Your sarcasm only shows how little you pay attention to unix security. The flaw in "login" has been around for a while, and has shown up on various security mailing lists. For instance, here is one from FreeBSD. From FreeBSD Security Advisory: FreeBSD-SA-01:63.openssh:
Category: core/ports
Module: openssh
Announced: 2001-12-02
Credits: Markus Friedl
Affects: FreeBSD 4.3-RELEASE, 4.4-RELEASE
         FreeBSD 4.4-STABLE prior to the correction date
         Ports collection prior to the correction date
Corrected: 2001-12-03 00:53:28 UTC (RELENG_4)
           2001-12-03 00:54:18 UTC (RELENG_4_4)
           2001-12-03 00:54:54 UTC (RELENG_4_3)
           2001-12-02 06:52:40 UTC (openssh port)
FreeBSD only: NO
I. Background
OpenSSH is an implementation of the SSH1 and SSH2 secure shell
protocols for providing encrypted and authenticated network access,
which is available free for unrestricted use. Versions of OpenSSH are
included in the FreeBSD ports collection and the FreeBSD base system.
II. Problem Description
OpenSSH includes a feature by which a user can arrange for
environmental variables to be set depending upon the key used for
authentication. These environmental variables are specified in the
`authorized_keys' (SSHv1) or `authorized_keys2' (SSHv2) files in the
user's home directory on the server. This is normally safe, as this
environment is passed only to the user's shell, which is invoked with
user privileges.
However, when the OpenSSH server `sshd' is configured to use
the system's login program (via the directive `UseLogin yes' in
sshd_config), this environment is passed to login, which is invoked
with superuser privileges. Because certain environmental variables
such as LD_LIBRARY_PATH and LD_PRELOAD can be set using the previously
described feature, the user may arrange for login to execute arbitrary
code with superuser privileges.
All versions of FreeBSD 4.x prior to the correction date including
FreeBSD 4.3 and 4.4 are potentially vulnerable to this problem.
However, the OpenSSH server is configured to not use the system login
program (`UseLogin no') by default, and is therefore not vulnerable
unless the system administrator has changed this setting.
In addition, there are two versions of OpenSSH included in the
ports collection. One is ports/security/openssh, which is the
BSD-specific version of OpenSSH. Versions of this port prior to
openssh-3.0.2 exhibit the problem described above. The other is
ports/security/openssh-portable, which is not vulnerable, even if the
server is set to `UseLogin yes'.
III. Impact
Hostile but otherwise legitimate users that can successfully
authenticate using public key authentication may cause /usr/bin/login
to run arbitrary code as the superuser.
If you have not enabled the 'UseLogin' directive in the sshd
configuration file, you are not vulnerable to this problem.
Now, what does this mean to you? It means that there's a flaw in login, and any user can gain escalated privileges if they can find a way to call it from a privileged program (if it was suid root, it'd be almost trivial to gain root privs without using telnetd or sshd). The email I pulled the info from was sent on December 4th. It was corrected by FreeBSD December 3rd. Obviously in the last week, thousands of Solaris boxes have been sitting open to vulnerabilities because they were not notified. And yet, you act as if everyone was told the second it was discovered.
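Added example, not part of the comment above or of the FreeBSD advisory: a defender's audit for the condition the advisory describes, namely UseLogin yes in sshd_config combined with an environment= key option that sets a dynamic-linker variable. The sample config and key lines are constructed, the function names are this example's own, and flagging every LD_* name (not only LD_PRELOAD and LD_LIBRARY_PATH) is an assumption.

```python
# Added example: audit for the UseLogin + environment= condition in the advisory.
# All sample data is constructed; key material is a placeholder.
SAMPLE_SSHD_CONFIG = "\n".join([
    "# constructed sample", "Port 22", "#UseLogin no", "UseLogin yes"])
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample",
    "ssh-rsa AAAAPLACEHOLDER alice@example",
    'environment="LD_PRELOAD=/home/alice/lib.so",no-pty ssh-rsa AAAAPLACEHOLDER alice@example',
    'command="echo a, b",environment="TZ=UTC" ssh-dss AAAAPLACEHOLDER bob@example',
    'environment="LD_LIBRARY_PATH=/tmp" 1024 35 1234567890 carol@example',  # SSHv1 layout
])

def uselogin_enabled(sshd_config_text):
    """True if the first active UseLogin line says yes (first value wins; default no)."""
    for raw in sshd_config_text.splitlines():
        tokens = raw.replace("=", " ").split()
        if len(tokens) >= 2 and tokens[0].lower() == "uselogin":
            return tokens[1].strip('"').lower() == "yes"
    return False

def split_options(line):
    """Return the leading option list of an authorized_keys line, quotes removed."""
    first = line.split(None, 1)[0]
    if first[0].isdigit() or first.startswith(("ssh-", "ecdsa-", "sk-")):
        return []  # line starts with the key itself, so it carries no options
    opts, cur, quoted, i = [], [], False, 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and quoted and line[i + 1:i + 2] == '"':
            cur.append('"')  # escaped quote inside a quoted value
            i += 2
            continue
        if ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            opts.append("".join(cur))
            cur = []
        elif ch in " \t" and not quoted:
            break  # unquoted whitespace ends the option field
        else:
            cur.append(ch)
        i += 1
    opts.append("".join(cur))
    return [o for o in opts if o]

def loader_variables(authorized_keys_text):
    """Return (line_number, variable) for each environment= option naming LD_*."""
    findings = []
    for number, raw in enumerate(authorized_keys_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        for opt in split_options(line):
            name, _, value = opt.partition("=")
            variable = value.partition("=")[0]
            if name.lower() == "environment" and variable.startswith("LD_"):
                findings.append((number, variable))
    return findings

def audit(sshd_config_text, authorized_keys_text):
    """Combine both checks; 'exposed' needs UseLogin yes AND a loader variable."""
    use_login = uselogin_enabled(sshd_config_text)
    found = loader_variables(authorized_keys_text)
    return {"uselogin": use_login, "loader_vars": found,
            "exposed": use_login and bool(found)}

if __name__ == "__main__":
    print(audit(SAMPLE_SSHD_CONFIG, SAMPLE_AUTHORIZED_KEYS))
```

A loader variable in a key file is worth reviewing even when UseLogin is off, since the setting can change later.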
Re:Let me guess... (moderators, read this) on Solaris, AIX Login Hole · Score: 2, Informative
The above comment is not offtopic. The above comment refers to trojanning C compilers to put a back door into login programs. This was not only written about by Ken Thompson (linked in the article above), but successfully accomplished by a bastard of a programmer.
Thus, the above comment is on topic, just over someone's head.
because it's the default homepage for Internet Explorer, and as we all know, 90% of people don't bother to change their defaults
Unless you buy your computer from an OEM, such as HP, which sets their startup page to a Yahoo-based, but HP customized portal.
I absolutely agree with you. It's very easy to see the correlation between different addictions, especially on college campuses.
In a quick, informal study of my friends at this school, I found three of the ten rooms I visited inhabited by people playing some computer game, either Half Life or Civ3, by students who SHOULD have been in class. Two others were playing Half Life, but had no class to attend. The remaining five were watching tv.
Of the five playing games, all five are heavy drinkers, and occasionally smoke illegal substances. The other five rarely drink, and certainly don't smoke. Does the drinking and smoking cause the gaming addiction? Certainly not, but it does show some level of correlation between a person's chance of becoming addicted to any individual substance or activity.
And then, there's me, who should be in class, but instead I'm programming... I drink, but not as often, but don't smoke... I guess I'm somewhere in the middle of the addiction hierarchy.
From SonicBlue (aka ReplayTV): USPTO patent number 6,324,338 also covers methodology that creates, names, prioritizes and manages recorded programs on the hard drive for DVRs.
"This patent and other forthcoming ReplayTV patents will establish SONICblue as the leading provider of Digital Video Recording technology," said Ken Potashner, chairman and CEO, SONICblue. "Over the next five to seven years, we expect the DVR to become as prevalent in the home as the VCR is today."
From Tivo: TiVo, headquartered in Sunnyvale, Calif. is the creator of personal television. TiVo's easy-to-use service and patented consumer electronics technology will allow consumers to take control of their television viewing experience by teaching TiVo their likes and dislikes.
So, it's going to come down to a lawsuit. Whichever company can show they had the first working, worthwhile thoughts will eventually be able to force the other to pay royalties. Does this mean either will go out of business? Probably not, it just means one is going to be $10/box more, and that $10 might be going to the competitor instead of the CEO.
And for those of you who prefer to play with these things yourself ("strings virus.xxx" always turns up something interesting...), I posted a copy (which happened to come from two people on the FreeBSD security mailing list), here (standard disclaimer: it's not my fault if you run it instead of saving it, blah blah blah).
On a slightly related note, I especially like the popup message displayed when you run the virus... obviously a virus, right? Then why have I gotten multiple copies from the same person, obviously someone who tried to run it two or three times?
I'm guessing since they haven't found any remains (as of yet) the villagers must have known what was about to happen. I also wonder how big this city was in terms of population and influence.
From the article:
``For the first time we can see things about prehistoric life that we had only imagined,'' Vecchio said. ``People didn't have time to grab their things when they fled, so we can see what they ate, how they cooked, what social life was like.''
Explorations so far have revealed three huts up to 26 feet high, pots full of grains, sheep bones, a cage holding the bones of pregnant goats and hunting and cooking tools made from other bones.
So, apparently, they were given a small amount of warning, but not much. This is typical of the volcanos in the region, and in fact, most volcanos on earth: large, devastating eruptions typically follow a day or two of small earthquakes, accompanied by small eruptions and occasional small fissures opening in the ground. This provides a lot of warning for those in the immediate area: people know they need to escape, so they leave; they don't know how much time they have, so they tend to leave things behind. The result is that the city is left in near perfect condition (perfect being relative, obviously it was completely destroyed), yet very few people seem to have been killed.
While for the most part, his ramblings and rants serve no real purpose, towards the end of his article there was something that struck me as worthwhile:
So. What might we do with crypto, if we were smart and constructive about it, and let bygones be bygones, and if we could pacify the brawling among dysfunctional interest groups who clearly are not mature enough to handle it? Well, my first suggestion would be crypto in passports. Because passports suck. It's time we dumped these ludicrously insecure and easily forgeable paper passports, and went for something a lot chippier.
Why not use a PGP/GPG like signature on passports? Or drivers licenses for that matter? A simple national key for signing all visas, passports, or other means of identification could easily verify the validity of such a piece of paper. It would be hard to forge, and easy to verify.
Bruce also made some rather silly/stupid comments:
You know what I want? I don't want a National ID Card. I want a Global Coalition Visa.
Now, I was all for the national ID card when the idea was first proposed. It seemed worthwhile at the time: every person known to have terrorist connections could be tracked; airlines could notify the government of movement, the government could warn the airlines that a suspected terrorist was on a plane. I realized the negative possibilities of this system, and have since changed my viewpoint, now seeing it as a possible way to eliminate virtually any privacy that even remotely exists on a personal level. A global card would be remarkably worse: not only would one not have any privacy at home, one would not have any privacy away from home; escape would become impossible. I, for one, have always assumed that IF domestic policies ever got to the point that they seriously bothered me, I would leave. A global card leaves you with no destination.
Oh how I loved this game in the early 1990's, and oh how I love it with a modern graphics engine. This one is one not to miss. I literally sweat while playing this game!
While I certainly agree with you in your assertion that Wolfenstein is a great game, I question its quality in a family setting. I certainly would not want anyone younger than, say, 10 playing this game. Killing Nazis is fine for teenagers, but should probably be avoided for anyone younger than 10.
A second game for the teenage age that I would certainly recommend is Halflife. Yes, it's been out forever. But, for people who don't have brand new 2.0 ghz p4's or 1900+ Athlon XP's, Halflife offers a game that is easy on older hardware, has an active online multiplayer community, and is really fun to play.
For those who aren't yet teenagers, or who don't enjoy killing people for sport, I'd suggest any of the recent sims. In fact, I'd actually support the purchase of some of the sim clones: they cost less, and, for the most part, are completely up to par with the originals.
---
My opinions aren't necessarily the opinions of anyone else, in fact, they're usually wrong.
Is it? It certainly has some competition!
Both companies claim they have patents....
I'll politely ignore your second comment.