From the-concourse-on-high Sun Dec 22 21:44:11 1996

X-URL1:   http://ee1.bradley.edu/~im14u2c/
X-URL2:   http://ee1.bradley.edu/~im14u2c/asylum/
Pale-Mute-White-Guy-Version: 1.0
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Approved-By:  Joe Zbiciak <im14u2c@CEGT201.BRADLEY.EDU>
Message-ID:  <199612221527.JAA13040@cegt201.bradley.edu>
Date:         Sun, 22 Dec 1996 09:27:24 -0600
Reply-To: Joe Zbiciak <im14u2c@cegt201.bradley.edu>
Sender: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
From: Joe Zbiciak <im14u2c@cegt201.bradley.edu>
Subject:      Buffer overflow in Linux's login program
X-cc:         util-linux@math.uio.no
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>

Hello all,

I was browsing through my local copy of the util-linux-2.[56] sources
and found a very nasty buffer-overflow problem.  Although I haven't
written an exploit (no time--moving from Illinois to Texas), it appears
that the standard stack-smashing techniques should prove workable.

The "login" program checks the username length when the user is asked
to type in the login name.  However, if the user *provides* a login
name with the "-f" flag, no such check is made.  I can successfully
get a segv with my binary with just over 1064 characters pushed into
-f's argument.

Here's a short diff which patches the problem:

401c401,402
<               (void)strcpy(tbuf, username);
---
>               (void)strncpy(tbuf, username, sizeof(tbuf)-2);
>               tbuf[sizeof(tbuf)-1]=0;

Interim fix:  remove SUID bit on /bin/login:  chmod a-s /bin/login

Long-term fix:  download util-linux-2.6, and apply the above patch.

Basically, by removing the SUID bit on /bin/login, users won't be able
to re-login by typing "exec login .........", and also won't be able
to compromise your host.  Normal login/logout should still work.  (Tried
it on my own systems, works just fine.)

I do not know if this is remotely exploitable.  My guess is not; however,
my common sense tells me not to discount this likelihood.

I am CC'ing this to the util-linux maintainer.

--Joe


--
:======= Joe Zbiciak =======:
:- - im14u2c@bradley.edu - -:         "An ounce of image is worth
: - - - - - http: - - - - - :          a pound of performance."
://ee1.bradley.edu/~im14u2c/:
:======= DISCLAIMER: =======:                  -- Laurence J. Peter
:   It's all right... -  - --
-- -  -   I didn't do it!   :
(550:835 11:15)