List: bugtraq
Subject: Buffer overflow in Linux's login program
From: Joe Zbiciak <im14u2c () cegt201 ! bradley ! edu>
Date: 1996-12-22 9:27:24
Hello all,
I was browsing through my local copy of the util-linux-2.[56] sources
and found a very nasty buffer-overflow problem. Although I haven't
written an exploit (no time--moving from Illinois to Texas), it appears
that the standard stack-smashing techniques should prove workable.
The "login" program checks the username length when the user is asked
to type in the login name. However, if the user *provides* a login
name with the "-f" flag, no such check is made. I can successfully
get a segv with my binary with just over 1064 characters pushed into
-f's argument.
Here's a short diff which patches the problem:
401c401,402
< (void)strcpy(tbuf, username);
---
> (void)strncpy(tbuf, username, sizeof(tbuf)-2);
> tbuf[sizeof(tbuf)-1]=0;
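Review bot: the copy length and the terminator index are off by one: strncpy(tbuf, username, sizeof(tbuf)-2) writes at most tbuf[0..sizeof(tbuf)-3], and tbuf[sizeof(tbuf)-1]=0 terminates, so whenever the name is long enough to be cut, tbuf[sizeof(tbuf)-2] is never written and keeps whatever was on the stack. Using sizeof(tbuf)-1 as the strncpy length makes the copied bytes and the terminator adjacent. Separately, this silently truncates an over-long -f argument rather than refusing it the way the interactive prompt path does; a length check that rejects the name (or reuses the prompt-path check) would be the safer behaviour than a quiet truncation.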
Interim fix: remove SUID bit on /bin/login: chmod a-s /bin/login
Long-term fix: download util-linux-2.6, and apply the above patch.
Basically, by removing the SUID bit on /bin/login, users won't be able
to re-login by typing "exec login .........", and also won't be able
to compromise your host. Normal login/logout should still work. (Tried
it on my own systems, works just fine.)
I do not know if this is remotely exploitable. My guess is not; however,
my common sense tells me not to discount this likelihood.
I am CC'ing this to the util-linux maintainer.
--Joe
--
:======= Joe Zbiciak =======:
:- - im14u2c@bradley.edu - -: "An ounce of image is worth
: - - - - - http: - - - - - : a pound of performance."
://ee1.bradley.edu/~im14u2c/:
:======= DISCLAIMER: =======: -- Laurence J. Peter
: It's all right... - - --
-- - - I didn't do it! :
(550:835 11:15)
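As an added example (not code from Joe's post or from util-linux), here is the -f copy written so that an over-long name is rejected instead of truncated, next to a function shaped like the posted patch so the difference can be observed; the buffer size TBUF_SIZE and the constructed 1099-byte name are assumptions for the demo.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define TBUF_SIZE 32   /* assumed buffer size for this demo, not login's real one */

/* Hardened copy: accept the name only if it fits together with its terminator.
 * Returns 0 on success, -1 if the name is empty or too long; tbuf is left
 * untouched on failure so nothing downstream ever sees a partial name. */
int safe_login_name(char *tbuf, size_t tbuf_size, const char *username)
{
    size_t n = 0;
    if (tbuf == NULL || username == NULL || tbuf_size == 0)
        return -1;
    /* Bounded scan: never read further than the buffer could hold anyway. */
    while (n < tbuf_size && username[n] != '\0')
        n++;
    if (n == 0 || n >= tbuf_size)      /* no room for '\0': reject, don't truncate */
        return -1;
    memcpy(tbuf, username, n);
    tbuf[n] = '\0';
    return 0;
}

/* The shape of the posted patch, for contrast: strncpy(..., sizeof-2) plus a
 * terminator at sizeof-1.  It stops the overflow, but silently truncates and
 * leaves tbuf[tbuf_size-2] unwritten when the input is long. */
void patch_style_copy(char *tbuf, size_t tbuf_size, const char *username)
{
    strncpy(tbuf, username, tbuf_size - 2);
    tbuf[tbuf_size - 1] = '\0';
}

int main(void)
{
    char tbuf[TBUF_SIZE];
    char longname[1100];                /* constructed: just over the ~1064 bytes the post mentions */
    memset(longname, 'A', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';

    printf("safe_login_name(\"joe\") -> %d\n", safe_login_name(tbuf, sizeof tbuf, "joe"));
    printf("safe_login_name(1099 x 'A') -> %d\n", safe_login_name(tbuf, sizeof tbuf, longname));

    memset(tbuf, 'X', sizeof tbuf);     /* stale contents, as on a real stack */
    patch_style_copy(tbuf, sizeof tbuf, longname);
    printf("patch-style copy kept %zu chars, last one is '%c'\n",
           strlen(tbuf), tbuf[strlen(tbuf) - 1]);
    return 0;
}
```

The last line of output shows the stale 'X' surviving at tbuf[tbuf_size-2], which is the gap between the patch's copy length and its terminator index.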