[UNIX] Buffer Overflow in /bin/login

From: support@securiteam.com
Date: 12/12/01


From: support@securiteam.com
To: list@securiteam.com
Date: Wed, 12 Dec 2001 23:00:00 +0100 (CET)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Buffer Overflow in /bin/login
------------------------------------------------------------------------

SUMMARY

ISS X-Force has discovered a serious vulnerability in the "login" program
present in Sun Solaris systems. Login allows users to sign on to the
system by entering a username and password. This vulnerability allows
remote attackers to execute arbitrary commands on a target system with
superuser privilege. Systems are vulnerable to this issue only if certain
types of interactive connections are allowed, such as Telnet or Rlogin.
These services are enabled by default on most platforms. X-Force has
learned that an exploit for this vulnerability has been made public.

DETAILS

Affected versions:
Sun Microsystems Solaris 8 and earlier

* Note: Other System V derived UNIX operating systems may also be affected;
this has not been confirmed.

A static buffer overflow vulnerability is present in the Sun Solaris
implementation of "login", otherwise known as "/bin/login" for its
location in the file system. Login is executed to authenticate remote
users as they initiate clear-text terminal connections over a network.
These types of connections are ubiquitous in modern networked
environments.

Login incorrectly handles long environment variables passed to it by
in.telnetd, in.rlogind, or any other similar daemon that operates in
conjunction with login. No local account or special knowledge of the
target is needed to successfully exploit this vulnerability.

There are secure alternatives to using Telnet and Rlogin that are not
vulnerable to this issue. Secure Shell (SSH) implements encrypted terminal
connections, and it is designed to replace insecure protocols like Telnet
and Rlogin. Recent versions of SSH implement their own version of the
login program, and are not vulnerable. However, some versions of SSH may
be configured to interact with login, and may be vulnerable in this
configuration.

Recommendations:
There is no simple workaround for this issue. However, disabling all
default terminal communications services and installing SSH will eliminate
the vulnerability.
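The two checks a Solaris administrator would run against the paragraphs above, as an added example that is not part of the advisory or of Sun's patches: list and disable the inetd entries that hand a session to /bin/login (telnet and rlogin), and flag the OpenSSH UseLogin directive, which is the "SSH configured to interact with login" case the advisory warns about. File paths and the inetd.conf line format are assumed to be the conventional Solaris ones.

```shell
#!/bin/sh
# Added audit helper, not part of the advisory or of Sun's tooling.
# Assumes the classic Solaris layout: /etc/inetd.conf service lines of the
# form "telnet stream tcp6 nowait root /usr/sbin/in.telnetd in.telnetd",
# and OpenSSH's sshd_config with its UseLogin directive.

# List enabled inetd entries that hand a session to /bin/login:
# "telnet" (in.telnetd) and "login" (in.rlogind). Returns 1 if any are on.
audit_inetd_login_services() {
    conf="${1:-/etc/inetd.conf}"
    found=$(grep -E '^(telnet|login)[[:space:]]' "$conf" 2>/dev/null || true)
    if [ -n "$found" ]; then
        printf 'clear-text login services enabled in %s:\n%s\n' "$conf" "$found"
        return 1
    fi
    return 0
}

# Comment those entries out (backup kept as <conf>.bak) and, when editing
# the live file, make inetd re-read it. Other services are left untouched.
disable_inetd_login_services() {
    conf="${1:-/etc/inetd.conf}"
    cp "$conf" "$conf.bak" || return 1
    sed -e 's/^telnet[[:space:]]/#&/' -e 's/^login[[:space:]]/#&/' \
        "$conf.bak" > "$conf" || return 1
    if [ "$conf" = /etc/inetd.conf ]; then
        pkill -HUP inetd
    fi
    return 0
}

# The "SSH configured to interact with login" case: OpenSSH's UseLogin
# makes sshd run /bin/login for interactive sessions. Returns 1 if set.
audit_sshd_uselogin() {
    conf="${1:-/etc/ssh/sshd_config}"
    if grep -Eiq '^[[:space:]]*UseLogin[[:space:]]+yes' "$conf" 2>/dev/null; then
        printf 'UseLogin yes in %s: sshd sessions also pass through /bin/login\n' "$conf"
        return 1
    fi
    return 0
}

# Usage: sh audit_login.sh [inetd.conf] [sshd_config]
if [ $# -gt 0 ]; then
    audit_inetd_login_services "$1"
    audit_sshd_uselogin "${2:-/etc/ssh/sshd_config}"
fi
```

Disabling the services only removes the exposure; the login binary itself still needs the vendor patch once it ships.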

ISS X-Force urges that all vulnerable machines be patched as soon as the
vendor releases these updates. This advisory is being released before
patches are available, because the exploit for this vulnerability has been
made public.

Sun Microsystems, Inc.
Sun has reproduced the vulnerability and is testing a fix. Sun T-patches
are now available for this vulnerability. Official patches will soon be
available at the following location:
http://sunsolve.sun.com/securitypatch

ADDITIONAL INFORMATION

The information has been provided by X-Force (xforce@iss.net).

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

========================================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
