/bin/login buffer overflow
telnet-tab-bo (7284)
Description:
System V (SYSV) derived systems, such as Sun Solaris and AIX, are vulnerable to a static buffer overflow. The implementation of login (known as "/bin/login" for its location in the file system) for such SYSV-derived systems allows remote attackers to execute arbitrary commands on a target system with superuser privileges. Systems are vulnerable to this issue only if certain types of interactive connections are allowed, such as Telnet or rlogin. These services are enabled by default on most platforms.
Platforms Affected:
- Cisco, IDS
- Cisco, Media Gateway Controller
- Compaq, Tru64
- Data General, DG/UX
- HP, HP-UX
- IBM, AIX 4.3
- IBM, AIX 5.1
- IBM, AIX
- Linux, Kernel
- SCO, Caldera OpenServer 5.0.6a and prior
- SCO, SCO Unix
- SGI, IRIX 3.2
- SGI, IRIX 3.3
- SGI, IRIX 3.3.1
- SGI, IRIX 3.3.2
- SGI, IRIX 3.3.3
- SGI, IRIX
- Sun, Solaris
- WindRiver, BSDOS
Remedy:
For vulnerability detection:
Enable the following checks in the ISS Protection Platform:
- TelnetTabBO
Enable the following checks in the ISS Protection Platform:
- Telnet_Excessive_Tabs
- Rlogin_Excessive_Tabs
- Telnet_Solaris_Forced_Login
Block or restrict the following in the ISS Protection Platform as appropriate to the environment:
- Port 23
For Manual Protection:
As a workaround, disable all default terminal communications services and install SSH to eliminate the vulnerability.
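To confirm the workaround has been applied, the following added example (not part of the original advisory) audits an inetd configuration for active Telnet and rlogin entries. It assumes the host uses a classic inetd.conf layout, where `telnet` and `login` are the standard service names for Telnet and rlogin; the function name and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Report inetd.conf entries that still expose login over Telnet or rlogin.
# Assumption: classic inetd.conf layout, one service per line:
#   service  socket-type  protocol  wait-status  user  server-program  args...

# exposed_login_services FILE
# Prints "<service> <server-program>" for every active telnet/login entry.
# Returns 0 if none are active, 1 if at least one is, 2 if FILE is unreadable.
exposed_login_services() {
    conf=$1
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    awk '
        /^[ \t]*#/ { next }    # commented-out entry: service is disabled
        NF < 6     { next }    # not a complete inetd entry
        $1 == "telnet" || $1 == "login" {
            print $1, $6
            found = 1
        }
        END { exit (found ? 1 : 0) }
    ' "$conf"
}

# Constructed sample (not from a real host): telnet active, rlogin disabled.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample inetd.conf
telnet  stream  tcp6  nowait  root  /usr/sbin/in.telnetd  in.telnetd
#login  stream  tcp6  nowait  root  /usr/sbin/in.rlogind  in.rlogind
ftp     stream  tcp6  nowait  root  /usr/sbin/in.ftpd     in.ftpd
EOF

if exposed_login_services "$sample"; then
    echo "no active Telnet or rlogin entries"
else
    echo "Telnet or rlogin is still enabled: disable it and use SSH"
fi
rm -f "$sample"
```

On a real host, pass the path of the live configuration file (typically /etc/inetd.conf) and have inetd reread it after commenting out the reported entries.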
As of 12 December 2001, Sun is testing a fix. Sun T-patches are available for this vulnerability; contact your Sun representative for more information. Official Sun patches will soon be available at the SunSolve Security Patches Web site. See References.
IBM AIX versions 4.3 and 5.1 are susceptible to this vulnerability. As of 13 December 2001, IBM has prepared an emergency fix ("efix"), "tsmlogin_efix.tar.Z", available from the IBM Efixes FTP site. See References. The APAR assignment for AIX 5.1 is IY26221, and will be available soon. The APAR for AIX 4.3 is pending, as a new level of 4.3 is nearly available. The README file at the above FTP site will be updated to provide the official fix information and availability.
For Caldera OpenServer 5.0.6a and earlier: Apply the appropriate patch for your system, as listed in Caldera Systems, Inc. Security Advisory CSSA-2001-SCO.40. See References.
For Cisco products running on top of Solaris OS:
Refer to Cisco Security Advisory: Solaris /bin/login Vulnerability for upgrade information. See References.
For other distributions:
Contact your vendor for upgrade or patch information.
Consequences:
Gain Access
References:
- BugTraq Mailing List, Wed Dec 19 2001 - 17:04:59 CST, Linux distributions and /bin/login overflow at http://archives.neohapsis.com/archives/bugtraq/2001-12/0206.html.
- BugTraq Mailing List, Wed Oct 02 2002 - 11:13:09 CDT, Solaris 2.6, 7, 8 at http://archives.neohapsis.com/archives/bugtraq/2002-10/0014.html.
- Caldera International, Inc. Security Advisory CSSA-2001-SCO.40, OpenServer: /bin/login and /etc/getty argument buffer overflow at ftp://stage.caldera.com/pub/security/openserver/CSSA-2001-SCO.40/CSSA-2001-SCO.40.txt.
- CERT Advisory CA-2001-34, Buffer Overflow in System V Derived Login at http://www.cert.org/advisories/CA-2001-34.html.
- CIAC Information Bulletin M-031, Buffer Overflow in System V Derived Login at http://www.ciac.org/ciac/bulletins/m-031.shtml.
- Cisco Systems Inc. Security Advisory, 2002 April 10 16:00 (UTC+0000), Solaris /bin/login Vulnerability at http://www.cisco.com/warp/public/707/Solaris-bin-login.shtml.
- IBM Efixes FTP site, Emergency fix ("efix") for tsmlogin at ftp://aix.software.ibm.com/aix/efixes/security/tsmlogin_efix.tar.Z.
- Internet Security Systems Security Alert #105, Buffer Overflow in /bin/login at http://www.iss.net/xforce/alerts/id/advise105.
- SGI Security Advisory 20011201-01-I, Buffer Overflow in System V Derived Login at ftp://patches.sgi.com/support/free/security/advisories/20011201-01-I.
- Sun Microsystems, Inc. Security Bulletin #00213, login at http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/213.
- Sun SunSolve Security Patches Web site, Recommended and Security Patches at http://sunsolve.sun.com/securitypatch.
- BID-3681: Multiple Vendor System V Derived 'login' Buffer Overflow Vulnerability
- BID-5531: RETIRED: Solaris in.telnetd TTYPROMPT Buffer Overflow Vulnerability
- BID-5848: Sun Solaris /bin/login Authentication Bypass Vulnerability
- CVE-2001-0797: Buffer overflow in login in various System V based operating systems allows remote attackers to execute arbitrary commands via a large number of arguments through services such as telnet and rlogin.
- US-CERT VU#569272: System V derived login contains a remotely exploitable buffer overflow
Reported:
Oct 16, 2001
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net
