Bugtraq mailing list archives
Buffer overflow in Linux's login program
From: im14u2c () cegt201 bradley edu (Joe Zbiciak)
Date: Sun, 22 Dec 1996 09:27:24 -0600
Hello all,

I was browsing through my local copy of the util-linux-2.[56] sources and found a very nasty buffer-overflow problem. Although I haven't written an exploit (no time--moving from Illinois to Texas), it appears that the standard stack-smashing techniques should prove workable.

The "login" program checks the username length when the user is asked to type in the login name. However, if the user *provides* a login name with the "-f" flag, no such check is made. I can successfully get a segv with my binary with just over 1064 characters pushed into -f's argument.

Here's a short diff which patches the problem:

401c401,402
< (void)strcpy(tbuf, username);
---
(void)strncpy(tbuf, username, sizeof(tbuf)-2); tbuf[sizeof(tbuf)-1]=0;
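Review bot: the replacement line copies one byte fewer than the buffer can hold and leaves tbuf[sizeof(tbuf)-2] unwritten whenever username is long enough to be truncated. strncpy() with a length of sizeof(tbuf)-2 writes at most indices 0..sizeof(tbuf)-3 and stores no terminator on truncation, so the explicit tbuf[sizeof(tbuf)-1]=0 is what keeps the result a valid string, but the byte in between is whatever tbuf held before the call. Using sizeof(tbuf)-1 as the strncpy length together with the same tbuf[sizeof(tbuf)-1]=0 gives a correctly terminated copy with no gap. Separately, since login already rejects over-long names typed at the prompt, rejecting an over-long -f argument rather than silently truncating it would keep the two code paths consistent; the diff as written accepts a truncated name.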
Interim fix: remove SUID bit on /bin/login:

chmod a-s /bin/login

Long-term fix: download util-linux-2.6, and apply the above patch.

Basically, by removing the SUID bit on /bin/login, users won't be able to re-login by typing "exec login .........", and also won't be able to compromise your host. Normal login/logout should still work. (Tried it on my own systems, works just fine.)

I do not know if this is remotely exploitable. My guess is not; however, my common sense tells me not to discount this likelihood.

I am CC'ing this to the util-linux maintainer.

--Joe

--
Joe Zbiciak
im14u2c () bradley edu
http://ee1.bradley.edu/~im14u2c/
"An ounce of image is worth a pound of performance." -- Laurence J. Peter
DISCLAIMER: It's all right... I didn't do it!
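The defect described in the post is an unbounded strcpy() of a caller-supplied name into a fixed stack buffer, and the fix is a bounded copy with a forced terminator. The following is an added example, not code from the post or from util-linux, showing the two defensible ways to bound that copy: the truncating idiom the patch uses (with the length corrected to sizeof-1 so no byte is skipped) and a strict variant that rejects names that do not fit, which mirrors the length check login already performs at the prompt. TBUF_SIZE is a constructed placeholder; the real size of tbuf in login.c is not given on the page.

```c
#include <stdio.h>
#include <string.h>

/* Constructed placeholder for the size of the fixed stack buffer that
 * the fix bounds; the actual tbuf size in login.c is not on the page. */
#define TBUF_SIZE 64

/* Approach 1: bounded copy with forced termination, as in the patch.
 * strncpy() writes no terminator when src has at least dstsize-1 bytes,
 * so dst[dstsize-1] = '\0' is what makes the result a valid C string.
 * Returns 1 if the name was truncated, 0 if it fit, -1 on a zero-size dst. */
int copy_name_truncating(char *dst, size_t dstsize, const char *src)
{
    if (dstsize == 0)
        return -1;
    strncpy(dst, src, dstsize - 1);    /* at most dstsize-1 bytes copied */
    dst[dstsize - 1] = '\0';           /* always terminate */
    return strlen(src) >= dstsize ? 1 : 0;
}

/* Approach 2: reject over-long names outright, consistent with the check
 * login applies to names typed at the prompt. Never reads more than
 * dstsize bytes of src, so an unterminated argument cannot be over-read.
 * Returns 0 on success (dst holds the name), -1 if it would not fit
 * (dst is left untouched). */
int copy_name_strict(char *dst, size_t dstsize, const char *src)
{
    if (dstsize == 0)
        return -1;
    /* Look for the terminator within the first dstsize bytes only. */
    const char *end = memchr(src, '\0', dstsize);
    if (end == NULL)
        return -1;                     /* name needs >= dstsize bytes */
    size_t len = (size_t)(end - src);
    memcpy(dst, src, len + 1);         /* copy including the terminator */
    return 0;
}

int main(void)
{
    char tbuf[TBUF_SIZE];

    /* Constructed inputs: a normal name and one far longer than tbuf,
     * standing in for a short and an over-long "-f" argument. */
    const char *normal = "joe";
    char overlong[2000];
    memset(overlong, 'A', sizeof overlong - 1);
    overlong[sizeof overlong - 1] = '\0';

    printf("strict, normal name:    %d\n",
           copy_name_strict(tbuf, sizeof tbuf, normal));
    printf("strict, overlong name:  %d\n",
           copy_name_strict(tbuf, sizeof tbuf, overlong));
    printf("truncating, overlong:   %d (stored length %zu)\n",
           copy_name_truncating(tbuf, sizeof tbuf, overlong), strlen(tbuf));
    return 0;
}
```

Either function can replace the original strcpy() call; the strict form is the one that preserves the behaviour users already get at the prompt, since a name that is too long is refused rather than silently shortened into a different account name.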