Hi Roman, thanks for this clarification :-)

-----Original Message-----
From: Roman Drahtmueller [mailto:draht@suse.de]
Sent: Thursday, 20 December 2001 13:16
To: Bitzer,Gerd
Cc: 'Steffen Dettmer'; SuSE-Security
Subject: Re: AW: [suse-security] Linux distributions and /bin/login overflow ( fwd)
I issued this question a few days ago, shortly after this topic was posted on CERT. The only response from SuSE until this moment was that they will investigate whether this weakness is relevant for SuSE Linux or not (or did I miss the reply?)
So again, is SuSE Linux vulnerable to this remotely exploitable buffer overflow attack?
It's not. I've said that we look into it and as long as you don't hear from us, it's not vulnerable (the probability that the code in question is faulty is/was very small).
Here is my reply from very early in the morning / late in the night to bugtraq:
From: Roman Drahtmueller
Hello,
Hello, too! [...]
It seems that while Redhat Linux and Caldera Linux distributions are immune to the recent /bin/login environ overflow, other Linux distributions are not. Several Linux distributions install /bin/login with SysV login options enabled.
Slackware 8.0 and lower [tested with 8.0, 4.0, 3.3] has SysV options enabled with /bin/login and is vulnerable.
SuSE 6.1 has SysV options enabled with /bin/login and is vulnerable. I don't have a newer SuSE release, so others will need to verify. It would seem logical that SuSE 8.3 still includes the SysV login options enabled, and is probably vulnerable as well.
While it still may be a bad idea for a whole variety of reasons, the sole fact that some implementations of /bin/login allow for environment to be passed on to the shell after authentication does not mean that the program is vulnerable to the problems as discovered with the SysV derived implementations. To be more precise (grep the source for the word "disaster" to find the spot): The login programs in SuSE 6.0 and 6.1 gladly pass on environment specified as

    silence login: draht variable=value
    Password:

up to a maximum number of 32 variables. If the args to the user name do not contain a "=" character, the arguments will show up in the environment as $L1, $L2, ... where arguments are separated by whitespace and ",". An overflow does not happen, or please prove me wrong.

For the login programs in SuSE distributions before and including 6.1 there is no such thing as "SysV login options enabled". Environment passing is a non-configurable feature. The SuSE Linux distributions 6.0 and 6.1 were the last ones without PAM'ified authentication schemes. All newer distributions use PAM authentication modules that do not pass on environment as specified on the user input prompt (user + password prompting happens beyond the scope of the login program).

SuSE Linux users who use a distribution before 6.4 are greatly encouraged to upgrade to a new release since distributions before SuSE Linux 6.4 have been discontinued a long while ago.
Other distributions should be checked as well. A quick way to check for SysV option capabilities is to type "login", then enter "root testenv1=test" at the login: prompt. Supply your root passwd, and look for "testenv1" in the output of set. If it's set, then your copy of /bin/login supports SysV options... and is probably vulnerable. Follow a similar procedure to find overflow possibility/specifics ;)
Regards,
Anton Rager a_rager@yahoo.com
Thanks,
Roman.
--
- -
| Roman Drahtmüller
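The environment passing Roman describes in the thread above (name=value tokens kept as given, other tokens showing up as $L1, $L2, ..., split on whitespace and ",", at most 32 variables), modelled as an added C example. This is constructed code, not SuSE's or util-linux's login source; it assumes the 32-entry cap counts both kinds of entry and a 256-byte per-entry limit, and its login_env_has helper mirrors the "testenv1" check from Anton's post without needing a real login prompt.

```c
#include <stdio.h>
#include <string.h>

#define MAX_LOGIN_ENV 32    /* cap stated in the thread: at most 32 variables */
#define ENV_ENTRY_LEN 256   /* assumed per-entry limit, not from the thread */

/* Model of the pre-PAM login behaviour described in the thread (constructed,
 * not SuSE's code): text after the user name is split on whitespace and ',';
 * "name=value" tokens are kept as given, any other token becomes L1=, L2=...
 * Entries go through snprintf, so an oversized token is dropped instead of
 * being written past the buffer. Returns the entry count, or -1 if the line
 * itself is too long to process. */
int login_env_from_line(const char *line, char env[][ENV_ENTRY_LEN]) {
    char buf[1024], entry[ENV_ENTRY_LEN], *tok;
    int n = 0, lnum = 0, len;
    if (strlen(line) >= sizeof buf)
        return -1;                        /* refuse rather than truncate */
    strcpy(buf, line);
    if (strtok(buf, " \t,") == NULL)      /* first token is the user name */
        return 0;
    while ((tok = strtok(NULL, " \t,")) != NULL && n < MAX_LOGIN_ENV) {
        int is_assign = strchr(tok, '=') != NULL;
        if (is_assign)
            len = snprintf(entry, sizeof entry, "%s", tok);
        else
            len = snprintf(entry, sizeof entry, "L%d=%s", lnum + 1, tok);
        if (len < 0 || len >= (int)sizeof entry)
            continue;                     /* entry would not fit: drop it */
        if (!is_assign)
            lnum++;
        memcpy(env[n++], entry, (size_t)len + 1);
    }
    return n;                             /* 33rd and later variables are ignored */
}

/* Number of environment entries the typed login line would produce. */
int login_env_count(const char *line) {
    char env[MAX_LOGIN_ENV][ENV_ENTRY_LEN];
    return login_env_from_line(line, env);
}

/* 1 if variable `name` would reach the shell (the "testenv1" check above). */
int login_env_has(const char *line, const char *name) {
    char env[MAX_LOGIN_ENV][ENV_ENTRY_LEN];
    int n = login_env_from_line(line, env);
    size_t k = strlen(name);
    for (int i = 0; i < n; i++)
        if (strncmp(env[i], name, k) == 0 && env[i][k] == '=')
            return 1;
    return 0;
}
```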