__________________________________________________________

             The U.S. Department of Energy
          Computer Incident Advisory Center
__________________________________________________________

                    INFORMATION BULLETIN

           Buffer Overflow in System V Derived Login
                [CERT Advisory CA-2001-34]

December 21, 2001 20:00 GMT                                    Number M-031
______________________________________________________________________________
PROBLEM:       A vulnerability has been discovered in the login program for
               many System V-derived Unix implementations that allows
               unauthorized root access.

PLATFORM:      IBM AIX versions 4.3 and 5.1
               Hewlett-Packard's HP-UX
               SCO OpenServer 5.0.6 and earlier
               SGI IRIX 3.x
               Sun Solaris 8 and earlier

DAMAGE:        This vulnerability can be remotely exploited to gain the
               privileges of the invoker of login. Programs such as telnetd,
               rlogind, and other suid root programs will allow root access
               to the system.

SOLUTION:      Apply the patch from your vendor.
______________________________________________________________________________
VULNERABILITY  The risk is HIGH. A remote attacker could exploit this
ASSESSMENT:    vulnerability and gain root access to the system.
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/m-031.shtml
 ORIGINAL BULLETIN:  http://www.cert.org/advisories/CA-2001-34.html
 PATCHES:            NOTE: PLEASE REVIEW CERT'S BULLETIN APPENDIX A FOR
                     VENDOR PRODUCT UPDATES AND REVISIONS.
______________________________________________________________________________

[***** Start CERT Advisory CA-2001-34 *****]

CERT Advisory CA-2001-34 Buffer Overflow in System V Derived Login

   Original release date: December 12, 2001
   Last revised: --
   Source: CERT/CC

   A complete revision history can be found at the end of this file.
Systems Affected

   * IBM AIX versions 4.3 and 5.1
   * Hewlett-Packard's HP-UX
   * SCO OpenServer 5.0.6 and earlier
   * SGI IRIX 3.x
   * Sun Solaris 8 and earlier

Overview

   Several applications use login for authentication to the system. A
   remotely exploitable buffer overflow exists in login derived from
   System V. Attackers can exploit this vulnerability to gain root access
   to the server.

I. Description

   Several implementations of login that are derived from System V allow a
   user to specify arguments such as environment variables to the process.
   An array of buffers is used to store these arguments. A flaw exists in
   the checking of the number of arguments accepted. This flaw permits the
   array of buffers to be overflowed.

   On most systems, login is not suid; therefore, it runs as the user who
   called it. If, however, login is called by an application that runs with
   greater privileges than those of the user, such as telnetd or rlogind,
   then the user can exploit this vulnerability to gain the privileges of
   that program. In the case of telnetd or rlogind, root access is gained.
   Since in.telnetd and in.rlogind are available over the network, a remote
   attacker without any previous access to the system could use this
   vulnerability to gain root access to the system.

   If a program that invokes login is suid (or sgid) USER_A, then this can
   be exploited to gain the privileges of USER_A.

   An exploit exists and may be circulating.

II. Impact

   This vulnerability can be remotely exploited to gain privileges of the
   invoker of login. In the case of a program such as telnetd, rlogind, or
   other suid root programs, root access is gained.

III. Solution

Apply a patch from your vendor

   Appendix A contains information provided by vendors for this advisory.
   As vendors report new information to the CERT/CC, we will update this
   section and note the changes in our revision history. If a particular
   vendor is not listed below, we have not received their comments.
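   As an added illustration of the argument-count defect described in
   section I, the following constructed C model shows a bound check of the
   defective kind beside a corrected one and a collector that bounds on the
   array's capacity rather than on the caller's count. It is not code from
   any listed vendor's login; the capacity MAX_ENV_ARGS, the off-by-one
   form of the defect and the argument names are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of the pattern section I describes: login stores the
 * "NAME=value" arguments it is handed in a fixed-size array of pointers.
 * MAX_ENV_ARGS is an assumed, illustrative capacity, not a vendor's value. */
#define MAX_ENV_ARGS 4

/* Hypothetical defective bound check: "<=" lets a caller store an entry at
 * index MAX_ENV_ARGS, one slot past the end of the array. This illustrates
 * the class of flaw only; it is not any listed vendor's actual code. */
int flawed_check_accepts(int count) {
    return count <= MAX_ENV_ARGS;
}

/* Corrected bound check: valid indices are 0 .. MAX_ENV_ARGS-1. */
int fixed_check_accepts(int count) {
    return count < MAX_ENV_ARGS;
}

/* Hardened collector: copies the NAME=value entries of argv into env,
 * bounding on the array capacity rather than on the caller-supplied argc.
 * Returns the number stored, or -1 if an entry had to be refused. */
int collect_env_args(char *const argv[], int argc, char *env[], size_t cap) {
    size_t n = 0;
    for (int i = 0; i < argc; i++) {
        if (strchr(argv[i], '=') == NULL)
            continue;            /* a flag or login name, not an assignment */
        if (n >= cap)
            return -1;           /* refuse rather than overflow the array */
        env[n++] = argv[i];
    }
    return (int)n;
}

int main(void) {
    /* Constructed argument vector: five assignments against a capacity of 4. */
    char *argv[] = {"login", "TERM=vt100", "HOME=/tmp", "-p",
                    "LANG=C", "SHELL=/bin/sh", "PATH=/bin"};
    char *env[MAX_ENV_ARGS];
    int stored = collect_env_args(argv, 7, env, MAX_ENV_ARGS);
    printf("flawed check accepts count %d: %d\n", MAX_ENV_ARGS,
           flawed_check_accepts(MAX_ENV_ARGS));
    printf("fixed  check accepts count %d: %d\n", MAX_ENV_ARGS,
           fixed_check_accepts(MAX_ENV_ARGS));
    printf("hardened collector result: %d (-1 = refused)\n", stored);
    return 0;
}
```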
   Please review VU#569272 for your vendor's status or contact your vendor
   directly.

Restrict access to login

   We recommend disabling TELNET, RLOGIN and other programs that use login
   for authentication. Do not use programs that use a vulnerable login for
   authentication. Note that some SSH applications can be configured to use
   login for authentication. If this configuration is selected, then you
   will still be vulnerable.

   If you cannot disable the service, you can limit your exposure to these
   vulnerabilities by using a router or firewall to restrict access to
   port 23/TCP (telnet) and port 513/TCP (rlogin). Note that this does not
   protect you against attackers from within your network.

Appendix A. - Vendor Information

   This appendix contains information provided by vendors for this
   advisory. As vendors report new information to the CERT/CC, we will
   update this section and note the changes in our revision history. If a
   particular vendor is not listed below, we have not received their
   comments.

Apple Computer, Inc.

   Mac OS X and Mac OS X Server are not vulnerable.

Caldera

   We are not using a SystemV based /bin/login, we are using the BSD
   originated rlogin tools. All OpenLinux products are 'Not Vulnerable'.

Compaq Computer Corporation

   Compaq's Tru64 Software is not impacted by this reported problem.

Cray Inc.

   Cray Inc. has determined that its implementation of login is not
   vulnerable to the situation described in VU#569272.

Hewlett-Packard

   HP-UX is NOT Exploitable, even though HP-UX does have the buffer
   overflow, and hence is listed as "affected" above. In any case, the
   buffer overflow has been fixed by HP.

IBM

   IBM's AIX operating system, versions 4.3 and 5.1, are susceptible to
   this vulnerability. We have prepared an emergency fix ("efix"),
   "tsmlogin_efix.tar.Z", and it is available for downloading from:

   ftp://aix.software.ibm.com/aix/efixes/security

   The APAR assignment for AIX 5.1 is IY26221, and will be available soon.
   The APAR for AIX 4.3 is pending, as a new level of 4.3 is nearly
   available. The "README" file at the above FTP site will be updated to
   provide the official fix information and availability.

NetBSD

   NetBSD does not use a System V derived login, and therefore, NetBSD is
   not vulnerable.

Red Hat

   Red Hat Linux does not use a System V derived /bin/login, and is
   therefore not vulnerable to this.

Sun Microsystems

   Sun has developed a fix and T-patches are being tested. Official patches
   will be released shortly and Sun will issue a Sun Security Bulletin when
   they are available.
_________________________________________________________________

   The CERT Coordination Center thanks Internet Security Systems and Sun
   Microsystems for the technical information they provided.
_________________________________________________________________

   Feedback on this document can be directed to the author, Jason A. Rafail
_________________________________________________________________

References

   * http://www.kb.cert.org/vuls/id/569272
   * http://www.kb.cert.org/vuls
______________________________________________________________________

   This document is available from:
   http://www.cert.org/advisories/CA-2001-34.html
______________________________________________________________________

CERT/CC Contact Information

   Email: cert@cert.org
   Phone: +1 412-268-7090 (24-hour hotline)
   Fax: +1 412-268-6989
   Postal address:
          CERT Coordination Center
          Software Engineering Institute
          Carnegie Mellon University
          Pittsburgh PA 15213-3890
          U.S.A.

   CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4)
   Monday through Friday; they are on call for emergencies during other
   hours, on U.S. holidays, and on weekends.

Using encryption

   We strongly urge you to encrypt sensitive information sent by email. Our
   public PGP key is available from

   http://www.cert.org/CERT_PGP.key

   If you prefer to use DES, please call the CERT hotline for more
   information.
Getting security information

   CERT publications and other security information are available from our
   web site

   http://www.cert.org/

   To subscribe to the CERT mailing list for advisories and bulletins, send
   email to majordomo@cert.org. Please include in the body of your message

   subscribe cert-advisory

   * "CERT" and "CERT Coordination Center" are registered in the U.S.
   Patent and Trademark Office.
______________________________________________________________________

NO WARRANTY

   Any material furnished by Carnegie Mellon University and the Software
   Engineering Institute is furnished on an "as is" basis. Carnegie Mellon
   University makes no warranties of any kind, either expressed or implied
   as to any matter including, but not limited to, warranty of fitness for
   a particular purpose or merchantability, exclusivity or results obtained
   from use of the material. Carnegie Mellon University does not make any
   warranty of any kind with respect to freedom from patent, trademark, or
   copyright infringement.
_________________________________________________________________

   Conditions for use, disclaimers, and sponsorship information

   Copyright 2001 Carnegie Mellon University.

Revision History

   December 12, 2001 : Initial Release

[***** End CERT Advisory CA-2001-34 *****]

_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of CERT Coordination Center for
the information contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Center, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California.
CIAC is also a founding member of FIRST, the Forum of Incident Response and
Security Teams, a global organization established to foster cooperation and
coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can
be contacted at:

    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide organization.
A list of FIRST member organizations and their constituencies can be
obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for
the accuracy, completeness, or usefulness of any information, apparatus,
product, or process disclosed, or represents that its use would not
infringe privately owned rights. Reference herein to any specific
commercial products, process, or service by trade name, trademark,
manufacturer, or otherwise, does not necessarily constitute or imply its
endorsement, recommendation or favoring by the United States Government or
the University of California.
The views and opinions of authors expressed herein do not necessarily state
or reflect those of the United States Government or the University of
California, and shall not be used for advertising or product endorsement
purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

M-022: SGI IRIX shells create temporary files insecurely
M-023: Multiple Vendor wu-ftpd File Globbing Heap Corruption Vulnerability
M-024: Microsoft Internet Explorer calls telnet.exe with unsafe command-line
       arguments
M-025: IRIX NEdit Vulnerability
M-026: OpenSSH UseLogin Privilege Elevation Vulnerability
M-027: Microsoft Internet Explorer-Content Type Falsification (Three
       Vulnerabilities)
M-028: hplx-sendmail Vulnerability
M-029: Red Hat glibc Vulnerability
CIACTech02-001: Understanding the SSH CRC32 Exploit
M-030: Multiple Remote Windows XP/ME/98 Universal Plug and Play
       Vulnerabilities