14 December, 2001
Buffer Overflow in System V Derived Login

Reference:
Symantec Security Response

Risk Impact:
Medium.
This vulnerability can be remotely exploited to gain privileges of the invoker of login. In the case of a program such as telnetd, rlogind, or other suid root programs, root access is gained.

An exploit may exist; however, Symantec has received no notification that one is in the wild or that the vulnerability is actively being exploited.

Affected:
IBM AIX versions 4.3 and 5.1
Hewlett-Packard's HP-UX
SCO OpenServer 5.0.6 and earlier
SGI IRIX 3.x
Sun Solaris 8 and earlier

Overview:
Several applications use login for authentication to the system. A remotely exploitable buffer overflow exists in login implementations derived from System V. Attackers can exploit this vulnerability to gain root access to the server.

Details:
On 12 December 2001, CERT issued a security advisory, CERT Advisory 2001-034, concerning several implementations of login derived from System V that allow malicious users to pass arguments, such as environment variables, to the process. These arguments are stored in an array of buffers. A flaw in the check on the number of arguments accepted permits that array of buffers to be overflowed.

On most systems, login is not suid; therefore, it runs as the user who called it. If, however, login is called by an application that runs with greater privileges than those of the user, such as telnetd or rlogind, then the user can exploit this vulnerability to gain the privileges of that program. In the case of telnetd or rlogind, root access is gained.

Since in.telnetd and in.rlogind are available over the network, a remote attacker without any previous access to the system could use this vulnerability to gain root access to the system.

If a program that invokes login is suid (or sgid) USER_A, then this can be exploited to gain the privileges of USER_A.

Symantec Response:
It is recommended that administrators disable TELNET, RLOGIN and other programs that use login for authentication. Do not use programs that use a vulnerable login for authentication. Note that some SSH applications can be configured to use login for authentication. If this configuration is selected, then you will still be vulnerable.

If you cannot disable the service, you can limit your exposure to these vulnerabilities by using a router or firewall to restrict access to port 23/TCP (telnet) and port 513/TCP (rlogin). Note that this does not protect you against attackers from within your network. You should also contact your vendor for patches.
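An audit helper for the two exposures named above (telnet and rlogin services enabled through inetd, and an SSH daemon configured to authenticate through login), added here as an example and not part of the Symantec bulletin. It assumes the classic inetd.conf layout (rlogind is registered under the service name "login", 513/TCP) and OpenSSH's `UseLogin` keyword; the sample configuration files are constructed.

```shell
#!/bin/sh
# Added audit helper, not from the Symantec bulletin. It checks an inetd.conf
# for the telnet and rlogin services (rlogind is registered as "login", 513/TCP)
# and an sshd_config for "UseLogin yes", the OpenSSH option that hands
# authentication to login. File paths are passed in; no system files are read.

# Exit 0 if the inetd.conf enables telnet or rlogin; comment lines are ignored.
inetd_uses_login() {
    grep -v '^[[:space:]]*#' "$1" |
        awk '$1 == "telnet" || $1 == "login" { found = 1 }
             END { exit found ? 0 : 1 }'
}

# Exit 0 if sshd_config sets UseLogin yes (keyword match is case-insensitive).
sshd_uses_login() {
    grep -v '^[[:space:]]*#' "$1" |
        awk 'tolower($1) == "uselogin" && tolower($2) == "yes" { found = 1 }
             END { exit found ? 0 : 1 }'
}

# Print each finding and return the finding count (0 means nothing found).
audit_login_exposure() {
    findings=0
    if inetd_uses_login "$1"; then
        echo "FINDING: telnet/rlogin enabled in $1 (disable, or filter 23/TCP and 513/TCP)"
        findings=$((findings + 1))
    fi
    if sshd_uses_login "$2"; then
        echo "FINDING: UseLogin yes in $2 (sshd authenticates through login)"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample configs for a stand-alone run (not from any real host).
tmpdir=$(mktemp -d)
cat >"$tmpdir/inetd.conf" <<'EOF'
#telnet stream tcp nowait root /usr/sbin/in.telnetd in.telnetd
ftp     stream tcp nowait root /usr/sbin/in.ftpd    in.ftpd
login   stream tcp nowait root /usr/sbin/in.rlogind in.rlogind
EOF
printf 'Port 22\nUseLogin yes\n' >"$tmpdir/sshd_config"

if audit_login_exposure "$tmpdir/inetd.conf" "$tmpdir/sshd_config"; then
    echo "no findings"
else
    echo "findings: $?"
fi
rm -rf "$tmpdir"
```

On the constructed sample the commented-out telnet line is ignored, the active rlogin line and the UseLogin setting each produce a finding, and the script reports two findings.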

Symantec recommends the following industry best practices to protect against these and other vulnerabilities:

  • Regularly apply vendor patches and updates to your servers to fix security vulnerabilities.
  • Remove any services that are not needed to conduct business. Any service is a point of exposure and may contain discovered and undiscovered vulnerabilities.
  • Enforce a strong password policy.
Symantec's Enterprise Security Manager manages these important best practices. Patches are managed through the ESM patch module. ESM's startup files module detects running services in violation of your security policy, and the password strength module detects inadequate passwords. A policy has been released and is available for download here.

CVE:
The Common Vulnerabilities and Exposures (CVE) initiative has assigned the name CAN-2001-0797 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

Credit:
Internet Security Systems Security Advisory # 105 dated December 12, 2001.

Copyright (c) 2001 by Symantec Corp.
Permission to redistribute this Bulletin electronically is granted as long as it is not edited in any way unless authorized by Symantec Security Response. Reprinting the whole or part of this Bulletin in any medium other than electronic requires permission from SymSecurity@symantec.com.
Disclaimer:
The information in the advisory is believed to be accurate at the time of printing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect or consequential loss or damage arising from use of, or reliance on this information. Symantec, Symantec Security Response and SymSecurity are Registered Trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.


Last modified on: Friday, 21-Dec-01 01:00:07