-----Forwarded Message-----

--------------------------------------------------------------------------
GLSA: GENTOO LINUX SECURITY ANNOUNCEMENT
--------------------------------------------------------------------------

PACKAGE : shadow
SUMMARY : Bug in /bin/login
DATE    : 8 Apr 2002 19:30:00 UTC

--------------------------------------------------------------------------

OVERVIEW

The /bin/login program contained in the shadow ebuild contains a PAM-related
bug that, in some instances, can allow anyone who has a valid user account
and password to log in as root either from the console or via telnet.

It should be known that Gentoo does not default to allowing telnet access
and ssh is unaffected by this bug. Nevertheless, this is an important
security flaw that should be corrected immediately on all affected systems.

DETAIL

The shadow package's /bin/login code gets the login username from PAM, but
it uses a pointer to a string that can and will get overwritten if
pam_limits.so is active.

Because shadow's login.c doesn't compensate or protect against this, a
disastrous chain of events takes place: the login name is overwritten
with a random string, login.c passes this to getpwnam() which returns NULL,
login.c mis-handles the NULL return value (another bug) and creates a small
pwent structure without a home directory but with other default values in
place that allow you to log in -- and these default values specify a *root*
login, of all things. This bug is triggerable because shadow's login.c
doesn't respect PAM's "too many logins" return value but uses its own value
from /etc/login.defs instead.

It was previously thought that swapping pam_pwdb for pam_unix in
/etc/pam.d/system-auth corrected the above problem. In general, this fixed
the symptoms on nearly all systems, but did not address the root cause of
the security problem. Further examination of the problem revealed that the
real issue was with shadow's /bin/login program.

The implemented solution was to switch over to using util-linux's /bin/login
program, which does not rely on PAM for the username after PAM has
authenticated the user. The new util-linux /bin/login does not have this
bug, which appears to be similar if not identical to the one experienced
with older versions of util-linux. Refer to bugtraq id 3415 concerning that
vulnerability.

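The two login.c defects described in DETAIL, modelled as an added example (this is not the shadow, util-linux or PAM source code): a hypothetical pam_state_t holds the string PAM hands back for the user name, later_pam_stage_clobbers() plays the role the advisory assigns to pam_limits.so, and lookup_user() stands in for getpwnam() with a constructed two-entry table. flawed_login() follows the sequence the advisory describes (pointer into PAM's buffer, then a hand-built pwent on a NULL lookup) and ends up with uid 0; hardened_login() copies the name before any later stage runs and refuses the login when the lookup fails.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for the PAM handle: holds the PAM_USER string that login
 * would read back from PAM. Hypothetical type, not libpam's. */
typedef struct {
    char user_item[64];
} pam_state_t;

/* Minimal password entry; uid is all the check needs. */
typedef struct {
    const char *name;
    unsigned int uid;
    const char *home;
} pwent_t;

/* Constructed user table standing in for /etc/passwd. */
static const pwent_t user_table[] = {
    { "root",  0,    "/root" },
    { "alice", 1000, "/home/alice" },
};

/* Stand-in for getpwnam(): NULL when the name is unknown. */
static const pwent_t *lookup_user(const char *name)
{
    for (size_t i = 0; i < sizeof user_table / sizeof user_table[0]; i++)
        if (strcmp(user_table[i].name, name) == 0)
            return &user_table[i];
    return NULL;
}

/* Models a later PAM stage (the advisory names pam_limits.so) reusing the
 * PAM_USER buffer, so any pointer still aimed at it now reads junk. */
static void later_pam_stage_clobbers(pam_state_t *pam)
{
    snprintf(pam->user_item, sizeof pam->user_item, "%s", "<<clobbered>>");
}

/* The defective flow: keep a pointer into PAM's buffer instead of a copy,
 * and on a NULL lookup fall back to a hand-built pwent whose uid is 0.
 * Returns the uid the session would run as. */
static long flawed_login(const char *authenticated_user)
{
    pam_state_t pam;
    snprintf(pam.user_item, sizeof pam.user_item, "%s", authenticated_user);
    const char *name = pam.user_item;            /* pointer, not a copy */

    later_pam_stage_clobbers(&pam);              /* name now reads junk */

    const pwent_t *pw = lookup_user(name);       /* unknown name: NULL */
    pwent_t fallback = { name, 0, NULL };        /* "small pwent", no home */
    if (pw == NULL)
        pw = &fallback;                          /* mis-handled NULL */
    return (long)pw->uid;
}

/* Hardened flow: take a private copy of the user name immediately after
 * authentication, and treat a failed lookup as a refused login.
 * Returns the uid, or -1 when the login must be refused. */
static long hardened_login(const char *authenticated_user)
{
    pam_state_t pam;
    snprintf(pam.user_item, sizeof pam.user_item, "%s", authenticated_user);
    size_t len = strlen(pam.user_item) + 1;
    char *name = malloc(len);                    /* private copy, taken now */
    if (name == NULL)
        return -1;
    memcpy(name, pam.user_item, len);

    later_pam_stage_clobbers(&pam);              /* our copy is unaffected */

    const pwent_t *pw = lookup_user(name);
    free(name);
    if (pw == NULL)
        return -1;                               /* fail closed */
    return (long)pw->uid;
}

int main(void)
{
    printf("flawed   login as alice  -> uid %ld\n", flawed_login("alice"));
    printf("hardened login as alice  -> uid %ld\n", hardened_login("alice"));
    printf("hardened login as nobody -> %ld\n", hardened_login("nobody"));
    return 0;
}
```

The flawed path returns uid 0 whatever name was authenticated, because the lookup always runs on the clobbered string; the hardened path returns 1000 for alice and -1 for an unknown name. The same fail-closed rule applies to a real getpwnam() call: a NULL return is never a reason to synthesise an account.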
SOLUTION

It is recommended that all Gentoo Linux users update their systems as follows.
Please note that these fixes are included in Gentoo Linux 1.1a and above. All
other Gentoo Linux users should upgrade their systems as follows:

To upgrade affected Gentoo Linux 1.0+ systems automatically (this will also
upgrade other packages unrelated to this security announcement):

    emerge rsync
    emerge --update world

To upgrade affected Gentoo Linux 1.0+ systems (just the affected packages):

    emerge rsync
    emerge sys-apps/shadow
    emerge sys-apps/util-linux

--------------------------------------------------------------------------
jhhudso@g.o
drobbins@g.o
--------------------------------------------------------------------------

--
Daniel Robbins <drobbins@g.o>
Chief Architect/President http://www.gentoo.org
Gentoo Technologies, Inc.