Slashdot Mirror


Solaris, AIX Login Hole

An anonymous submitter sent in: "A CERT Advisory describes a buffer overflow vulnerability in implementations of login derived from System V, which includes, among others, Solaris 8 and earlier and AIX 4.3/5.1. 'An exploit exists and may be circulating.' Vendors are testing fixes." There's a Reuters story as well.


  1. Re:More info: by HMC+CS+Major · Score: 1, Offtopic
    This actually is not a new vulnerability. From FreeBSD Security Advisory FreeBSD-SA-01:63.openssh:

    Topic: OpenSSH UseLogin directive permits privilege escalation

    Category: core/ports
    Module: openssh
    Announced: 2001-12-02
    Credits: Markus Friedl
    Affects: FreeBSD 4.3-RELEASE, 4.4-RELEASE
             FreeBSD 4.4-STABLE prior to the correction date
             Ports collection prior to the correction date
    Corrected: 2001-12-03 00:53:28 UTC (RELENG_4)
               2001-12-03 00:54:18 UTC (RELENG_4_4)
               2001-12-03 00:54:54 UTC (RELENG_4_3)
               2001-12-02 06:52:40 UTC (openssh port)
    FreeBSD only: NO

    I. Background

    OpenSSH is an implementation of the SSH1 and SSH2 secure shell
    protocols for providing encrypted and authenticated network access,
    which is available free for unrestricted use. Versions of OpenSSH are
    included in the FreeBSD ports collection and the FreeBSD base system.

    II. Problem Description

    OpenSSH includes a feature by which a user can arrange for
    environmental variables to be set depending upon the key used for
    authentication. These environmental variables are specified in the
    `authorized_keys' (SSHv1) or `authorized_keys2' (SSHv2) files in the
    user's home directory on the server. This is normally safe, as this
    environment is passed only to the user's shell, which is invoked with
    user privileges.

    However, when the OpenSSH server `sshd' is configured to use
    the system's login program (via the directive `UseLogin yes' in
    sshd_config), this environment is passed to login, which is invoked
    with superuser privileges. Because certain environmental variables
    such as LD_LIBRARY_PATH and LD_PRELOAD can be set using the previously
    described feature, the user may arrange for login to execute arbitrary
    code with superuser privileges.

    All versions of FreeBSD 4.x prior to the correction date including
    FreeBSD 4.3 and 4.4 are potentially vulnerable to this problem.
    However, the OpenSSH server is configured to not use the system login
    program (`UseLogin no') by default, and is therefore not vulnerable
    unless the system administrator has changed this setting.

    In addition, there are two versions of OpenSSH included in the
    ports collection. One is ports/security/openssh, which is the
    BSD-specific version of OpenSSH. Versions of this port prior to
    openssh-3.0.2 exhibit the problem described above. The other is
    ports/security/openssh-portable, which is not vulnerable, even if the
    server is set to `UseLogin yes'.

    III. Impact

    Hostile but otherwise legitimate users that can successfully
    authenticate using public key authentication may cause /usr/bin/login
    to run arbitrary code as the superuser.

    If you have not enabled the 'UseLogin' directive in the sshd
    configuration file, you are not vulnerable to this problem.
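The advisory's own remedy is a configuration check: with `UseLogin no` the per-key `environment=` options in `authorized_keys` only ever reach the user's shell, while with `UseLogin yes` they reach a root-run `login`, where loader variables such as `LD_PRELOAD` and `LD_LIBRARY_PATH` are decisive. The Python below is an added example (not code from the thread, the advisory, or the OpenSSH project) that automates that check over embedded, constructed sample contents of `sshd_config` and `authorized_keys`; the sample key lines, the placeholder key blobs and path, and the list of variables treated as dangerous are assumptions for illustration. It follows the sshd_config(5) rule that the first value seen for a keyword wins, and it parses key options with quoted strings the way the `authorized_keys` format allows.

```python
"""Audit sshd_config + authorized_keys for the UseLogin/environment= exposure
described in FreeBSD-SA-01:63. Added example; sample data is constructed."""
import re

# Loader variables the advisory names; any LD_* variable is treated the same way.
DANGEROUS_ENV = {"LD_LIBRARY_PATH", "LD_PRELOAD"}

# Constructed sample sshd_config with the weak setting enabled.
SAMPLE_SSHD_CONFIG = """\
# constructed sshd_config (example data)
Port 22
PermitRootLogin no
UseLogin yes
PubkeyAuthentication yes
"""

# Constructed sample authorized_keys; key blobs and paths are placeholders.
SAMPLE_AUTHORIZED_KEYS = """\
# constructed authorized_keys (example data)
environment="LD_PRELOAD=/tmp/example.so",no-pty ssh-rsa AAAAPLACEHOLDER alice@example
environment="EDITOR=vi" ssh-rsa AAAAPLACEHOLDER bob@example
ssh-rsa AAAAPLACEHOLDER carol@example
"""

# A line that starts with a key type (or an SSHv1 bit count) carries no options.
KEY_TYPE_RE = re.compile(r"^(ssh-[a-z0-9]+|ecdsa-[a-z0-9-]+|sk-[a-z0-9@.-]+|\d+)\s")
ENV_OPT_RE = re.compile(r'^environment="([^=]+)=(.*)"$')


def parse_sshd_config(text):
    """Return {lowercase keyword: value}; sshd keeps the first value it reads."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def split_line(line):
    """Return (options string, remainder): options end at the first unquoted space."""
    if KEY_TYPE_RE.match(line):
        return "", line
    i, quoted = 0, False
    while i < len(line):
        ch = line[i]
        if ch == "\\" and quoted:      # escaped character inside a quoted value
            i += 2
            continue
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            return line[:i], line[i:].lstrip()
        i += 1
    return line, ""


def split_options(options):
    """Split a comma-separated option string while honouring double quotes."""
    items, cur, quoted = [], [], False
    for ch in options:
        if ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            items.append("".join(cur))
            cur = []
            continue
        cur.append(ch)
    if cur:
        items.append("".join(cur))
    return items


def parse_authorized_keys(text):
    """Return a list of (options, key type, comment) tuples, one per key line."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opts, rest = split_line(line)
        fields = rest.split(None, 2)
        if len(fields) < 2:
            continue
        comment = fields[2] if len(fields) == 3 else ""
        entries.append((split_options(opts) if opts else [], fields[0], comment))
    return entries


def environment_options(options):
    """Extract (NAME, value) pairs from environment="NAME=value" options."""
    return [m.groups() for m in (ENV_OPT_RE.match(o) for o in options) if m]


def audit(sshd_config_text, authorized_keys_text):
    """Return (severity, message) findings, worst config problem first."""
    findings = []
    cfg = parse_sshd_config(sshd_config_text)
    use_login = cfg.get("uselogin", "no").lower() == "yes"
    if use_login:
        findings.append(("HIGH", "UseLogin yes: environment= options reach "
                                 "login(1) running as root; set 'UseLogin no'"))
    for options, _key_type, comment in parse_authorized_keys(authorized_keys_text):
        for name, value in environment_options(options):
            if name in DANGEROUS_ENV or name.startswith("LD_"):
                sev = "HIGH" if use_login else "MEDIUM"
                findings.append((sev, f"key '{comment}' sets loader variable {name}={value}"))
            elif use_login:
                findings.append(("LOW", f"key '{comment}' sets {name} via environment= "
                                        "while UseLogin is on"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(SAMPLE_SSHD_CONFIG, SAMPLE_AUTHORIZED_KEYS):
        print(severity, message)
```

On a real host the two sample strings would be read from `/etc/ssh/sshd_config` and each user's `~/.ssh/authorized_keys` (and `authorized_keys2`, per the advisory). The `LD_*` findings stay at MEDIUM even with `UseLogin no`, since a loader variable injected through a key is worth a look regardless of the privilege it lands in.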
  2. Well obviously... by billmaly · Score: 0, Offtopic

    They should be taken to court, made fun of, boycotted! A security hole, my god, well I run Solaris, thank goodness I'm not affecte.....What's that?? It affects what? Oh....oh my....OH WAITER!!!! A plate of crow please! :)

  3. Now I can use the AIX box I bought at auction! by Spoing · Score: 0, Offtopic
    If this fails, anyone know if PPC Aix disks can be mounted on an x86 Linux box? Proper partition and fs support enabled, of course.

    Background: The box came from a defunct internet delivery service. I wonder what corporate records I'll find? Definitely customer records if the admins didn't wipe the database. It's a good thing I'm ethical. I wonder how many customer records from defunct Internet-focused IPOs are now in the hands of crooks?

    --
    A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
  4. Unix has always had problems: X11 for example. by SimHacker · Score: 1, Offtopic
    Ivan Raikov stated "I'd say there's a subtle, but important difference between insecure by design and insecure due to a programmer's mistake."

    Sometimes, "design" is 100% equivalent to "a programmer's mistake".

    That is obviously the case with X-Windows, the world's first fully modular software disaster. It was a mistake to even design it. A mistake carried out to perfection. The defecto standard. Flaky and built to stay that way. Complex nonsolutions to simple nonproblems. Form follows malfunction. Ignorance is our most important resource. It could be worse, but it'll take time. More than enough rope. Power tools for power fools. Putting new limits on productivity. The cutting edge of obsolescence. The art of incompetence. The defacto substandard. You'll envy the dead. Even your dog won't like it.

    -Don

    --
    Take a look and feel free: http://www.PieMenu.com