Re: Fwd: Linux distributions and /bin/login overflow
hi
it seems that potato is vulnerable...
at the console, i entered root at the login: prompt and some bullshit
as the password. everything seemed fine, i got a login incorrect message
and another login: prompt. now i pressed CTRL-D, and voila:
Dec 20 11:16:27 upcrouter kernel: Security: signal 11 (read or execute
addr 0x00000000) sent to login[8421], UID 0, EUID 0, parent init[1], UID
0, EUID 0, by login[8421], UID 0, EUID 0, parent init[1], UID 0, EUID 0
it seems that openwall caught the attack. if i pressed CTRL-D at the
first prompt, i just got a login incorrect message.
i made another check by logging in and starting login as root from the
command prompt and simply pressing CTRL-D at the login: prompt:
upcrouter:~# login
upcrouter login:
Segmentation fault
upcrouter:~#
these checks were made on potato r3 with recent updates, running kernel
2.2.20 with openwall, hap-2 and stealth patches.
i checked this on an unpatched woody box as well and i didn't succeed.
comments?
On Thu, 2001-12-20 at 01:06, victor wrote:
> This is a forwarded message
> From: Anton Rager <a_rager@yahoo.com>
> To: bugtraq@securityfocus.com
> Date: Thursday, December 20, 2001, 12:04:59 AM
> Linux distributions and /bin/login overflow
> ===8<==============Original message text===============
> Hello,
>
> It seems that while Redhat Linux and Caldera Linux
> distributions are immune to the recent /bin/login
> environ overflow, other Linux distributions are not.
> Several Linux distributions install /bin/login with
> SysV login options enabled.
>
> Slackware 8.0 and lower [tested with 8.0, 4.0, 3.3]
> has SysV options enabled with /bin/login and is
> vulnerable.
>
> SuSE 6.1 has SysV options enabled with /bin/login and
> is vulnerable. I don't have a newer SuSE release, so
> others will need to verify. It would seem logical that
> SuSE 8.3 still includes the SysV login options
> enabled, and is probably vulnerable as well.
>
> Other distributions should be checked as well. A
> quick way to check for SysV option capabilities is to
> type "login", then enter "root testenv1=test" at the
> login: prompt. Supply your root passwd, and look for
> "testenv1" in the output of set. If it's set, then
> your copy of /bin/login supports SysV options.....and
> is probably vulnerable. Follow similar procedure to
> find overflow possibility/specifics ;)
>
>
> Regards,
>
> Anton Rager
> a_rager@yahoo.com
>
> ===8<===========End of original message text===========
--
__________________________________________
Gergely Trifonov mailto:gergely.trifonov@indweb.hu
System Administrator, WSD
IND - Interactive Net Design http://www.indweb.hu
Széchenyi u. 70. H - 3530 Miskolc Hungary
Phone: +36 46 505 106 Fax: +36 46 505 107
Mobile: +36 20 395 6476
!Please install IND CA Certification as TRUSTED CA!
https://www.indweb.hu/IND.crt
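
Added example, not part of the original message or of any kernel patch's tooling: a small log check that picks fatal-signal records like the one quoted above out of syslog and reports those hitting EUID 0 processes or authentication programs. The field layout is inferred from that single quoted line, and the watch list, the second to fourth sample lines and the 0x1000 "near null" cutoff are assumptions of the example.

```python
import re

# Field layout is inferred from the one log line quoted in the message;
# treating it as a stable format is an assumption of this example.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]+) (?P<host>\S+) kernel: Security: "
    r"signal (?P<sig>\d+) \((?P<reason>[^)]*)\) sent to "
    r"(?P<comm>[^\[\s]+)\[(?P<pid>\d+)\], UID (?P<uid>\d+), EUID (?P<euid>\d+)"
)
ADDR_RE = re.compile(r"addr (0x[0-9a-fA-F]+)")
FATAL = {4: "SIGILL", 7: "SIGBUS", 11: "SIGSEGV"}  # Linux/x86 signal numbers
WATCHED = {"login", "su", "passwd"}  # hypothetical watch list of auth programs

# First entry is the line from the message, re-joined; the rest are constructed.
SAMPLE = [
    "Dec 20 11:16:27 upcrouter kernel: Security: signal 11 (read or execute "
    "addr 0x00000000) sent to login[8421], UID 0, EUID 0, parent init[1], UID "
    "0, EUID 0, by login[8421], UID 0, EUID 0, parent init[1], UID 0, EUID 0",
    "Dec 20 11:17:02 upcrouter kernel: Security: signal 11 (read or execute "
    "addr 0x0804f2c0) sent to login[8430], UID 0, EUID 0, parent init[1]",
    "Dec 20 11:18:40 upcrouter kernel: Security: signal 11 (read or execute "
    "addr 0x00000010) sent to viewer[912], UID 1000, EUID 1000, parent bash[850]",
    "Dec 20 11:19:00 upcrouter cron[77]: constructed unrelated line",
]

def parse(line):
    """Return the record's fields as a dict, or None if the line does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ev = m.groupdict()
    for key in ("sig", "pid", "uid", "euid"):
        ev[key] = int(ev[key])
    a = ADDR_RE.search(ev["reason"])
    ev["addr"] = int(a.group(1), 16) if a else None
    return ev

def alerts(lines):
    """Return fatal-signal events for EUID 0 or watched programs."""
    out = []
    for ev in filter(None, map(parse, lines)):
        if ev["sig"] in FATAL and (ev["euid"] == 0 or ev["comm"] in WATCHED):
            addr = ev["addr"]
            out.append({"host": ev["host"], "comm": ev["comm"], "pid": ev["pid"],
                        "signal": FATAL[ev["sig"]],
                        "near_null": addr is not None and addr < 0x1000})
    return out

if __name__ == "__main__":
    for alert in alerts(SAMPLE):
        print(alert)
```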