Jeff Uphoff
1996-Dec-23 09:26 UTC
Buffer overflow in Linux's login program [Forwarded e-mail from Joe Zbiciak]
------- start of forwarded message (RFC 934 encapsulation) -------
From: Joe Zbiciak <im14u2c@cegt201.bradley.edu>
Approved: alex@bach.cis.temple.edu
Sender: Bugtraq List <BUGTRAQ@netspace.org>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@netspace.org>
Subject: Buffer overflow in Linux's login program
Date: Sun, 22 Dec 1996 09:27:24 -0600
Reply-To: Joe Zbiciak <im14u2c@cegt201.bradley.edu>

Hello all,

I was browsing through my local copy of the util-linux-2.[56] sources and found a very nasty buffer-overflow problem. Although I haven't written an exploit (no time--moving from Illinois to Texas), it appears that the standard stack-smashing techniques should prove workable.

The "login" program checks the username length when the user is asked to type in the login name. However, if the user *provides* a login name with the "-f" flag, no such check is made. I can successfully get a segv with my binary with just over 1064 characters pushed into -f's argument.

Here's a short diff which patches the problem:

401c401,402
< (void)strcpy(tbuf, username);
---
> (void)strncpy(tbuf, username, sizeof(tbuf)-2);
> tbuf[sizeof(tbuf)-1]=0;

Interim fix: remove SUID bit on /bin/login: chmod a-s /bin/login

Long-term fix: download util-linux-2.6, and apply the above patch.

Basically, by removing the SUID bit on /bin/login, users won't be able to re-login by typing "exec login .........", and also won't be able to compromise your host. Normal login/logout should still work. (Tried it on my own systems, works just fine.)

I do not know if this is remotely exploitable. My guess is not; however, my common sense tells me not to discount this likelihood.

I am CC'ing this to the util-linux maintainer.

--Joe

-- 
:======= Joe Zbiciak =======:
:- - im14u2c@bradley.edu - -: "An ounce of image is worth
: - - - - - http: - - - - - :  a pound of performance."
://ee1.bradley.edu/~im14u2c/:
:======= DISCLAIMER: =======:       -- Laurence J. Peter
: It's all right...
- - -- - -- - - I didn't do it! : (550:835 11:15)
------- end -------
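Review bot: the replacement lines copy at most sizeof(tbuf)-2 bytes with strncpy but write the terminator at tbuf[sizeof(tbuf)-1], so for a name of sizeof(tbuf)-2 or more characters the byte at tbuf[sizeof(tbuf)-2] is never written and whatever the buffer held before the copy ends up inside the resulting string; copying sizeof(tbuf)-1 bytes and terminating at that same index, `(void)strncpy(tbuf, username, sizeof(tbuf)-1);` followed by `tbuf[sizeof(tbuf)-1]=0;`, keeps the copy and the terminator adjacent. The patch also truncates silently, while the post says the interactive prompt already checks the username length; rejecting an over-long -f argument the same way the prompt does would be the consistent behaviour and avoids logging in a user under a shortened name.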
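The unbounded copy Joe describes, beside two bounded alternatives, as an added C example that is neither util-linux code nor Joe's patch: it goes past the post by also showing a rejecting variant that applies the interactive prompt's length check to the -f path. TBUF_SIZE, g_tbuf, make_long_name and the three functions are assumed names, and 128 is an assumed buffer size since the post gives none.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not util-linux code. TBUF_SIZE stands in for sizeof(tbuf)
 * in login.c; the post does not give the real size, so 128 is an assumption. */
#define TBUF_SIZE 128

char g_tbuf[TBUF_SIZE];          /* stand-in for login.c's tbuf */
static char g_name[4096];        /* scratch for constructed usernames */

/* Constructed input: a username of n 'A's, like an over-long -f argument. */
const char *make_long_name(size_t n)
{
    if (n >= sizeof(g_name)) n = sizeof(g_name) - 1;
    memset(g_name, 'A', n);
    g_name[n] = '\0';
    return g_name;
}

/* Bytes a bare strcpy(tbuf, username) would write past tbuf; computed, not performed. */
size_t strcpy_overrun(const char *username)
{
    size_t need = strlen(username) + 1;          /* chars plus NUL */
    return need > TBUF_SIZE ? need - TBUF_SIZE : 0;
}

/* Truncating fix in the spirit of the posted patch; returns 1 if the name was cut. */
int set_username_truncate(char *tbuf, const char *username)
{
    strncpy(tbuf, username, TBUF_SIZE - 1);      /* NUL-pads a short source */
    tbuf[TBUF_SIZE - 1] = '\0';                  /* a full copy is not terminated */
    return strlen(username) > TBUF_SIZE - 1;
}

/* Rejecting fix: the prompt's length check applied to -f as well; -1 if refused. */
int set_username_reject(char *tbuf, const char *username)
{
    size_t len = strlen(username);
    if (len >= TBUF_SIZE) { tbuf[0] = '\0'; return -1; }
    memcpy(tbuf, username, len + 1);
    return 0;
}

int main(void)
{
    const char *name = make_long_name(1065);     /* "just over 1064", as in the post */
    printf("overrun %zu, truncated %d, rejected %d\n", strcpy_overrun(name),
           set_username_truncate(g_tbuf, name), set_username_reject(g_tbuf, name));
    return 0;
}
```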
Jon Peatfield
1996-Dec-23 10:17 UTC
Re: [linux-security] Buffer overflow in Linux's login program
> Interim fix: remove SUID bit on /bin/login: chmod a-s /bin/login

We always remove the suid bit on login on all our machines. 99.9% of users don't use the login command once logged in, and anyway it messes up wtmp/utmp entries. We haven't had a single complaint yet about login not being available.

Some day I really will do a survey to find out which programs actually need setuid root. Very few I'd guess.

[Mod: Just remember that while by itself the suid bit does not do much for login, it tells ld.so to ignore LD_ variables which can be used to supply a fake libc -- alex]
Wietse Venema
1996-Dec-23 10:37 UTC
Re: [linux-security] Re: Buffer overflow in Linux's login program
> [Mod: Just remember that while by itself the suid bit does not do much for login,
> it tells ld.so to ignore LD_ variables which can be used to supply a fake
> libc -- alex]

On many systems, ld.so will ignore LD_ variables only when effective uid != real uid. In other words, ld.so does not care if the binary is set-uid or not, it only looks at the rights of its process.

Wietse