Date: 23 May 1994 12:16:49 -0400 From: "Kenneth R. van Wyk" Subject: A vulnerability exists in /bin/login on some UNIX platforms. To: ASSIST Bulletins Cc: Automated Systems Security Incident Support Team Reply-to: Automated Systems Security Incident Support Team Content-transfer-encoding: 7BIT -----BEGIN PRIVACY-ENHANCED MESSAGE----- Proc-Type: 4,MIC-CLEAR Content-Domain: RFC822 Originator-Certificate: MIICqjCCAhMCARAwDQYJKoZIhvcNAQECBQAwgYYxC zAJBgNVBAYTAlVTMSswKQYDVQQKEyJEZWZlbnNlIEluZm9ybWF0aW9uIFN5c3Rlb XMgQWdlbmN5MTAwLgYDVQQLEydDZW50ZXIgZm9yIEluZm9ybWF0aW9uIFN5c3Rlb XMgU2VjdXJpdHkxGDAWBgNVBAsTD0NvdW50ZXJtZWFzdXJlczAeFw05MzEyMDkxM zAwNDRaFw05NTEyMDkxMzAwNDRaMIG4MQswCQYDVQQGEwJVUzErMCkGA1UEChMiR GVmZW5zZSBJbmZvcm1hdGlvbiBTeXN0ZW1zIEFnZW5jeTEwMC4GA1UECxMnQ2Vud GVyIGZvciBJbmZvcm1hdGlvbiBTeXN0ZW1zIFNlY3VyaXR5MRgwFgYDVQQLEw9Db 3VudGVybWVhc3VyZXMxEzARBgNVBAsTCk9wZXJhdGlvbnMxGzAZBgNVBAMTEktlb m5ldGggUi4gdmFuIFd5azCBmjAKBgRVCAEBAgIEAAOBiwAwgYcCgYEA87an/VaSD dGo6vyWxeuYagddw7CFtKmrgvExfmcie7QUd7Nd63b31AK6tBeu4LLTsaKXR8d9O yzu+MWQFPS0QkfAa501U3AhSGmdJK8I1sIyGHnIXtiDI6dWDR7d/kFfFCFi1Skbv b5wQzZzwSg5xGJgZLunVwtKkP2dxV8hC+cCAQMwDQYJKoZIhvcNAQECBQADgYEAG B808ZN0Egrl+/A7tXicIVtm9OEMsWVc+P36oh9Ql/IZHc0C5tt4ZrXyeWSXIKlnR cEIHkJqXlBs3/THCZzZqFCJG1rki7kxKNrmmqB2+/bnfK2ZUBjVnW3cHeoEnv/VI MaNWjcrdc+DQpP8pXojfTvxnTuawSOSvyhs13RUC0s= Issuer-Certificate: MIICNTCCAZ4CASIwDQYJKoZIhvcNAQECBQAwRDELMAkGA 1UEBhMCVVMxCzAJBgNVBAgTAk1EMSgwJgYDVQQKEx9UcnVzdGVkIEluZm9ybWF0a W9uIFN5c3RlbXMgUENBMB4XDTk0MDIyNTE0NDkxMloXDTk0MDMwNzE0NDkxMlowg YYxCzAJBgNVBAYTAlVTMSswKQYDVQQKEyJEZWZlbnNlIEluZm9ybWF0aW9uIFN5c 3RlbXMgQWdlbmN5MTAwLgYDVQQLEydDZW50ZXIgZm9yIEluZm9ybWF0aW9uIFN5c 3RlbXMgU2VjdXJpdHkxGDAWBgNVBAsTD0NvdW50ZXJtZWFzdXJlczCBmjAKBgRVC AEBAgIEAAOBiwAwgYcCgYEA19l6BN7iTGYEU61qJETIjBh3iAeHzoL8sZ5KwFRZD S/a1KnYlD1zJHR/KeQCOBWW2HzX43TFLCNGU7UD9i6m8AymLe5IJf/bGh0Rne7Jd Q1GAOLw7/J4hE57IMbGETZpzeU1D9IYxiERRNio/oa422lUlS9JZHLA5jaPNcUrX P8CAQMwDQYJKoZIhvcNAQECBQADgYEApkliqAdudoOxvOFmQkOZbSgtlpn61VcNC R7azDNJa2ulevaebptwSTs2OvMeuR/J0Ez4TC7XrJXLVjI5huRAqc+EWGRpZYRMa CARZyE7gGYjUqS7DIQazfskeWiB8zheyW5tCVn+jnB09AZXtgbM6qRjyqrmSdCpg CtfgazIKqI= Issuer-Certificate: MIIB8jCCAVsCAQEwDQYJKoZIhvcNAQECBQAwRDELMAkGA 1UEBhMCVVMxCzAJBgNVBAgTAk1EMSgwJgYDVQQKEx9UcnVzdGVkIEluZm9ybWF0a W9uIFN5c3RlbXMgUENBMB4XDTkzMDUyODE3MTEyN1oXDTk1MDUyODE3MTEyN1owR DELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAk1EMSgwJgYDVQQKEx9UcnVzdGVkIEluZ m9ybWF0aW9uIFN5c3RlbXMgUENBMIGaMAoGBFUIAQECAgQAA4GLADCBhwKBgQDbL xaRlS3u54yyRgVDI5dcE9nlasL8fJqOGlyo7xH2FZnr3kUfsFj7OGiYsr6UbvqwK nyfMIRUrXDUa64leGmft3SK27psDUHOynRSCc40d/HrDf810U5tnTamBKUIMqivK 4GoL0tMRA1eX6hALAvLLgK1HbnwZAo6GqQGW8CIJQIBAzANBgkqhkiG9w0BAQIFA AOBgQDBp5aC6oV6IuFi8JCctq57bew604HHNllgjjp7zdXafq6jctRg2g91k/yFW h19bJC/tNrb0WVwuZOs5L/FToPMNIIHzaW/YSROBmyhTDYaKHZGj0P1+iNjMbHt9 dm1QEHGIfKgBwFidItnOa74DfkXdijlPRnr/+E2Ib6PM+hEfQ== MIC-Info: RSA-MD5,RSA,ZHen5dpb3HYsVJRCgo4zVS6M3wwgEEpbcUy0bFuiAV6 ObPEqE3g/B1gE7upyRlT6E2PqsosZCNpi3FKCGeKY7FhpYzhUhoHc6C2u2ZFf/Tf Kpz4B+sdK5GTwTDxaE3EMU303tJndkcfvN15aGLbR5jrgQknbmFgkPev69IdAwqM = <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Automated Systems Security Incident Support Team _____ ___ ___ _____ ___ _____ | / /\ / \ / \ | / \ | | / Integritas / \ \___ \___ | \___ | | < et /____\ \ \ | \ | | \ Celeritas / \ \___/ \___/ __|__ \___/ | |_____\ <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Bulletin 94-19 Release date: 23 May 1994, 12:00 AM EDT SUBJECT: A vulnerability exists in /bin/login on some UNIX platforms. SUMMARY: ASSIST has learned of a vulnerability in the UNIX /bin/login. This vulnerability potentially affects all IBM AIX 3 systems, Linux systems, and perhaps other UNIX platforms as well. Information available at the time of this advisory's publication indicates that