Buffer overflow in Linux's login program

[im14u2c () cegt201 bradley edu (Joe Zbiciak)]

Hello all,

I was browsing through my local copy of the util-linux-2.[56] sources
and found a very nasty buffer-overflow problem.  Although I haven't
written an exploit (no time--moving from Illinois to Texas), it appears
that the standard stack-smashing techniques should prove workable.

The "login" program checks the username length when the user is asked
to type in the login name.  However, if the user *provides* a login
name with the "-f" flag, no such check is made.  I can successfully
get a segv with my binary with just over 1064 characters pushed into
-f's argument.

Here's a short diff which patches the problem:

401c401,402
<               (void)strcpy(tbuf, username);
---
>               (void)strncpy(tbuf, username, sizeof(tbuf)-2);
>               tbuf[sizeof(tbuf)-1]=0;

Interim fix:  remove SUID bit on /bin/login:  chmod a-s /bin/login

Long-term fix:  download util-linux-2.6, and apply the above patch.

Basically, by removing the SUID bit on /bin/login, users won't be able
to re-login by typing "exec login .........", and also won't be able
to compromise your host.  Normal login/logout should still work.  (Tried
it on my own systems, works just fine.)

I do not know if this is remotely exploitable.  My guess is not; however,
my common sense tells me not to discount this likelihood.

I am CC'ing this to the util-linux maintainer.

--Joe


--
:======= Joe Zbiciak =======:
:- - im14u2c () bradley edu - -:         "An ounce of image is worth
: - - - - - http: - - - - - :          a pound of performance."
://ee1.bradley.edu/~im14u2c/:
:======= DISCLAIMER: =======:                  -- Laurence J. Peter
:   It's all right... -  - --
-- -  -   I didn't do it!   :
(550:835 11:15)