Mailinglist Archive: opensuse-security (465 mails)

< Previous Next >
Re: AW: [suse-security] Linux distributions and /bin/login overflow ( fwd)
  • From: Roman Drahtmueller <draht@xxxxxxx>
  • Date: Thu, 20 Dec 2001 13:15:49 +0100 (MET)
  • Message-id: <Pine.LNX.4.43.0112201313350.19815-100000@xxxxxxxxxxxx>
> I have issued this question a few days ago, short after this topic was
> posted on CERT. The only response from Suse until this moment was, that they
> will investigate wether this weakness is relevant for Suse Linux or not (or
> did I miss the reply ?)
> So again, is Suse Linux vulnerable for this remotely exploitable buffer
> overflow attack ?

It's not. I've said that we look into it and as long as you don't hear
from us, it's not vulnerable (the probability that the code in question is
faulty is/was very small).

Here is my reply from very early in the morning / late in the night to

From: Roman Drahtmueller <draht@xxxxxxx>
To: bugtraq@xxxxxxxxxxxxxxxxx
Date: Thu, 20 Dec 2001 06:21:10 +0100 (MET)
Subject: Re: Linux distributions and /bin/login overflow

> Hello,

Hello, too!


> It seems that while Redhat Linux and Caldera Linux
> distributions are immune to the recent /bin/login
> environ overflow, other Linux distributions are not.
> Several Linux distributions install /bin/login with
> SysV login options enabled.
> Slackware 8.0 and lower [tested with 8.0, 4.0, 3.3]
> has SysV options enabled with /bin/login and is
> vulnerable.
> SuSE 6.1 has SysV options enabled with /bin/login and
> is vulnerable. I don't have a newer SuSE release, so
> others will need to verify. It would seem logical that
> SuSE 8.3 still includes the SysV login options
> enabled, and is probably vulnerable as well.

While it still may be a bad idea for a whole variety of reasons, the sole
fact that some implementations of /bin/login allow for environment to be
passed on to the shell after authentification does not mean that the
program is vulnerable to the problems as discovered with the SysV derived

To be more precise (grep the source for the word "disaster" to find the
spot): The login programs in SuSE 6.0 and 6.1 gladly pass on environment
specified as

silence login: draht variable=value

up to a maximum number of 32 variables. If the args to the user name do
not contain a "=" character, the arguments will show up in the environment
as $L1, $L2, ... where arguments are seperated by whitespace and ",". An
overflow does not happen, or please prove me wrong.

For the login programs in SuSE distributions before and including 6.1
there is no such thing as "SysV login options enabled". Environment
passing is a non-configurable feature.
The SuSE Linux distributions 6.0 and 6.1 were the last ones without
PAM'ified authentification schemes. All newer distributions use PAM
authentification modules that do not pass on environment as specified on
the user input prompt (user + password prompting happens beyond the scope
of the login program).

SuSE Linux users who use a distribution before 6.4 are greatly encouraged
to upgrade to a new release since distributions before SuSE Linux 6.4 have
been discontinued a long while ago.

> Other distributions should be checked as well. A
> quick way to check for SysV option capabilities is to
> type "login", then enter "root testenv1=test" at the
> login: prompt. Supply your root passwd, and look for
> "testenv1" in the output of set. If it's set, then
> your copy of /bin/login supports SysV options.....and
> is probably vulnerable. Follow similar procedure to
> find overflow possibility/specifics ;)
> Regards,
> Anton Rager
> a_rager@xxxxxxxxx

- -
| Roman Drahtm├╝ller <draht@xxxxxxx> // "You don't need eyes to see, |
SuSE GmbH - Security Phone: // you need vision!"
| N├╝rnberg, Germany +49-911-740530 // Maxi Jazz, Faithless |
- -

< Previous Next >