Gentoo Archives: gentoo-announce

From: Daniel Robbins <drobbins@g.o>
To: gentoo-announce@g.o, gentoo-security@g.o
Subject: [gentoo-announce] Security Announcement - Bug in /bin/login
Date: Mon, 08 Apr 2002 15:47:58
Message-Id: 1018298917.13281.86.camel@inventor.gentoo.org
-----Forwarded Message-----

--------------------------------------------------------------------------
GLSA: GENTOO LINUX SECURITY ANNOUNCEMENT
--------------------------------------------------------------------------

PACKAGE : shadow
SUMMARY : Bug in /bin/login
DATE    : 8 Apr 2002 19:30:00 UTC

--------------------------------------------------------------------------

OVERVIEW

The /bin/login program contained in the shadow ebuild contains a PAM-related
bug that, in some instances, can allow anyone who has a valid user account
and password to log in as root either from the console or via telnet.

It should be known that Gentoo does not default to allowing telnet access
and ssh is unaffected by this bug. Nevertheless, this is an important
security flaw that should be corrected immediately on all affected systems.

DETAIL

The shadow package's /bin/login code gets the login username from PAM, but
it keeps a pointer to a string that can and will get overwritten if
pam_limits.so is active.

Because shadow's login.c doesn't compensate or protect against this, a
disastrous chain of events takes place: the login name is overwritten
with a random string; login.c passes this to getpwnam(), which returns NULL;
login.c mishandles the NULL return value (another bug) and creates a small
pwent structure without a home directory but with other default values in
place that allow you to log in -- and these default values specify a *root*
login, of all things. This bug is triggerable because shadow's login.c
doesn't respect PAM's "too many logins" return value but uses its own value
from /etc/login.defs instead.

It was previously thought that swapping pam_pwdb for pam_unix in
/etc/pam.d/system-auth corrected the above problem. In general, this fixed
the symptoms on nearly all systems, but did not address the root cause of
the security problem. Further examination of the problem revealed that the
real issue was with shadow's /bin/login program.

The implemented solution was to switch over to using util-linux's /bin/login
program, which does not rely on PAM for the username after PAM has
authenticated the user. The new util-linux /bin/login does not have this
bug, which appears to be similar if not identical to the one experienced
with older versions of util-linux. Refer to bugtraq id 3415 concerning that
vulnerability.
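
The two defensive rules that follow from the bug described above, as an added
example in C that is not shadow's or util-linux's code: take a private copy of
the PAM-supplied username before any later module can overwrite it, and treat
a NULL from getpwnam() as a hard rejection rather than filling in a default
passwd entry. The NAME_MAX_LEN bound, the login_ctx structure and the "alice"
buffer are constructed for the illustration.

```c
/* Illustrative hardened user lookup for a login program (added example, not
 * shadow's or util-linux's code): copy the PAM-supplied name at once, and
 * fail closed on an unknown account rather than inventing a root entry. */
#define _POSIX_C_SOURCE 200809L
#include <pwd.h>
#include <string.h>
#define NAME_MAX_LEN 32          /* assumed bound on a username */
struct login_ctx {
    char name[NAME_MAX_LEN + 1]; /* owned copy, never a borrowed pointer */
    struct passwd pw;            /* filled only by a successful lookup */
    char pwbuf[1024];            /* string storage for pw (getpwnam_r) */
};
/* Snapshot the name immediately. -1 if missing, empty or too long. */
int capture_user_name(struct login_ctx *ctx, const char *pam_user)
{
    size_t n;
    memset(ctx, 0, sizeof *ctx);
    if (pam_user == NULL) return -1;
    n = strnlen(pam_user, NAME_MAX_LEN + 1);
    if (n == 0 || n > NAME_MAX_LEN) return -1;
    memcpy(ctx->name, pam_user, n + 1);    /* n <= NAME_MAX_LEN, so the NUL fits */
    return 0;
}
/* Resolve the copied name; -1 (reject) if no account exists. Nothing is
 * synthesised on the failure path, so a bad name can never become uid 0. */
int resolve_user(struct login_ctx *ctx)
{
    struct passwd *found = NULL;
    int rc = getpwnam_r(ctx->name, &ctx->pw, ctx->pwbuf, sizeof ctx->pwbuf, &found);
    return (rc == 0 && found != NULL) ? 0 : -1;
}
/* Whole decision: 1 = refuse login, 0 = a real account record was resolved. */
int login_rejected(const char *pam_user)
{
    struct login_ctx ctx;
    if (capture_user_name(&ctx, pam_user) != 0) return 1;
    return resolve_user(&ctx) != 0;
}
/* Why the copy matters: a borrowed pointer into PAM-owned memory goes stale when
 * a later module rewrites that buffer; returns 1 when the owned copy survived. */
int copy_survives_overwrite(void)
{
    char pam_owned[NAME_MAX_LEN + 1] = "alice";   /* constructed stand-in buffer */
    const char *borrowed = pam_owned;             /* pam_get_item()-style pointer */
    struct login_ctx ctx;
    if (capture_user_name(&ctx, borrowed) != 0) return 0;
    strcpy(pam_owned, "x7Qz");                    /* the later overwrite */
    return strcmp(borrowed, "alice") != 0 && strcmp(ctx.name, "alice") == 0;
}
```

With this shape a username that no longer matches any account can only end in
a refused login, never in a fabricated entry.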

SOLUTION

It is recommended that all Gentoo Linux users update their systems. These
fixes are already included in Gentoo Linux 1.1a and above; all other Gentoo
Linux users should upgrade their systems as follows:

To upgrade affected Gentoo Linux 1.0+ systems automatically (this will also
upgrade other packages unrelated to this security announcement):

emerge rsync
emerge --update world

Upgrade affected Gentoo Linux 1.0+ systems (just affected packages):

emerge rsync
emerge sys-apps/shadow
emerge sys-apps/util-linux

--------------------------------------------------------------------------
jhhudso@g.o
drobbins@g.o
--------------------------------------------------------------------------

--
Daniel Robbins <drobbins@g.o>
Chief Architect/President http://www.gentoo.org
Gentoo Technologies, Inc.