[ale] rlogind patches/potential security bug (fwd)

Omar Loggiodice ologgio at vrainn.com
Sat Oct 26 14:50:31 EDT 1996


Hi Folks,

   I just sent this mail to the maintainer of NetKit-B; it has a patch to
   fix a problem with the rlogind daemon. The problem is that a bogus remote
   hostname is reported to the login program, and that same bogus host name
   is used to do the rlogind authentication.
   
   Besides breaking scripts, and other programs that depend on a valid utmp
   remote host entry, it can be a security problem. I recommend you apply this
   patch as soon as you can, especially those of you using NIS.

   Please don't redistribute the patch yet, until I hear from the NetKit
   maintainer.
   
   Thanks.

Omar Loggiodice writes:
:From ologgio at linda.vrainn.com  Sat Oct 26 14:39:41 1996
:From: Omar Loggiodice <ologgio at vrainn.com>
:Message-Id: <199610261839.OAA03108 at linda.vrainn.com>
:Subject: rlogind patches/potential security bug
:To: dholland at hcs.harvard.edu
:Date: Sat, 26 Oct 1996 14:39:35 -0400 (EDT)
:Cc: ologgio at linda.vrainn.com
:X-Mailer: ELM [version 2.4 PL24 PGP3 *ALPHA*]
:MIME-Version: 1.0
:Content-Type: text/plain; charset=US-ASCII
:Content-Transfer-Encoding: 7bit
:
:Hi David,
:
:    The rlogind daemon has a bug when working with NIS enabled in libc. The
:    static data area of the gethostby* functions gets overwritten by libc,
:    leaving a bogus peer (remote) hostname for the authentication function
:    (do_rlogin) and for the exec of the login program. 
:    
:    Besides the obvious effects of giving a bogus remote host name to the
:    login program (and the breakage of scripts that try to set the DISPLAY
:    variable), we have a potential security problem because an attacker could
:    fool the rlogind authentication by providing a bogus hostname in the
:    /etc/yp.conf file.
:    
:    Attached is a patch to fix this problem. It applies to NetKit
:    NetKit-B-0.08.tar.gz (whose file size is 471367).
:    
:    I suggest applying this patch even if NIS is not used.
:    
:    I leave it up to you whether you want to notify CERT.
:
:    Thanks for the good work!
:
:Best regards,
:   Omar Loggiodice
:   
:
:PS. I don't know if this should be considered a libc bug or not. In any case,
:I think the patch should be applied because it makes fewer assumptions about
:the static data used by the gethostby* functions.
:
:
################ CUT HERE #######################
--- rlogind.c.orig	Sat Oct 26 13:50:34 1996
+++ rlogind.c	Sat Oct 26 13:58:51 1996
@@ -215,6 +215,8 @@
 		 */
 		hp = &hostent;
 		hp->h_name = inet_ntoa(fromp->sin_addr);
+		strncpy(remotehost, hp->h_name, sizeof(remotehost) - 1);
+		remotehost[sizeof(remotehost) - 1] = 0;
 		hostok++;
 	} 
 	else if (check_all || local_domain(hp->h_name)) {
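Review bot: the copy into remotehost is only made in this fallback branch, where hp->h_name is the inet_ntoa() string; the declaration of remotehost and the branch where gethostbyaddr() succeeded (above this hunk) are not in the diff, so confirm that remotehost is filled there as well, otherwise the later do_rlogin(remotehost) and execl() calls would read an empty or uninitialised buffer. The strncpy with sizeof(remotehost) - 1 followed by an explicit terminator is the right idiom. Note that the `else if (check_all || local_domain(hp->h_name))` context line still dereferences hp->h_name; that is only safe because it runs before any further resolver call.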
@@ -272,7 +274,7 @@
 	        }
 	    }
 #endif
-	    if (do_rlogin(hp->h_name) == 0 && hostok)
+	    if (do_rlogin(remotehost) == 0 && hostok)
 		    authenticated++;
 	}
 	if (confirmed == 0) {
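Review bot: do_rlogin(remotehost) now authenticates against the snapshot, but hostok is still set from hp->h_name (see the hostok++ and local_domain(hp->h_name) context in the first hunk); both should describe the same host, so either derive the hostok decision from remotehost too or add a comment explaining why the ordering guarantees they agree.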
@@ -301,7 +303,7 @@
                        pam_end(pamh, PAM_SUCCESS);
 #endif
 		       execl(_PATH_LOGIN, "login", "-p",
-			     "-h", hp->h_name, "-f", lusername, 0);
+			     "-h", remotehost, "-f", lusername, 0);
                        /* should not return... */
 		} 
 		else {
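Review bot: the varargs terminator `0` in this execl() call should be `(char *)0` (or NULL); a plain int 0 is narrower than a pointer on LP64 platforms. Not introduced by this change, but the argument list is being edited anyway.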
@@ -313,7 +315,7 @@
 			pam_end(pamh, PAM_SUCCESS);
 #endif
 			execl(_PATH_LOGIN, "login", "-p",
-			      "-h", hp->h_name, lusername, 0);
+			      "-h", remotehost, lusername, 0);
 			/* should not return... */
 		}
 		fatal(STDERR_FILENO, _PATH_LOGIN, 1);
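Review bot: the same `(char *)0` terminator point applies to this execl(); since the two calls differ only in the "-f" argument, a single call site with a conditional argument vector would avoid having to apply changes like this one twice.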


###################### END OF PATCH ############################



-- 
____________________________________________________________________
            /   __  __  __  - __  __ / - _  __  ologgio at vrainn.com
  Omar R.  /__ /_/ /_/ /_/ / /_/ /_/ / /_  /-_  CIS: 74040,1543
                  __/ __/                         
___C++/6_yrs____Virtual Reality/4_yrs____Vorl_____Linux(free)_______
YACC? No!...check pccts...ftp://ftp.parr-research.com/pub/pccts
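The hazard the mail describes, as an added example that is not part of the original message or of NetKit: a constructed stand-in for gethostby*() that, like the real libc functions, returns a pointer into static storage, followed by the unpatched "keep the pointer" pattern and the patched "snapshot into remotehost" pattern. Names such as fake_gethostby and libc_side_lookup are invented for the demonstration.

```c
#include <string.h>
#include <netdb.h>      /* struct hostent */

/* Constructed stand-in for gethostbyaddr()/gethostbyname(): like the real libc
 * functions it hands back a pointer to one static struct hostent whose h_name
 * lives in a static buffer, so every call overwrites the previous result. */
static struct hostent *fake_gethostby(const char *name)
{
    static struct hostent he;
    static char namebuf[256];
    strncpy(namebuf, name, sizeof(namebuf) - 1);
    namebuf[sizeof(namebuf) - 1] = '\0';
    he.h_name = namebuf;
    return &he;
}

/* Stand-in for libc doing more resolver work behind the caller's back (the
 * NIS case in the mail): any further lookup between obtaining the peer's
 * hostent and using it. */
static void libc_side_lookup(void)
{
    (void)fake_gethostby("nis-server.example.com");
}

/* Unpatched rlogind pattern: keep hp and dereference hp->h_name much later. */
const char *peer_name_by_pointer(void)
{
    struct hostent *hp = fake_gethostby("client.example.com");
    libc_side_lookup();
    return hp->h_name;              /* stale: the static buffer was reused */
}

/* Patched pattern (what the rlogind diff does): copy h_name into a private,
 * NUL-terminated buffer as soon as it is obtained and use only the copy. */
static char remotehost[256];

const char *peer_name_by_copy(void)
{
    struct hostent *hp = fake_gethostby("client.example.com");
    strncpy(remotehost, hp->h_name, sizeof(remotehost) - 1);
    remotehost[sizeof(remotehost) - 1] = '\0';
    libc_side_lookup();
    return remotehost;              /* still the peer's name */
}
```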