
List:       bugtraq
Subject:    Rlogin vulnerabilty
From:       Gabriele Avosani <zuc () merc ! iternet ! it>
Date:       1996-08-28 21:37:25

I was wondering about the veridicity of one of the latest linux-alert advisories.

Lemme explain: here follows the complete advisory.


___________________________________________________________________________


This is an official update of the Linux security FAQ, and it is supposed
to be signed by one of the following PGP keys:

pub 1024/9ED505C5 1995/12/06 Jeffrey A. Uphoff <juphoff@nrao.edu>
                             Jeffrey A. Uphoff <jeff.uphoff@linux.org>
    1024/EFE347AD 1995/02/17 Olaf Kirch <okir@monad.swb.de>
    1024/ADF3EE95 1995/06/08 Linux Security FAQ Primary Key <Alexander O. Yuriev>

Unless you are able to verify at least one of the signatures, please be
very careful when following instructions.

Linux Security WWW: http://bach.cis.temple.edu/linux/linux-security

linux-security & linux-alert mailing list archives:
ftp://linux.nrao.edu/pub/linux/security/list-archive


 ============================================================================


ABSTRACT

A vulnerability exists in the rlogin program of NetKit-B-0.6.
This vulnerability affects several widely used Linux
distributions, including RedHat Linux 2.0, 2.1 and derived
systems including Caldera Network Desktop, Slackware 3.0 and
others. This vulnerability is not limited to Linux or any
other free UNIX systems. Both the information about this
vulnerability and methods of its exploit were made available
on the Internet.

RISK ASSESSMENT

Local and remote users could gain super-user privileges.


DISTRIBUTION FIXES


Red Hat Commercial Linux

Red Hat Linux versions 2.0 and 2.1 contain the
vulnerable program unless NetKit-B-0.06-7.i386.rpm
was installed.

In order to fix the vulnerability install the
NetKit-B-0.06-7 rpm available from

ftp://ftp.redhat.com/pub/redhat/old-releases/redhat-2.1/i386/updates/RPMS/NetKit-B-0.06-7.i386.rpm
ftp://bach.cis.temple.edu/pub/Linux/security/DISTRIBUTION-FIXES/RedHat-2.1/NetKit-B-0.06-7.i386.rpm
ftp://tarsier.cv.nrao.edu/pub/linux/security/DISTRIBUTION-FIXES/RedHat-2.1/NetKit-B-0.06-7.i386.rpm

Please verify the MD5 signature of the RPM prior to
installing it.

601c3f6137a6fb15ae61a6b817395040 NetKit-B-0.06-7.i386.rpm

Red Hat Linux version 3.0.3 (Picasso) does not
contain the vulnerable rlogin program.


Caldera Network Desktop


Version 1 of CND contains the vulnerable program
unless NetKit-B-0.06-4c1.i386.rpm was installed.
This RPM is available from

ftp://ftp.caldera.com/pub/cnd-1.0/updates/NetKit-B-0.06-4c1.i386.rpm
ftp://bach.cis.temple.edu/pub/Linux/Security/DISTRIBUTION-FIXES/CND/NetKit-B-0.06-4c1.i386.rpm
ftp://tarsier.cv.nrao.edu/pub/linux/security/DISTRIBUTION-FIXES/CND/NetKit-B-0.06-4c1.i386.rpm

Please verify the MD5 signature of the RPM prior to
installing it.

aeb2da201477cd3280fdc09836395c35 NetKit-B-0.06-4c1.i386.rpm

Version 1 of CND upgraded to RedHat Linux 3.0.3
(Picasso) does not contain a vulnerable program.


Debian


The Debian Project has neither confirmed nor denied the
vulnerability of Debian/GNU Linux 1.1.

Debian/GNU Linux systems may be vulnerable if
NetKit-B-0.6 is installed. Until the official
fix-kit is available for Debian/GNU Linux, system
administrators of Debian systems are advised to
follow the guidelines under the Other Linux Distributions
section.


Slackware


The Slackware Linux distribution Version 3.0 is
confirmed to be vulnerable unless a NetKit newer
than NetKit-B-0.6 is installed.

Until the official fix-kit is available for
Slackware 3.0, system administrators are advised
to follow the guidelines under the Other Linux
Distributions section.


Yggdrasil


Yggdrasil Computing's Plug & Play Linux Fall'95
contains the vulnerable rlogin program.

Adam J. Richter from Yggdrasil Computing made an
unofficial fix-kit available at
ftp.yggdrasil.com/pub/support/fall95/rlogin_fix/

We are unable to provide an MD5 signature for the fix
kit as we are unable to verify the integrity of the
message.


Other Linux Distributions


System administrators of systems based on other
Linux distributions or distributions that do not
have official patch-kits available are advised to
install the newly released NetKit-B-0.7 available from
ftp://ftp.uk.linux.org/pub/linux/Networking/base
and ftp://sunsite.unc.edu/pub/Linux/Incoming


CREDITS


This LSF Update is based on the information provided by Alan
Cox. The first patch for the rlogin program was provided by Marc
Ewing of Red Hat Software. Ron Holt of Caldera Inc provided a
fixed RPM for Caldera Network Desktop within 3 hours after
the initial contact. Adam J. Richter provided unofficial
information about the unofficial fix-kit for Yggdrasil Plug
and Play Linux Fall'95.


____________________________________________________________________________


As everybody can see, no info is given, none at all. So the only way
is to check the differences between the old version of rlogin.c and the
patched one.

In the old one, I found this code interesting:



rlogin.c:

......
    char *host, *p, *user, term[1024];
......
    /* TERM is copied from the environment into term[1024] without any length check */
    (void)strcpy(term, (p = getenv("TERM")) ? p : "network");   <---- always the same old story ???
    if (ioctl(0, TIOCGETP, &ttyb) == 0) {
        (void)strcat(term, "/");
        (void)strcat(term, speeds[ttyb.sg_ospeed]);
......


Well, if this was the only check, it should have been easy to hack it,
but checking in rlogind.c, I found the following:


rlogind.c:

    #define ENVSIZE (sizeof("TERM=")-1)     /* skip null for concatenation */
    static char term[64] = "TERM=";
    getstr(term+ENVSIZE, sizeof(term)-ENVSIZE, "Terminal type too long");

It doesn't seem exploitable to me... what does bugtraq think? Anyway, what
follows is the new version of rlogin.c, the patched one:


rlogin.c:

    p = getenv("TERM");
    if (!p) p = "network";
    if (tcgetattr(0, &tios) == 0) {
        speed_t speed = cfgetispeed(&tios);
        snprintf(term, sizeof(term), "%.256s/%s", p, speeds[speed]);   <----- this is the way it should be done
    }
    else snprintf(term, sizeof(term), "%.256s", p);

So I'm having a headache trying to understand where the flaw was; there
was at least a bounds check...

Why the hell, when someone wants to learn, is someone else concealing
information? (Rhetorical question, sorry)


g.a.


Hack-It founder

hack-it@mail.ibm.it
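The two rlogin.c patterns quoted above side by side, as an added example that is not part of the original post or of NetKit. The getstr() bound in rlogind.c limits what the server reads from the network; it does nothing for the strcpy in the client, which fills its own term[1024] from the environment. The speeds[] table, the builder function names and the 'A'-filled TERM value are constructed stand-ins; build_term_old adds the length check the old code lacked so it can be run without overrunning the buffer.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TERM_BUF 1024   /* rlogin.c declared char term[1024] */
/* Constructed stand-in for rlogin's speeds[] table; index 1 is "9600". */
static const char *const speeds[] = { "0", "9600", "38400" };

/* Patched pattern from the post, factored into a function: %.256s caps the
 * TERM value at 256 bytes and snprintf bounds the whole string to termlen. */
int build_term_safe(char *term, size_t termlen, const char *env_term,
                    int have_tty, int speed_idx)
{
    const char *p = env_term ? env_term : "network";
    if (have_tty)
        return snprintf(term, termlen, "%.256s/%s", p, speeds[speed_idx]);
    return snprintf(term, termlen, "%.256s", p);
}

/* Pre-patch pattern: strcpy/strcat impose no bound, so the caller's TERM value
 * decides how many bytes land in term[]. The old code had no check at all;
 * this version refuses (returns -1) instead of overrunning the buffer. */
int build_term_old(char *term, size_t termlen, const char *env_term,
                   int have_tty, int speed_idx)
{
    const char *p = env_term ? env_term : "network";
    size_t need = strlen(p) + 1;                         /* strcpy incl. NUL */
    if (have_tty) need += 1 + strlen(speeds[speed_idx]); /* "/" + speed */
    if (need > termlen) return -1;                       /* the missing check */
    (void)strcpy(term, p);
    if (have_tty) { (void)strcat(term, "/"); (void)strcat(term, speeds[speed_idx]); }
    return (int)need - 1;
}

typedef int (*builder)(char *, size_t, const char *, int, int);
/* Runs a builder on a constructed TERM of len 'A' bytes (tty present, 9600
 * baud) and returns the resulting string length, or -1 if it refused. */
int try_term(builder b, size_t len)
{
    char term[TERM_BUF];
    char *t = malloc(len + 1);
    memset(t, 'A', len); t[len] = '\0';
    int n = b(term, sizeof term, t, 1, 1);
    free(t);
    return n < 0 ? -1 : (int)strlen(term);
}

int main(void)
{
    printf("old=%d patched=%d\n", try_term(build_term_old, 2000), try_term(build_term_safe, 2000));
    return 0;
}
```

With a 2000-byte TERM the old pattern needs 2006 bytes for a 1024-byte buffer, while the patched form yields 256 bytes of TERM plus "/9600".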
