Buffer Overflow in /bin/login ------------------------------------------------------------------------ SUMMARY ISS X-Force has discovered a serious vulnerability in the "login" program present in Sun Solaris systems. Login allows users to sign on to the system by entering a username and password. This vulnerability allows remote attackers to execute arbitrary commands on a target system with superuser privilege. Systems are vulnerable to this issue only if certain types of interactive connections are allowed, such as Telnet or Rlogin. These services are enabled by default on most platforms. X-Force has learned that an exploit for this vulnerability has been made public. DETAILS Affected versions: Sun Microsystems Solaris 8 and earlier * Note: Additional SysV derived UNIX operating systems may or may not be affected. A static buffer overflow vulnerability is present in the Sun Solaris implementation of "login", otherwise known as "/bin/login" for its location in the file system. Login is executed to authenticate remote users as they initiate clear-text terminal connections over a network. These types of connections are ubiquitous in modern networked environments. Login incorrectly handles long environment variables passed to it by in.telnetd, in.rlogind, or any other similar daemon that operates in conjunction with login. No local account or special knowledge of the target is needed to successfully exploit this vulnerability. There are secure alternatives to using Telnet and Rlogin that are not vulnerable to this issue. Secure Shell (SSH) implements encrypted terminal connections, and it is designed to replace insecure protocols like Telnet and Rlogin. Recent versions of SSH implement their own version of the login program, and are not vulnerable. However, some versions of SSH may be configured to interact with login, and may be vulnerable in this configuration. Recommendations: There is no simple workaround for this issue. However, disabling all default terminal communications services and installing SSH will eliminate the vulnerability. ISS X-Force urges that all vulnerable machines be patched as soon as the vendor releases these updates. This advisory is being released before patches are available, because the exploit for this vulnerability has been made public. Sun Microsystems, Inc. Sun has reproduced the vulnerability and is testing a fix. Sun T-patches are now available for this vulnerability. Official patches will soon be available at the following location: <http://sunsolve.sun.com/securitypatch> http://sunsolve.sun.com/securitypatch ADDITIONAL INFORMATION The information has been provided by <mailto:[EMAIL PROTECTED]> X-Force. ======================================== This bulletin is sent to members of the SecuriTeam mailing list. To unsubscribe from the list, send mail with an empty subject line and body to: [EMAIL PROTECTED] In order to subscribe to the mailing list, simply forward this email to: [EMAIL PROTECTED] ==================== ==================== DISCLAIMER: The information in this bulletin is provided "AS IS" without warranty of any kind. In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages. _______________________________________________ Bits mailing list [EMAIL PROTECTED] http://www.sugoi.org/mailman/listinfo/bits
