Slashdot Mirror

← Back to Stories (view on slashdot.org)

Solaris, AIX Login Hole

Posted by michael on from the still-another-reason-not-to-use-telnet dept.

An anonymous submitter sent in: "A CERT Advisory describes a buffer overflow vulnerability in implementations of login derived from System V, which includes among Solaris 8 and earlier and AIX 4.3/5.1. "An exploit exists and may be circulating." Vendors are testing fixes." There's a Reuters story as well.

3 of 267 comments (clear)

  1. Re:See, Unix has problems too now. by vinnythenose · · Score: 3, Redundant

    Acutally it's been known for a long time that telnet and rlogin are insecure. The effort has been to shift people to secure methods such as OpenSSH for those things. For the most part any sysadmin that has been using telnet and rlogin is probably too lazy to switch. I worked under a sysadmin for a while and it took months of pushing to get him to start implemting SSH across the board.

    --
    --- I used to moderate, then I read the -1 articles and decided having to filter through them was not worth it.
  2. I must be missing something by overshoot · · Score: 2, Redundant

    This affects systems with telnet or rlogin accessible from the Internet? The implication is that these were somehow not vulnerable without this buffer overrun.
    News to me.

    --
    Lacking <sarcasm> tags, /. substitutes moderation as "Troll."
  3. Re:More info: by HMC+CS+Major · · Score: 0, Redundant
    Your sarcasm only shows how little you pay attention to unix security. The flaw in "login" has been around for a while, and has shown up on various security mailing lists. For instance, here is one from FreeBSD. From FreeBSD Security Advisory: FreeBSD-SA-01:63.openssh:


    Topic: OpenSSH UseLogin directive permits privilege escalation

    Category: core/ports
    Module: openssh
    Announced: 2001-12-02
    Credits: Markus Friedl
    Affects: FreeBSD 4.3-RELEASE, 4.4-RELEASE
    FreeBSD 4.4-STABLE prior to the correction date
    Ports collection prior to the correction date
    Corrected: 2001-12-03 00:53:28 UTC (RELENG_4)
    2001-12-03 00:54:18 UTC (RELENG_4_4)
    2001-12-03 00:54:54 UTC (RELENG_4_3)
    2001-12-02 06:52:40 UTC (openssh port)
    FreeBSD only: NO

    I. Background

    OpenSSH is an implementation of the SSH1 and SSH2 secure shell
    protocols for providing encrypted and authenticated network access,
    which is available free for unrestricted use. Versions of OpenSSH are
    included in the FreeBSD ports collection and the FreeBSD base system.

    II. Problem Description

    OpenSSH includes a feature by which a user can arrange for
    environmental variables to be set depending upon the key used for
    authentication. These environmental variables are specified in the
    `authorized_keys' (SSHv1) or `authorized_keys2' (SSHv2) files in the
    user's home directory on the server. This is normally safe, as this
    environment is passed only to the user's shell, which is invoked with
    user privileges.

    However, when the OpenSSH server `sshd' is configured to use
    the system's login program (via the directive `UseLogin yes' in
    sshd_config), this environment is passed to login, which is invoked
    with superuser privileges. Because certain environmental variables
    such as LD_LIBRARY_PATH and LD_PRELOAD can be set using the previously
    described feature, the user may arrange for login to execute arbitrary
    code with superuser privileges.

    All versions of FreeBSD 4.x prior to the correction date including
    FreeBSD 4.3 and 4.4 are potentially vulnerable to this problem.
    However, the OpenSSH server is configured to not use the system login
    program (`UseLogin no') by default, and is therefore not vulnerable
    unless the system administrator has changed this setting.

    In addition, there are two versions of OpenSSH included in the
    ports collection. One is ports/security/openssh, which is the
    BSD-specific version of OpenSSH. Versions of this port prior to
    openssh-3.0.2 exhibit the problem described above. The other is
    ports/security/openssh-portable, which is not vulnerable, even if the
    server is set to `UseLogin yes'.

    III. Impact

    Hostile but otherwise legitimate users that can successfully
    authenticate using public key authentication may cause /usr/bin/login
    to run arbitrary code as the superuser.

    If you have not enabled the 'UseLogin' directive in the sshd
    configuration file, you are not vulnerable to this problem.

    Now, what does this mean to you? It means that there's a flaw in login, and any user can gain escalated privileges if they can find a way to call it from a privileged program (if it was suid root, it'd be almost trivial to gain root privs without using telnetd or sshd). The email I pulled the info from was send on december 4th. It was corrected by FreeBSD december 3rd. Obviously in the last week, thousands of solaris boxes have been sitting open to vulnerabilities because they were not notified. And yet, you act as if everyone was told the second it was discovered.
    --
    Video for Online Dating Profiles