          +1 925-422-8193 (7 x 24)
    FAX:            +1 925-423-8002
    STU-III:        +1 925-423-2604
    E-mail:          ciac@llnl.gov
    World Wide Web:  http://www.ciac.org/
                     http://ciac.llnl.gov
                     (same machine -- either one will work)
    Anonymous FTP:   ftp.ciac.org
                     ciac.llnl.gov
                     (same machine -- either one will work)

  ------------------------------------------------------------------------
This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for
the accuracy, completeness, or usefulness of any information, apparatus,
product, or process disclosed, or represents that its use would not
infringe privately owned rights. Reference herein to any specific
commercial products, process, or service by trade name, trademark,
manufacturer, or otherwise, does not necessarily constitute or imply its
endorsement, recommendation or favoring by the United States Government or
the University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.
  ------------------------------------------------------------------------
UCRL-MI-119788
[Privacy and Legal Notice]