CERT Advisory CA-2001-34 Buffer Overflow in System V Derived Login

Original release date: December 12, 2001
Last revised: --

A complete revision history can be found at the end of this file.
Systems Affected

* IBM AIX versions 4.3 and 5.1
* Hewlett-Packard's HP-UX
* SCO OpenServer 5.0.6 and earlier
* SGI IRIX 3.x
* Sun Solaris 8 and earlier

Overview

Several applications use login for authentication to the system. A
remotely exploitable buffer overflow exists in login derived from
System V. Attackers can exploit this vulnerability to gain root access
to the server.

I. Description

Several implementations of login that are derived from System V allow
a user to specify arguments such as environment variables to the
process. An array of buffers is used to store these arguments. A flaw
exists in the checking of the number of arguments accepted. This flaw
permits the array of buffers to be overflowed.
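The flaw described above, modelled as an added example in C. This is not
login's source and is not from the advisory: it is a stand-in that copies
NAME=value arguments from argv into a fixed array of buffers, once with an
off-by-one count check (store_env_args_vuln) and once with the check done
correctly before the copy (store_env_args_fixed). The capacities, the "-p"
flag handling, the sample arguments and the guard value kept just past the
array are all assumptions made for the model; in the real program the
neighbouring data sat on login's stack, which is what made the overrun
exploitable rather than merely observable.

```c
#include <stdio.h>
#include <string.h>

/* Assumed capacities for this model; the advisory gives no real limits. */
#define MAX_ENV_ARGS 4    /* how many NAME=value arguments the array holds */
#define ENV_BUF_LEN  16   /* size of each buffer in the array             */
#define SENSITIVE_OFF (MAX_ENV_ARGS * ENV_BUF_LEN)
#define GUARD_VALUE "uid=0 guard"   /* assumed: something privileged lives here */

/* One flat arena: MAX_ENV_ARGS buffers, then one more region standing in
 * for whatever login kept just past its array. Keeping it flat means the
 * overrun below stays inside defined memory and can be inspected instead
 * of crashing the process. */
struct login_state {
    char arena[(MAX_ENV_ARGS + 1) * ENV_BUF_LEN];
};

static void state_init(struct login_state *st)
{
    memset(st->arena, 0, sizeof st->arena);
    strcpy(st->arena + SENSITIVE_OFF, GUARD_VALUE);
}

/* Did the data after the array survive the argument copy? */
static int sensitive_intact(const struct login_state *st)
{
    return strcmp(st->arena + SENSITIVE_OFF, GUARD_VALUE) == 0;
}

/* NAME=value with a non-empty NAME, the shape of argument login accepted. */
static int is_env_assignment(const char *arg)
{
    const char *eq = strchr(arg, '=');
    return eq != NULL && eq != arg;
}

/* Vulnerable: the count check uses <=, so the (MAX_ENV_ARGS + 1)th
 * assignment is copied to index MAX_ENV_ARGS, one buffer past the end. */
static int store_env_args_vuln(struct login_state *st, int argc,
                               const char *const *argv)
{
    int n = 0;
    for (int i = 1; i < argc; i++) {
        if (!is_env_assignment(argv[i]))
            continue;                     /* flags such as -p are skipped */
        if (n <= MAX_ENV_ARGS) {          /* BUG: off by one */
            snprintf(st->arena + n * ENV_BUF_LEN, ENV_BUF_LEN, "%s", argv[i]);
            n++;
        }
    }
    return n;
}

/* Fixed: strict bound checked before the copy, and the login is refused
 * (return -1) rather than silently dropping the extra arguments. */
static int store_env_args_fixed(struct login_state *st, int argc,
                                const char *const *argv)
{
    int n = 0;
    for (int i = 1; i < argc; i++) {
        if (!is_env_assignment(argv[i]))
            continue;
        if (n >= MAX_ENV_ARGS)
            return -1;
        snprintf(st->arena + n * ENV_BUF_LEN, ENV_BUF_LEN, "%s", argv[i]);
        n++;
    }
    return n;
}

/* Constructed sample arguments, as a caller such as telnetd might hand
 * them to login. */
static const char *const sample_args[] = {
    "TERM=vt100", "LANG=C", "HOME=/tmp", "SHELL=/bin/sh",
    "PATH=/usr/bin", "EDITOR=vi",
};
#define N_SAMPLE ((int)(sizeof sample_args / sizeof sample_args[0]))

struct demo_result { int stored; int intact; };

/* Run one scenario: "login -p" followed by nargs assignments. */
static struct demo_result demo(int nargs, int use_fixed)
{
    const char *argv[2 + N_SAMPLE];
    int argc = 0;
    argv[argc++] = "login";
    argv[argc++] = "-p";
    if (nargs > N_SAMPLE) nargs = N_SAMPLE;
    for (int i = 0; i < nargs; i++)
        argv[argc++] = sample_args[i];

    struct login_state st;
    state_init(&st);
    struct demo_result r;
    r.stored = use_fixed ? store_env_args_fixed(&st, argc, argv)
                         : store_env_args_vuln(&st, argc, argv);
    r.intact = sensitive_intact(&st);
    return r;
}

int main(void)
{
    for (int fixed = 0; fixed <= 1; fixed++)
        for (int n = MAX_ENV_ARGS; n <= MAX_ENV_ARGS + 1; n++) {
            struct demo_result r = demo(n, fixed);
            printf("%s, %d assignments: stored=%d, data past array %s\n",
                   fixed ? "fixed" : "vuln", n, r.stored,
                   r.intact ? "intact" : "CLOBBERED");
        }
    return 0;
}
```

With MAX_ENV_ARGS assignments both versions behave the same; with one more,
the vulnerable loop reports five stored entries and the guard value is
gone, while the fixed loop returns -1 and leaves it untouched. Rejecting
the login on an over-long argument list is the safer choice: a process
that invokes login with root privileges should not carry on with a partly
processed environment.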

On most systems, login is not suid; therefore, it runs as the user who
called it. If, however, login is called by an application that runs
with greater privileges than those of the user, such as telnetd or
rlogind, then the user can exploit this vulnerability to gain the
privileges of that program. In the case of telnetd or rlogind, root
access is gained.

Since in.telnetd and in.rlogind are available over the network, a
remote attacker without any previous access to the system could use
this vulnerability to gain root access to the system.

Note: if a program that invokes login is suid (or sgid) USER_A, then
this can be exploited to gain the privileges of USER_A.

Exploit code exists and may be circulating.

II. Impact

This vulnerability can be remotely exploited to gain the privileges of
the invoker of login. In the case of a program such as telnetd,
rlogind, or other suid root programs, root access is gained.

III. Solution

Apply a patch from your vendor

Appendix A contains information provided by vendors for this advisory.
As vendors report new information to the CERT/CC, we will update this
section and note the changes in our revision history. If a particular
vendor is not listed below, we have not received their comments.
Please review VU#569272 for your vendor's status or contact your
vendor.

Restrict access to login

Consider disabling TELNET, RLOGIN and other programs that use login
for authentication. Do not use programs that use a vulnerable login
for authentication. Note that some SSH implementations can be
configured to use login for authentication (for example, OpenSSH with
UseLogin enabled); if that configuration is selected, you remain
vulnerable.

If you cannot disable the service, you can limit your exposure to this
vulnerability by using a router or firewall to restrict access to port
23/TCP (telnet) and port 513/TCP (rlogin). Note that this does not
protect you against attackers from within your network, nor against
any other network-reachable program that invokes login.

Appendix A. - Vendor Information

This appendix contains information provided by vendors for this
advisory. As vendors report new information to the CERT/CC, we will
update this section and note the changes in our revision history. If a
particular vendor is not listed below, we have not received their
comments.

Apple

Mac OS X and Mac OS X Server are not vulnerable.

Caldera

We are not using a SystemV based /bin/login; we are using the BSD
originated rlogin tools. All OpenLinux products are 'Not Vulnerable'.

Compaq

Tru64 Software is not impacted by this reported problem.

has determined that its implementation of login is not
vulnerable to the situation described in VU#569272.

Hewlett-Packard

HP-UX is NOT Exploitable, even though HP-UX does have the buffer
overflow, and hence is listed as "affected" above. In any event, the
buffer overflow has been fixed by HP.

IBM

The AIX operating system, versions 4.3 and 5.1, is susceptible to
this vulnerability. We have prepared an emergency fix ("efix"),
"tsmlogin_efix.tar.Z", and it is available for downloading. The APAR
assignment for AIX 5.1 is IY26221, and will be available soon. The
APAR for AIX 4.3 is pending, as a new level of 4.3 is nearly
available. The "README" file at the above FTP site will be updated to
provide the official fix information and availability.

NetBSD

NetBSD does not use a System V derived login, and therefore, NetBSD is
not vulnerable.

Linux does not use a System V derived /bin/login, and is
therefore not vulnerable to this.

Sun Microsystems

Sun has developed a fix and T-patches are being tested. Official
patches will be released shortly and Sun will issue a Sun Security
Bulletin when they are available.

The CERT Coordination Center thanks Internet Security Systems and Sun
Microsystems for the technical information they provided.

Feedback on this document can be directed to the author, Jason A.
Rafail.
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890

CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) /
EDT(GMT-4) Monday through Friday; they are on call for emergencies
during other hours, on U.S. holidays, and on weekends.

We strongly urge you to encrypt sensitive information sent by email.
Our public PGP key is available from our web site. If you prefer to
use DES, please call the CERT hotline for more information.

CERT advisories and other security information are available from
our web site.

"CERT" and "CERT Coordination Center" are registered in the U.S.
Patent and Trademark Office.

Any material furnished by Carnegie Mellon University and the Software
Engineering Institute is furnished on an "as is" basis. Carnegie
Mellon University makes no warranties of any kind, either expressed or
implied, as to any matter including, but not limited to, warranty of
fitness for a particular purpose or merchantability, exclusivity or
results obtained from use of the material. Carnegie Mellon University
does not make any warranty of any kind with respect to freedom from
patent, trademark, or copyright infringement.

Copyright 2001 Carnegie Mellon University.

Revision History

December 12, 2001: Initial Release