VID 14017
Severity 40
Port 23
Protocol TCP
Class R-Command
Detailed Description The /bin/login used by the relevant rlogin daemon seems to crash when it receives too many environment variables. This vulnerability allows remote attackers to execute arbitrary commands on a target system with superuser privileges.
'login' is a program used on Unix systems to authenticate users with a username and password. The utility is typically invoked at the console, by telnetd, by rlogind and, if configured to do so, by SSH. Versions of 'login' descended from System V Unix contain a buffer overflow in the handling of environment variables. System V based versions of 'login' ship with several operating systems, including: Sun Solaris/SunOS, HP-UX, AIX, SGI and Unixware.
It is reportedly possible for unauthenticated clients to exploit these conditions to execute arbitrary code remotely through the remote access services in.telnetd and in.rlogind, which use 'login'. No local account or special knowledge of the target is needed to successfully exploit this vulnerability.

* Note: Although this check detects the /bin/urmlogin program in PassGo's URM as being vulnerable, the program is not affected by this flaw if URM is not installed using PAM modules. PassGo has tested the urmlogin command in URM and found that it is not affected by this buffer overflow flaw. PassGo states that URM does not include any code from the UNIX System 5 or BSD versions of login; it is PassGo's in-house code, unique to URM.

* References:
http://www.securityfocus.com/bid/3681
http://www.cert.org/advisories/CA-2001-34.html

* Platforms Affected:
o IBM AIX versions 4.3 and earlier and 5.1
o SCO OpenServer 5.0.6a and earlier
o SGI IRIX 3.x
o Sun Solaris 8 and earlier
Recommendation As a workaround:
Disable TELNET, RLOGIN and other programs that use 'login' for authentication. Note that some SSH applications can be configured to use login for authentication. If this configuration is selected, then you will still be vulnerable.

If you cannot disable the service, you can limit your exposure to these vulnerabilities by using a router or firewall to restrict access to port 23/TCP (telnet) and port 513/TCP (rlogin).
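
One way to confirm the workaround took effect, as an added example that is not part of the original advisory: the script below lists inetd.conf entries that still start in.telnetd or in.rlogind. It assumes the host launches these daemons from an inetd.conf in the classic column layout; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory): report inetd.conf entries that still
# start in.telnetd or in.rlogind, the two daemons named above that call 'login'.

# Constructed sample in classic inetd.conf column layout (assumption: the
# host uses inetd; the file on a real system is typically /etc/inetd.conf).
sample_inetd_conf() {
    cat <<'EOF'
# service socket proto wait user server-program arguments
telnet  stream  tcp6  nowait  root  /usr/sbin/in.telnetd  in.telnetd
#telnet stream  tcp   nowait  root  /usr/sbin/in.telnetd  in.telnetd
login   stream  tcp6  nowait  root  /usr/sbin/tcpd        in.rlogind
ftp     stream  tcp6  nowait  root  /usr/sbin/in.ftpd     in.ftpd -a
EOF
}

# Print "service port daemon" for every enabled (uncommented) entry whose
# daemon is in.telnetd or in.rlogind, including entries wrapped by tcpd.
audit_inetd() {
    awk '
        /^[ \t]*#/ || NF < 6 { next }   # skip comments and malformed lines
        {
            n = split($6, p, "/"); daemon = p[n]
            # With TCP wrappers the real daemon is the first argument.
            if (daemon == "tcpd") { n = split($7, p, "/"); daemon = p[n] }
            if (daemon == "in.telnetd")      print $1, "23/tcp", daemon
            else if (daemon == "in.rlogind") print $1, "513/tcp", daemon
        }
    ' "$1"
}

# Usage: sh audit.sh /etc/inetd.conf
if [ $# -gt 0 ]; then
    audit_inetd "$1"
fi
```

Any line of output means a service that hands connections to 'login' is still enabled and should be commented out or restricted at the firewall as described above.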

-- OR --

Apply the appropriate patch. Patches are available from the following vendors:

Sun Microsystems:
108993-18 SunOS 5.8: /usr/bin/login patch
108994-31 SunOS 5.8_x86: /usr/bin/login patch
112300-01 SunOS 5.7:: usr/bin/login Patch
112301-01 SunOS 5.7_x86:: usr/bin/login Patch
105665-04 SunOS 5.6: /usr/bin/login patch
105666-04 SunOS 5.6_x86: /usr/bin/login patch
106160-02 SunOS 5.5.1: /usr/bin/login patch
106161-02 SunOS 5.5.1_x86: /usr/bin/login patch

To access these patches, visit:
http://sunsolve.sun.com/securitypatch

IBM:
IBM's AIX operating system, versions 4.3 and 5.1, are susceptible to this vulnerability.
As of 13 December 2001, IBM has prepared an emergency fix ("efix"), "tsmlogin_efix.tar.Z", available for downloading from ftp://aix.software.ibm.com/aix/efixes/security. The APAR assignment for AIX 5.1 is IY26221, and will be available soon. The APAR for AIX 4.3 is pending, as a new level of 4.3 is nearly available. The README file at the above FTP site will be updated to provide the official fix information and availability.

Caldera International:
Caldera OpenServer is vulnerable. Refer to the Caldera Security Advisory CSSA-2001-SCO.40, available at the following location:
http://stage.caldera.com/support/security

For other distributions:
Contact your vendor for upgrade or patch information.
Related URL CVE-2001-0797 (CVE)