/bin/login buffer overflow

telnet-tab-bo (7284) The risk level is classified as HighHigh Risk

Description:

System V (SYSV) derived systems, such as Sun Solaris and AIX, are vulnerable to a static buffer overflow. The implementation of login (known as "/bin/login" for its location in the file system) for such SYSV-derived systems allows remote attackers to execute arbitrary commands on a target system with superuser privileges. Systems are vulnerable to this issue only if certain types of interactive connections are allowed, such as Telnet or rlogin. These services are enabled by default on most platforms.


Consequences:

Gain Access

Remedy:

For vulnerability detection:

Enable the following checks in the ISS Protection Platform:
TelnetTabBO

For Virtual Patch:

Enable the following checks in the ISS Protection Platform:
Telnet_Excessive_Tabs
Rlogin_Excessive_Tabs
Telnet_Solaris_Forced_Login

Block or restrict the following in the ISS Protection Platform as appropriate to the environment:
Port 23

For Manual Protection:

As a workaround, disable all default terminal communications services and install SSH to eliminate the vulnerability.

As of 12 December 2001, Sun is testing a fix. Sun T-patches are available for this vulnerability; contact your Sun representative for more information. Official Sun patches will soon be available at the SunSolve Security Patches Web site. See References.

IBM AIX versions 4.3 and 5.1 are susceptible to this vulnerability. As of 13 December 2001, IBM has prepared an emergency fix ("efix"), "tsmlogin_efix.tar.Z", available from the IBM Efixes FTP site. See References. The APAR assignment for AIX 5.1 is IY26221, and will be available soon. The APAR for AIX 4.3 is pending, as a new level of 4.3 is nearly available. The README file at the above FTP site will be updated to provide the official fix information and availability.

For Caldera OpenServer 5.0.6a and earlier: Apply the appropriate patch for your system, as listed in Caldera Systems, Inc. Security Advisory CSSA-2001-SCO.40. See References.

For Cisco products running on top of Solaris OS:
Refer to Cisco Security Advisory: Solaris /bin/login Vulnerability for upgrade information. See References.

For other distributions:
Contact your vendor for upgrade or patch information.

References:

Platforms Affected:

  • Cisco IDS
  • Cisco Media Gateway Controller
  • Compaq Tru64
  • Data General DG/UX
  • HP HP-UX
  • IBM AIX 4.3
  • IBM AIX 5.1
  • IBM AIX
  • Linux Kernel
  • SCO Caldera OpenServer 5.0.6a and prior
  • SCO SCO Unix
  • SGI IRIX 3.2
  • SGI IRIX 3.3
  • SGI IRIX 3.3.1
  • SGI IRIX 3.3.2
  • SGI IRIX 3.3.3
  • SGI IRIX
  • Sun Solaris
  • WindRiver BSDOS

Reported:

Oct 16, 2001

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page