
Re: Fwd: Linux distributions and /bin/login overflow



hi
it seems that potato is vulnerable... 
at the console, i entered root at the login: prompt and some bullshit
as the password. everything seemed fine, i got a login incorrect message
and another login: prompt. now i pressed CTRL-D, and voila:

Dec 20 11:16:27 upcrouter kernel: Security: signal 11 (read or execute
addr 0x00000000) sent to login[8421], UID 0, EUID 0, parent init[1], UID
0, EUID 0, by login[8421], UID 0, EUID 0, parent init[1], UID 0, EUID 0

it seems that openwall caught the attack. if i pressed CTRL-D at the
first prompt, i just got a login incorrect message. 

i made another check by logging in and starting login as root from the
command prompt and simply pressing CTRL-D at the login: prompt:

upcrouter:~# login
upcrouter login: 
Segmentation fault
upcrouter:~# 

these checks were made on potato r3 with recent updates, running kernel
2.2.20 with openwall, hap-2 and stealth patches.

i checked this on an unpatched woody box as well and i didn't succeed.

comments?

On Thu, 2001-12-20 at 01:06, victor wrote:
> This is a forwarded message
> From: Anton Rager <a_rager@yahoo.com>
> To: bugtraq@securityfocus.com
> Date: Thursday, December 20, 2001, 12:04:59 AM
> Linux distributions and /bin/login overflow
> ===8<==============Original message text===============
> Hello,
> 
> It seems that while Redhat Linux and Caldera Linux
> distributions are immune to the recent /bin/login
> environ overflow, other Linux distributions are not. 
> Several Linux distributions install /bin/login with
> SysV login options enabled.
> 
> Slackware 8.0 and lower [tested with 8.0, 4.0, 3.3]
> has SysV options enabled with /bin/login and is
> vulnerable.
> 
> SuSE 6.1 has SysV options enabled with /bin/login and
> is vulnerable.  I don't have a newer SuSE release, so
> others will need to verify. It would seem logical that
> SuSE 8.3 still includes the SysV login options
> enabled, and is probably vulnerable as well.
> 
> Other distributions should be checked as well.  A
> quick way to check for SysV option capabilities is to
> type "login", then enter "root testenv1=test" at the
> login: prompt.  Supply your root passwd, and look for
> "testenv1" in the output of set.  If it's set, then
> your copy of /bin/login supports SysV options.....and
> is probably vulnerable. Follow similar procedure to
> find overflow possibility/specifics ;)
> 
> 
> Regards,
> 
> Anton Rager
> a_rager@yahoo.com
> 
> ===8<===========End of original message text===========
-- 
__________________________________________
Gergely Trifonov    mailto:gergely.trifonov@indweb.hu                   
System Administrator, WSD
 
IND - Interactive Net Design      http://www.indweb.hu
Széchenyi u. 70.        H - 3530 Miskolc          Hungary
Phone: +36 46 505 106              Fax: +36 46 505 107
                    Mobile: +36 20 395 6476

!Please install IND CA Certification as TRUSTED CA!
                  https://www.indweb.hu/IND.crt
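
Added example (not part of the original message or of any project's code): a small log check that picks out kernel "Security: signal" lines like the one quoted above when the crashing process is login running with EUID 0. The pattern is modelled only on that one quoted line, so other message variants, the WATCHED set and the second and third sample lines are assumptions constructed for illustration.

```python
import re

def _proc(tag):
    # Matches "login[8421], UID 0, EUID 0" and names the groups after `tag`.
    return (rf"(?P<{tag}>[^\s\[]+)\[(?P<{tag}_pid>\d+)\], "
            rf"UID (?P<{tag}_uid>\d+), EUID (?P<{tag}_euid>\d+)")

SIGNAL_RE = re.compile(
    r"kernel: Security: signal (?P<signal>\d+) \((?P<detail>[^)]*)\) sent to "
    + _proc("target") + r", parent " + _proc("parent"))

CRASH_SIGNALS = {4, 7, 11}  # SIGILL, SIGBUS, SIGSEGV on Linux/x86
WATCHED = {"login"}         # privileged programs to alert on (assumption)

# Line 1 is the log line from the message, unwrapped; lines 2-3 are constructed.
SAMPLE_LOG = """\
Dec 20 11:16:27 upcrouter kernel: Security: signal 11 (read or execute addr 0x00000000) sent to login[8421], UID 0, EUID 0, parent init[1], UID 0, EUID 0, by login[8421], UID 0, EUID 0, parent init[1], UID 0, EUID 0
Dec 20 11:17:02 upcrouter kernel: Security: signal 11 (read or execute addr 0x00000000) sent to a.out[8500], UID 1000, EUID 1000, parent bash[8400], UID 1000, EUID 1000, by a.out[8500], UID 1000, EUID 1000, parent bash[8400], UID 1000, EUID 1000
Dec 20 11:18:40 upcrouter login[8422]: FAILED LOGIN 1 FROM (null) FOR root
"""

def parse_line(line):
    """Return the fields of a 'Security: signal' line, or None if no match."""
    m = SIGNAL_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    for key in ev:
        if key == "signal" or key.endswith(("pid", "uid")):
            ev[key] = int(ev[key])
    return ev

def root_login_crashes(log_text):
    """Events where a watched program with EUID 0 received a crash signal."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if (ev and ev["target"] in WATCHED and ev["target_euid"] == 0
                and ev["signal"] in CRASH_SIGNALS):
            hits.append(ev)
    return hits

if __name__ == "__main__":
    for ev in root_login_crashes(SAMPLE_LOG):
        print("ALERT: %(target)s[%(target_pid)d] got signal %(signal)d "
              "(%(detail)s), parent %(parent)s[%(parent_pid)d]" % ev)
```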


