[ale] rlogind patches/potential security bug (fwd)
Omar Loggiodice
ologgio at vrainn.com
Sat Oct 26 14:50:31 EDT 1996
Hi Folks,
I just sent this mail to the maintainer of NetKit-B; it has a patch to
fix a problem with the rlogind daemon. The problem is that a bogus remote
hostname is reported to the login program, and that same bogus host name
is used to do the rlogind authentication.
Besides breaking scripts and other programs that depend on a valid utmp
remote host entry, it can be a security problem. I recommend you apply this
patch as soon as you can, especially those of you using NIS.
Please don't redistribute the patch yet, until I hear from the NetKit
maintainer.
Thanks.
Omar Loggiodice writes:
:From ologgio at linda.vrainn.com Sat Oct 26 14:39:41 1996
:From: Omar Loggiodice <ologgio at vrainn.com>
:Message-Id: <199610261839.OAA03108 at linda.vrainn.com>
:Subject: rlogind patches/potential security bug
:To: dholland at hcs.harvard.edu
:Date: Sat, 26 Oct 1996 14:39:35 -0400 (EDT)
:Cc: ologgio at linda.vrainn.com
:X-Mailer: ELM [version 2.4 PL24 PGP3 *ALPHA*]
:MIME-Version: 1.0
:Content-Type: text/plain; charset=US-ASCII
:Content-Transfer-Encoding: 7bit
:
:Hi David,
:
: The rlogind daemon has a bug when working with NIS enabled in libc. The
: static data area of the gethostby* functions gets overwritten by libc,
: leaving a bogus peer (remote) hostname for the authentication function
: (do_rlogin) and for the exec of the login program.
:
: Besides the obvious effects of giving a bogus remote host name to the
: login program, (and the breakage of scripts that try to set the DISPLAY
: variable), we have a potential security problem because an attacker could
: fool the rlogind authentication by providing a bogus hostname in the
: /etc/yp.conf file.
:
: Attached is a patch to fix this problem. It applies to NetKit
: NetKit-B-0.08.tar.gz (whose file size is 471367).
:
: I suggest applying this patch even if NIS is not used.
:
: I leave it up to you whether you want to notify CERT.
:
: Thanks for the good work!
:
:Best regards,
: Omar Loggiodice
:
:
:PS. I don't know if this should be considered a libc bug or not. In any case,
:I think the patch should be applied because it makes fewer assumptions about
:the static data used by the gethostby* functions.
:
:
################ CUT HERE #######################
--- rlogind.c.orig Sat Oct 26 13:50:34 1996
+++ rlogind.c Sat Oct 26 13:58:51 1996
@@ -215,6 +215,8 @@
*/
hp = &hostent;
hp->h_name = inet_ntoa(fromp->sin_addr);
+ strncpy(remotehost, hp->h_name, sizeof(remotehost) - 1);
+ remotehost[sizeof(remotehost) - 1] = 0;
hostok++;
}
else if (check_all || local_domain(hp->h_name)) {
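Review bot: the copy into remotehost is only added on the failed-lookup branch shown here (`hp = &hostent; hp->h_name = inet_ntoa(fromp->sin_addr);`), while the later hunks pass remotehost unconditionally; the branch at `else if (check_all || local_domain(hp->h_name))` and the declaration of the remotehost array (sizeof(remotehost) in this hunk implies a fixed-size char array) are not in the pasted hunks, so please confirm the full patch also declares the array and copies hp->h_name into it on the successful-lookup path, otherwise do_rlogin() and login would see an uninitialized buffer there. The strncpy followed by `remotehost[sizeof(remotehost) - 1] = 0;` is the right way to snapshot a name that lives in inet_ntoa()'s or gethostby*()'s static storage.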
@@ -272,7 +274,7 @@
}
}
#endif
- if (do_rlogin(hp->h_name) == 0 && hostok)
+ if (do_rlogin(remotehost) == 0 && hostok)
authenticated++;
}
if (confirmed == 0) {
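Review bot: with `if (do_rlogin(remotehost) == 0 && hostok)`, do_rlogin() still runs before hostok is tested, so it is called on every path, including any on which remotehost was never filled; if the full patch does not set remotehost on all paths that reach this line, initialize the array to an empty string at its declaration or test hostok first. Otherwise, passing the caller-owned copy instead of hp->h_name is exactly what removes the dependence on the gethostby* static data described in the mail.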
@@ -301,7 +303,7 @@
pam_end(pamh, PAM_SUCCESS);
#endif
execl(_PATH_LOGIN, "login", "-p",
- "-h", hp->h_name, "-f", lusername, 0);
+ "-h", remotehost, "-f", lusername, 0);
/* should not return... */
}
else {
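Review bot: the execl() argument list in `"-h", remotehost, "-f", lusername, 0);` still ends with a bare `0`; execl() is variadic, so the terminator should be a null pointer of pointer width, `(char *)0`, to be correct on every platform (a plain integer 0 only works where int and pointer sizes agree). Since this hunk already rewrites that line, it is a cheap fix to make together with the hp->h_name to remotehost change.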
@@ -313,7 +315,7 @@
pam_end(pamh, PAM_SUCCESS);
#endif
execl(_PATH_LOGIN, "login", "-p",
- "-h", hp->h_name, lusername, 0);
+ "-h", remotehost, lusername, 0);
/* should not return... */
}
fatal(STDERR_FILENO, _PATH_LOGIN, 1);
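Review bot: this branch duplicates the execl() call of the previous hunk except for the `-f` flag, so the remotehost change (and the `(char *)0` terminator) has to be kept in sync in two places; building the argument list once and adding "-f" conditionally would leave a single exec path to review. The substitution of remotehost for hp->h_name on `"-h", remotehost, lusername, 0);` is itself correct.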
###################### END OF PATCH ############################
--
____________________________________________________________________
/ __ __ __ - __ __ / - _ __ ologgio at vrainn.com
Omar R. /__ /_/ /_/ /_/ / /_/ /_/ / /_ /-_ CIS: 74040,1543
__/ __/
___C++/6_yrs____Virtual Reality/4_yrs____Vorl_____Linux(free)_______
YACC? No!...check pccts...ftp://ftp.parr-research.com/pub/pccts
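As an added illustration, not code from the patch or from NetKit, the static-result-buffer hazard the mail describes, shown with inet_ntoa(), which the patched code also calls and which, like gethostby*(), returns a pointer into library-owned storage that the next call overwrites; the two addresses are constructed sample values.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

/* Copy a name that lives in library-owned static storage (inet_ntoa(),
 * gethostby*() results) into caller-owned memory, always NUL-terminated,
 * the same way the rlogind patch snapshots hp->h_name into remotehost. */
static void snapshot_name(char *dst, size_t dstlen, const char *src)
{
    strncpy(dst, src, dstlen - 1);
    dst[dstlen - 1] = '\0';
}

char demo_saved[32]; /* caller-owned copy, survives later library calls */

/* Returns 1 when the name held only as a pointer into inet_ntoa()'s static
 * buffer is clobbered by an unrelated later call while the snapshot is not,
 * which is the failure mode the mail describes; 0 otherwise. */
int run_demo(void)
{
    struct in_addr peer, other;
    const char *peer_name;

    /* constructed sample addresses from the documentation (TEST-NET) ranges */
    peer.s_addr  = htonl(0xC000020AUL);  /* 192.0.2.10   */
    other.s_addr = htonl(0xC6336407UL);  /* 198.51.100.7 */

    peer_name = inet_ntoa(peer);            /* pointer into static storage */
    snapshot_name(demo_saved, sizeof demo_saved, peer_name);

    (void)inet_ntoa(other);                 /* reuses and overwrites that storage */

    /* peer_name now reads "198.51.100.7"; demo_saved still reads "192.0.2.10" */
    return strcmp(peer_name, "192.0.2.10") != 0
        && strcmp(demo_saved, "192.0.2.10") == 0;
}

int main(void)
{
    printf("static pointer clobbered, snapshot intact: %s\n",
           run_demo() ? "yes" : "no");
    return 0;
}
```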