only IBM AIX 3 and Linux systems are at risk. BACKGROUND: A vulnerability exists in /bin/login on some UNIX platforms. Local and remote users can obtain unauthorized access to any account, including root. This vulnerability has been widely discussed in detail on public Internet forums, therefore ASSIST strongly recommends that system administrators IMMEDIATELY install recommended workarounds and patches until IBM releases an official fix, at which time ASSIST will release an follow-up bulletin. IMPACT: Local and remote users can obtain unauthorized access to any account, including root. RECOMMENDED SOLUTION: ASSIST strongly recommends applying the IBM workarounds or Linux patches. Included with this advisory in appendix A is a list of the vendors which have responded to inquires, and the status of their investigations into this vulnerability report. Also on the ASSIST BBS and anonymous FTP is a file called ASSIST 94-19.readme, which is the living appendix A file. ASSIST will update the file as new information from the vendors is received. A. Description of IBM AIX vulnerability A vulnerability exists in /bin/login on all IBM AIX 3 systems. Impact of IBM AIX vulnerability Remote users can obtain unauthorized root access on the affected hosts. Solution for IBM AIX vulnerability IBM is working on an official fix, which is still under development. The reference number for this fix is APAR IX44254. Until you obtain the official fix from IBM, we encourage you to apply the workarounds or install the emergency fix below. A. Workarounds The recommended workaround is to disable the rlogin daemon: 1. As root, edit /etc/inetd.conf Comment out the line 'login ... rlogin' 2. Run 'inetimp' 3. Run 'refresh -s inetd' B. Emergency fix The emergency fix for the different levels of AIX 3 affected by this vulnerability is available via anonymous FTP from software.watson.ibm.com:/pub/rlogin/rlogin.tar.Z. Installation instructions are included in the README file (which is included in rlogin.tar.Z). Checksum information for rlogin.tar.Z: BSD: 25285 317 SystemV: 13021 633 rlogin.tar.Z MD5: MD5 (rlogin.tar.Z) = 803ee38c2e3b8c8c575e2ff5e921034c C. Official fix The official fix for this problem can be ordered as APAR IX44254. To order an APAR from IBM in the U.S., call 1-800-237-5511 and ask IBM to ship it as soon as it is available. According to IBM, this fix will be available in approximately two weeks. APARs may be obtained outside the U.S. by contacting your local IBM representative. B. Description of Linux vulnerability A vulnerability exists in /bin/login for Linux systems. Impact of Linux vulnerability Any user, remote or local, can obtain unauthorized root access on the affected hosts. Solution for Linux vulnerability A patch that addresses the remote access problem has been made available via anonymous FTP from sunsite.unc.edu: /pub/Linux/system/Network/sunacm/URGENT/README.security /pub/Linux/system/Network/sunacm/URGENT/security.tgz The "security.tgz" file includes other security fixes in addition to the /bin/login patch. Checksum information for README.security: BSD: 09575 1 SystemV: 20945 1 README.security MD5: MD5 (README.security) = 41d14d7b8725c7a1015adeb49601619b Checksum information for security.tgz: BSD: 32878 257 SystemV: 40797 513 security.tgz MD5: MD5 (security.tgz) = dd4585cf4da1b52d25d619bf45f55b75 To address the local access problem, we encourage you to install a version of /bin/login that does not allow the -f option in the form "-f", but only allows this option in the form "-f ", as two arguments. At this time, we do not know which versions of login.c are vulnerable. As we receive additional information, we will update the CA-94:09.README file. Again, we encourage you to check this README file regularly for