Bugtraq mailing list archives

Re: Linux distributions and /bin/login overflow


From: Roman Drahtmueller <draht () suse de>
Date: Thu, 20 Dec 2001 06:21:10 +0100 (MET)


> Hello,

Hello, too!

[...]

> It seems that while Redhat Linux and Caldera Linux
> distributions are immune to the recent /bin/login
> environ overflow, other Linux distributions are not.
> Several Linux distributions install /bin/login with
> SysV login options enabled.
>
> Slackware 8.0 and lower [tested with 8.0, 4.0, 3.3]
> has SysV options enabled with /bin/login and is
> vulnerable.
>
> SuSE 6.1 has SysV options enabled with /bin/login and
> is vulnerable.  I don't have a newer SuSE release, so
> others will need to verify. It would seem logical that
> SuSE 8.3 still includes the SysV login options
> enabled, and is probably vulnerable as well.


While it still may be a bad idea for a whole variety of reasons, the sole
fact that some implementations of /bin/login allow for environment to be
passed on to the shell after authentication does not mean that the
program is vulnerable to the problems as discovered with the SysV derived
implementations.

To be more precise (grep the source for the word "disaster" to find the
spot): The login programs in SuSE 6.0 and 6.1 gladly pass on environment
specified as

silence login: draht variable=value
Password:

up to a maximum number of 32 variables. If the args to the user name do
not contain a "=" character, the arguments will show up in the environment
as $L1, $L2, ... where arguments are separated by whitespace and ",". An
overflow does not happen, or please prove me wrong.

For the login programs in SuSE distributions before and including 6.1
there is no such thing as "SysV login options enabled". Environment
passing is a non-configurable feature.
The SuSE Linux distributions 6.0 and 6.1 were the last ones without
PAM'ified authentication schemes. All newer distributions use PAM
authentication modules that do not pass on environment as specified on
the user input prompt (user + password prompting happens beyond the scope
of the login program).

SuSE Linux users who use a distribution before 6.4 are greatly encouraged
to upgrade to a new release since distributions before SuSE Linux 6.4 have
been discontinued a long while ago.


> Other distributions should be checked as well.  A
> quick way to check for SysV option capabilities is to
> type "login", then enter "root testenv1=test" at the
> login: prompt.  Supply your root passwd, and look for
> "testenv1" in the output of set.  If it's set, then
> your copy of /bin/login supports SysV options.....and
> is probably vulnerable. Follow similar procedure to
> find overflow possibility/specifics ;)
>
>
> Regards,
>
> Anton Rager
> a_rager () yahoo com

Thanks,
Roman.
-- 
 -                                                                      -
| Roman Drahtmüller      <draht () suse de> // "You don't need eyes to see, |
  SuSE GmbH - Security           Phone: //             you need vision!"
| Nürnberg, Germany     +49-911-740530 //           Maxi Jazz, Faithless |
 -                                                                      -
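
A bounded parser for the argument handling described in the message above, as an added example that is not part of the original post and is not taken from the SuSE login source. The function name `parse_login_args`, the `dropped` counter and the sample input are assumptions; the limit of 32 entries, the "=" test, the L1/L2 naming and the separators follow the message.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_LOGIN_ENV 32          /* limit stated in the message */
#define SEPARATORS    " \t,"      /* whitespace and "," */

/* Hypothetical helper: turn the text typed after the user name into
 * environment strings. "name=value" tokens are kept as typed; tokens
 * without "=" become L1=..., L2=... Returns the number of entries stored
 * in env[] (each malloc'd); *dropped counts tokens refused at the limit. */
int parse_login_args(const char *args, char *env[MAX_LOGIN_ENV], int *dropped)
{
    int n = 0, lnum = 0;

    *dropped = 0;
    for (;;) {
        args += strspn(args, SEPARATORS);        /* skip separators */
        size_t len = strcspn(args, SEPARATORS);  /* token length */
        if (len == 0)
            break;
        if (n >= MAX_LOGIN_ENV) {   /* bound check: env[] never overruns */
            (*dropped)++;
        } else {
            /* room for "L" + up to 2 digits + "=" + token + NUL */
            char *e = malloc(len + 8);
            if (e == NULL)
                break;
            if (memchr(args, '=', len) != NULL)
                snprintf(e, len + 8, "%.*s", (int)len, args);
            else
                snprintf(e, len + 8, "L%d=%.*s", ++lnum, (int)len, args);
            env[n++] = e;
        }
        args += len;
    }
    return n;
}

int main(void)
{
    char *env[MAX_LOGIN_ENV];
    int dropped;
    /* constructed sample input, as typed after the user name */
    int n = parse_login_args("variable=value vt100,console", env, &dropped);
    for (int i = 0; i < n; i++) {
        puts(env[i]);
        free(env[i]);
    }
    return dropped;
}
```

The fixed-size array is safe only because the count is checked before every store; a parser that stores first and counts afterwards, or does not count at all, is where an overrun of this kind comes from.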

