BoS: /etc/default/login LOCKOUT= creates arbitrary files (fwd)

[vermont () GATE NET (Illuminati Primus)]

Can anyone get the specifics on this?

---------- Forwarded message ----------
Date: Mon, 7 Apr 1997 10:41:57 -0400
From: Alan J Rosenthal <ajr () claret psychology mcmaster ca>
Reply-To: best-of-security () suburbia net
To: best-of-security () suburbia net
Subject: BoS:  /etc/default/login LOCKOUT= creates arbitrary files
Resent-Date: Tue, 8 Apr 1997 03:00:30 +1000 (EST)
Resent-From: best-of-security () suburbia net

[this is a retransmission, originally sent from flaps () dgp toronto edu, but I
think that for some reason e-mail from there to you is not getting through.]

Several modern unixes provide configuration options for security and logging
in a file called /etc/default/login.  Irix, and I assume some others but
perhaps it's an Irix invention, includes a variable "LOCKOUT" which causes an
account with a specified number of incorrect login attempts in a row to be
locked (one successful login resets the count).  This seems like a really good
idea, especially if you set the variable high enough that no one would ever be
locked out through mistakes whereas any automated password guessing program
(which ran over the net by telnetting in) would be stopped.  Since one
successful login clears the record, people are not able to accumulate the
requisite number of failures over an extended period of time so as to be
suddenly surprised one day.  It should be good, if not for the following
serious security flaw, at least in Irix, checked in both 5.3 and 6.2.

Login maintains the LOCKOUT-related data in the directory /var/adm/badlogin,
which it creates when first needed.  Each logname gets a one byte file; that
byte is the number of failed login attempts.

Some time after turning it on, I looked again at /var/adm/badlogin and was
astonished to find quite a lot of stuff in there.  It seems that whatever you
type to "login:" gets counted as a logname for LOCKOUT purposes.  So this
directory contained misspellings, and garbage, and line noise, AND passwords...

But that's not all.  Since it doesn't check the logname, you can type
pathnames.  Try this:

        IRIX (loser.net)

        login: ../../../etc/something
        Password:
        UX:login: ERROR: Login incorrect

You've now created an /etc/something.  This works.

I can't always overwrite existing files; I'm not sure why because sometimes I
can.  But it doesn't truncate the file, it just increments the first byte.
So the exploit is not obvious.  Those of you who see how to exploit this,
please keep it to yourself until people have some time to remove the LOCKOUT
feature setting from their /etc/default/logins on irix, and on whatever other
unixes share this lockout feature and also share the misplaced logging.

So everybody, please disable the LOCKOUT parameter in /etc/default/logins on
irixes by setting it to zero or commenting it out (that's how it ships), and
on whatever other unix platforms have it and have this security problem.
It's easily tested by telnetting as in the above example and then checking for
the existence of /etc/something.

For the vendor(s), the fix is obvious:  Only valid lognames should be logged
to /var/adm/badlogin, because that's all the information that's needed
anyway.  The purpose of this logging is to lock accounts from repeated bad
login attempts.  There's no such thing as locking a non-account.  Failed
logins are already logged in syslog.  So it's a question of moving the logging
inside an 'if' where it should have been for many reasons, including simply
the growing amount of garbage in my /var/adm/badlogin until I turned LOCKOUT
off this morning.

ajr <flaps () dgp utoronto ca>