Vulnerability Note VU#569272
System V derived login contains a remotely exploitable buffer overflow
Overview
A remotely exploitable buffer overflow exists in implementations of login, derived from System V. An attacker can use this vulnerability to gain the privileges of the process that invoked login, user root in the cases of in.telnetd, or in.rlogind. We have been able to determine that several vendors are affected.
Description
Implementations of login, derived from System V, use a fixed-size buffer to store environment and argument variables that are received from other programs. This buffer can be overflowed by inputing numerous variables. An attacker can use this vulnerability to gain the privileges of the process that invoked login. If an attacker with a local shell invokes login directly, they can only gain the privileges of the shell they already have. However, if the attacker can invoke login via a suid root program, such as the in.telnetd or in.rlogind daemons, they can gain the privileges of the invoking suid program, typically root. And of course, because in.telnetd and in.rlogind are available over the network, an attacker without any previous access to the system could use this vulnerability to gain root access directly. An exploit exists and may be circulating. |
Impact
A remote intruder can gain a root shell. |
Solution
Apply a patch when one becomes available. If patches are not available for your version, upgrade to a supported version and apply all patches. |
Disable telnet, rlogin, and other programs that use login for authentication. Use programs that use SSH instead and do not use login by default. |
Systems Affected (Learn More)
| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Cisco | Affected | - | 11 Apr 2002 |
| Hewlett Packard | Affected | 24 Oct 2001 | 19 Dec 2001 |
| IBM | Affected | 24 Oct 2001 | 21 Dec 2001 |
| SCO | Affected | 24 Oct 2001 | 14 Dec 2001 |
| SGI | Affected | - | 18 Dec 2001 |
| Sun | Affected | - | 17 Dec 2001 |
| Apple | Not Affected | 24 Oct 2001 | 25 Oct 2001 |
| BSDI | Not Affected | - | 12 Nov 2001 |
| Caldera | Not Affected | 24 Oct 2001 | 25 Oct 2001 |
| Compaq Computer Corporation | Not Affected | - | 12 Nov 2001 |
| Cray | Not Affected | - | 12 Nov 2001 |
| MandrakeSoft | Not Affected | 24 Oct 2001 | 12 Dec 2001 |
| NetBSD | Not Affected | - | 12 Nov 2001 |
| Red Hat | Not Affected | 24 Oct 2001 | 24 Oct 2001 |
| NCR | Unknown | - | 07 Jan 2002 |
CVSS Metrics (Learn More)
| Group | Score | Vector |
|---|---|---|
| Base | N/A | N/A |
| Temporal | N/A | N/A |
| Environmental | N/A | N/A |
References
Credit
Our thanks to Mark Dowd and ISS for the report and information contained in their advisory and to Sun Microsystems for their help in identifing the location of the vulnerability.
This document was written by Jason Rafail.
Other Information
- CVE IDs: Unknown
- CERT Advisory: CA-2001-34
- Date Public: 12 Dec 2001
- Date First Published: 12 Dec 2001
- Date Last Updated: 11 Apr 2002
- Severity Metric: 18.00
- Document Revision: 36
Feedback
If you have feedback, comments, or additional information about this vulnerability, please send us email.
View Notes By
Report a Vulnerability
Please use the Vulnerability Reporting Form to report a vulnerability. Alternatively, you can send us email. Be sure to read our vulnerability disclosure policy.