Gentoo Archives: gentoo-announce

From: Daniel Robbins <drobbins@g.o>
To: gentoo-announce@g.o, gentoo-security@g.o
Subject: [gentoo-announce] Security Announcement - Bug in /bin/login
Date: Mon, 08 Apr 2002 15:47:58
-----Forwarded Message-----

--------------------------------------------------------------------------
--------------------------------------------------------------------------

PACKAGE        :shadow
SUMMARY        :Bug in /bin/login
DATE           :8 Apr 2002 19:30:00 UTC

--------------------------------------------------------------------------


 The /bin/login program contained in the shadow ebuild contains a PAM-related
 bug that, in some instances, can allow anyone who has a valid user account 
 and password to log in as root either from the console or via telnet. 

 It should be known that Gentoo does not default to allowing telnet access 
 and ssh is unaffected by this bug.  Nevertheless, this is an important
 security flaw that should be corrected immediately on all affected systems.


 The shadow package's /bin/login code gets the login username from PAM, but
 it keeps only a pointer to a PAM-owned string, and that string can and will
 be overwritten before login.c is finished with it (in practice, when the
 pam_pwdb module is active).

 Because shadow's login.c does not compensate or protect against this, a
 disastrous chain of events takes place: the login name is overwritten with a
 random string, login.c passes this to getpwnam(), which returns NULL, login.c
 mishandles the NULL return value (another bug) and builds a small pwent
 structure without a home directory but with other default values in place
 that allow the login to proceed -- and these default values specify a *root*
 login, of all things.  This bug is triggerable because shadow's login.c does
 not respect PAM's "too many logins" return value but uses its own limit from
 /etc/login.defs instead.
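 The following is an added illustration of the two coding mistakes described
 above, not shadow's or util-linux's actual source. It stands in for PAM with a
 stub whose PAM_USER item lives in a buffer that a later module call overwrites,
 and for getpwnam() with a constructed two-entry passwd table. login_vulnerable()
 keeps PAM's pointer and falls back to a default pwent when the lookup fails;
 login_fixed() copies the name out of PAM-owned memory right away (the approach
 the advisory attributes to util-linux's login) and refuses the login when the
 lookup fails.

```c
/* Model of the shadow /bin/login bug: a dangling pointer into PAM-owned
 * memory plus a NULL-from-getpwnam() fallback whose default uid is 0.
 * Added example; the PAM stub and passwd table are constructed here. */
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

struct pwent {
    const char *name;
    uid_t uid;
    gid_t gid;
    const char *dir;
    const char *shell;
};

/* Constructed passwd table standing in for the system passwd database. */
static const struct pwent passwd_db[] = {
    {"root",  0,    0,    "/root",       "/bin/bash"},
    {"alice", 1000, 1000, "/home/alice", "/bin/bash"},
};

/* Stand-in for getpwnam(): NULL when there is no such user. */
static const struct pwent *lookup_pwnam(const char *name) {
    for (size_t i = 0; i < sizeof passwd_db / sizeof passwd_db[0]; i++)
        if (strcmp(passwd_db[i].name, name) == 0)
            return &passwd_db[i];
    return NULL;
}

/* Stub PAM: the PAM_USER item is a pointer into memory PAM owns. */
static char pam_user_item[64];

static const char *stub_pam_get_user(const char *authenticated_as) {
    snprintf(pam_user_item, sizeof pam_user_item, "%s", authenticated_as);
    return pam_user_item;   /* valid only until PAM touches the buffer again */
}

/* A later module call (the advisory's pam_pwdb case) reuses that memory. */
static void stub_pam_later_activity(void) {
    snprintf(pam_user_item, sizeof pam_user_item, "%s", "garbage-string");
}

/* Vulnerable pattern: hold PAM's pointer across further PAM activity, then
 * look the (now garbage) name up and, on NULL, fall back to a default pwent
 * that has no home directory but uid 0. Returns the uid the session gets. */
int login_vulnerable(const char *authenticated_as) {
    const char *username = stub_pam_get_user(authenticated_as);
    stub_pam_later_activity();                  /* *username is now overwritten */
    const struct pwent *pw = lookup_pwnam(username);
    struct pwent fallback = {username, 0, 0, "", "/bin/sh"};
    if (pw == NULL)
        pw = &fallback;                         /* bug: login proceeds as root */
    return (int)pw->uid;
}

/* Hardened pattern: copy the name out of PAM-owned memory immediately and
 * treat a failed lookup as fatal. Returns the uid, or -1 to refuse login. */
int login_fixed(const char *authenticated_as) {
    char username[64];
    snprintf(username, sizeof username, "%s", stub_pam_get_user(authenticated_as));
    stub_pam_later_activity();                  /* our private copy is unaffected */
    const struct pwent *pw = lookup_pwnam(username);
    if (pw == NULL)
        return -1;                              /* unknown user: refuse, no defaults */
    return (int)pw->uid;
}

int main(void) {
    printf("vulnerable: alice gets uid %d\n", login_vulnerable("alice"));
    printf("fixed: alice gets uid %d\n", login_fixed("alice"));
    printf("fixed: unknown user -> %d (refused)\n", login_fixed("mallory"));
    return 0;
}
```

 Compiled with cc, the vulnerable path hands an ordinary user a uid-0 session
 once the name pointer is clobbered; the fixed path keeps its own copy of the
 name and never substitutes defaults for a missing passwd entry.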

 It was previously thought that swapping pam_pwdb for pam_unix in
 /etc/pam.d/system-auth corrected the above problem. In practice this removed
 the symptoms on nearly all systems, but it did not address the root cause of
 the security problem. Further examination revealed that the real issue was
 with shadow's /bin/login program.

 The implemented solution was to switch over to using util-linux's /bin/login
 program, which does not rely on PAM for the username after PAM has
 authenticated the user.  The util-linux /bin/login does not have this bug,
 which appears to be similar if not identical to the one experienced with
 older versions of util-linux. Refer to Bugtraq ID 3415 concerning that

 All Gentoo Linux users should update their systems. These fixes are already
 included in Gentoo Linux 1.1a and above; users of earlier releases should
 upgrade as follows:

 To upgrade affected Gentoo Linux 1.0+ systems automatically (This will also 
 upgrade other packages unrelated to this security announcement):

 emerge rsync
 emerge --update world

 Upgrade affected Gentoo Linux 1.0+ systems (just affected packages):

 emerge rsync
 emerge sys-apps/shadow
 emerge sys-apps/util-linux

--------------------------------------------------------------------------
--------------------------------------------------------------------------

Daniel Robbins                                  <drobbins@g.o>
Chief Architect/President              
Gentoo Technologies, Inc.