updates. _________________________________________________________________________ ASSIST would like to thank the CERT Coordination Center for the information contained within this bulletin. _________________________________________________________________________ APPENDIX A. The CERT Coordination Center has received feedback from these vendors, who indicated that all versions of their products on all hardware platforms are not vulnerable: Amdahl Apple BSD BSDI Harris HP Motorola NeXT Pyramid SCO SGI Solbourne Sony Sun The CERT Coordination Center has verified that the following vendor products are not vulnerable: FreeBSD The CERT Coordination Center has received feedback from these vendors, who have made patches available to address the /bin/login vulnerability: IBM workaround: see Section A. Solution for IBM AIX vulnerability. emergency patch: software.watson.ibm.com:/pub/rlogin/rlogin.tar.Z Official patch: APAR IX44254 Linux patch: sunsite.unc.edu:/pub/Linux/system/Network/sunacm/URGENT/* - ------------------------------------------------------------------------- ASSIST is an element of the Defense Information Systems Agency (DISA), Center for Information Systems Security (CISS), that provides service to the entire DoD community. If you are a constituent of the DoD and have any questions about ASSIST or computer security issues, contact ASSIST using one of the methods listed below. If your organization/institution is non-DoD, contact your Forum of Incident Response and Security Teams (FIRST) representative. You can obtain a list of FIRST member organizations and their constituencies by sending email to docserver@first.org with an empty "subject" line and a message body containing the line "send first-contacts". ASSIST INFORMATION RESOURCES: If you would like to be included in the distribution list for these bulletins, send your Milnet (Internet) e-mail address to assist-request@assist.ims.disa.mil. Back issues of ASSIST bulletins, and other security related information, are available from the ASSIST BBS at 703-756-7993/ 1154 DSN 289, and through anonymous FTP from assist.ims.disa.mil (IP address 137.130.234.30). Note: assist.ims.disa.mil will only accept anonymous FTP connections from Milnet addresses that are registered with the NIC or DNS. ASSIST contact information: PHONE: 703-756-7974, DSN 289, duty hours are 06:00 to 22:30 EST Monday through Friday. During off duty hours, weekends, and holidays, ASSIST can be reached via pager at 800-SKY-PAGE (800-759-7243) PIN 2133937. Your page will be answered within 30 minutes, however if a quicker response is required, prefix your phone number with "999". ELECTRONIC MAIL: Send to assist@assist.ims.disa.mil. ASSIST BBS: Leave a message for the "sysop". Privacy Enhanced Mail (PEM): ASSIST uses PEM, a public key encryption tool, to digitally sign all bulletins that are distributed through e-mail. The section of seemingly random characters between the "BEGIN PRIVACY-ENHANCED MESSAGE" and "BEGIN ASSIST BULLETIN" contains machine-readable digital signature information generated by PEM, not corrupted data. PEM software for UNIX systems is available from Trusted Information Systems (TIS) at no cost, and can be obtained via anonymous FTP from ftp.tis.com (IP 192.94.214.100). Note: The TIS software is just one of several implementations of PEM currently available and additional versions are likely to be offered from other sources in the near future. Reference herein to any specific commercial products, process, or service by trade name, trademark manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favoring by ASSIST. The views and opinions of authors expressed herein shall not be used for adverstising or product endorsement purposes. -----END PRIVACY-ENHANCED MESSAGE-----