login vulnerability
Created 12/13/01
CVE-2001-0797
Impact
An unauthenticated remote user could gain root privileges
on the system.
Background
The login program, which is commonly located in
the /bin directory on Unix systems, performs
user authentication. When invoked, it prompts a user for
a login name and password, and then checks that the login
and password pair are valid. It also accepts environment variables
that set session parameters, such as the terminal type.
login is not normally run directly by a user. Instead, it is called by
other programs which provide an interactive shell environment,
such as telnetd and rlogind.
The Problem
Some versions of login derived from System V
are affected by a buffer overflow condition in the processing of
the environment variables provided by the client. A long, specially
crafted set of environment variables could cause vital memory
space to be overwritten, thus allowing the execution of arbitrary
commands. The buffer overflow occurs before authentication is
performed, so an attacker would not need to know a valid login
name and password in order to exploit the vulnerability.
Although login itself is normally not
installed with set-userid-root privileges, the programs which
call login usually are, so exploitation of this
vulnerability could lead to root privileges for the attacker.
The following operating systems are known to be affected by this
vulnerability. Other systems may also be affected, so following
the instructions below is recommended even if your system is not
listed.
- IBM AIX versions 4.3 and 5.1
- Hewlett-Packard's HP-UX
- SCO OpenServer 5.0.6 and earlier
- SGI IRIX 3.x
- Sun Solaris 8 and earlier
Resolution
See CERT Advisory 2001-34
for information on obtaining patches for your particular
operating system.
If a patch is not yet available, then
TCP ports 23 (telnet), 513 (rlogin),
and any other services which rely on login
should be blocked at the network perimeter or, better yet, shut off
and replaced by a more secure alternative such as Secure Shell (ssh).
When installing Secure Shell, ensure that the UseLogin option is shut off.
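The checks in this section can be scripted. The following is an added example, not part of the original advisory: it reports inetd.conf entries that still hand connections to login and flags an sshd_config that enables UseLogin. The function names are hypothetical, the sample files are constructed, and only inetd-style configuration is covered.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; file paths come from the caller.

# Print active inetd.conf services that hand connections to login:
# "telnet" (TCP 23) and "login" (rlogin, TCP 513). Commented lines are skipped.
login_services() {
    awk '$1 == "telnet" || $1 == "login" { print $1 }' "$1"
}

# Print the effective UseLogin value from an sshd_config file.
# Keywords are case-insensitive and the first occurrence wins;
# an absent keyword means the default, "no".
uselogin_value() {
    awk 'tolower($1) == "uselogin" { print tolower($2); found = 1; exit }
         END { if (!found) print "no" }' "$1"
}

# Report findings for the two files; return 1 if anything was found.
audit_login_exposure() {
    rc=0
    for svc in $(login_services "$1"); do
        echo "FINDING: inetd service '$svc' is enabled and invokes login"
        rc=1
    done
    if [ "$(uselogin_value "$2")" = "yes" ]; then
        echo "FINDING: sshd_config sets UseLogin yes"
        rc=1
    fi
    return $rc
}

# Write constructed sample files (not taken from any real host) into directory $1.
write_samples() {
    cat > "$1/inetd.conf" <<'EOF'
ftp     stream  tcp   nowait  root  /usr/sbin/in.ftpd     in.ftpd
telnet  stream  tcp6  nowait  root  /usr/sbin/in.telnetd  in.telnetd
#login  stream  tcp   nowait  root  /usr/sbin/in.rlogind  in.rlogind
EOF
    cat > "$1/sshd_config" <<'EOF'
Port 22
#UseLogin no
uselogin yes
EOF
}

# Usage: sh audit.sh <inetd.conf> <sshd_config>
if [ "$#" -eq 2 ]; then audit_login_exposure "$1" "$2" || exit 1; fi
```

On the constructed samples the audit reports the active telnet entry and the UseLogin setting, and ignores the commented-out rlogin line.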
Where can I read more about this?
This vulnerability was reported in
CERT Advisory 2001-34.