SunOS not vulnerable to rlogin bug (CERT CA-97.06)

SunOS not vulnerable to rlogin bug (CERT CA-97.06)

Post by Mark Gra » Tue, 11 Feb 1997 04:00:00



Many people have been asking me whether SunOS is vulnerable to the rlogin
attack described in CERT advisory CA-97.06, released this week. It is not.

I have checked the source for each release and find that the variable
affected by the overflow attack is not kept on the stack. Thus no such attack
can succeed.

Under normal conditions this information would have been included in the
bulletin. However I was not able to supply the information before the
publication deadline. I certainly apologize for any inconvenience resulting
from the lack of this information.

-mg-

Mark Graff
Sun Security Coordinator


SunOS not vulnerable to rlogin bug (CERT CA-97.06)

Post by William Unr » Tue, 11 Feb 1997 04:00:00



*>Many people have been asking me whether SunOS is vulnerable to the rlogin
*>attack described in CERT advisory CA-97.06, released this week. It is not.

*>I have checked the source for each release and find that the variable
*>affected by the overflow attack is not kept on the stack. Thus no such attack
*>can succeed.

*>Under normal conditions this information would have been included in the
*>bulletin. However I was not able to supply the information before the
*>publication deadline. I certainly apologize for any inconvenience resulting
*>from the lack of this information.

Useful information. However SunOS rlogin does not properly check the
variable since if you hand it too long a TERM variable, it does crash
rlogin.
--
Bill Unruh



SunOS not vulnerable to rlogin bug (CERT CA-97.06)

Post by Thomas H. Ptac » Tue, 11 Feb 1997 04:00:00



>I have checked the source for each release and find that the variable
>affected by the overflow attack is not kept on the stack. Thus no such attack
>can succeed.

This is a massive assumption. In what segment IS it kept, Mr. Graff, and
what else is in that segment?

--
----------------

----------------
exit(main(kfp->kargc, argv, environ));


SunOS not vulnerable to rlogin bug (CERT CA-97.06)

Post by Casper H.S. Dik - Network Security Engine » Wed, 12 Feb 1997 04:00:00




>>I have checked the source for each release and find that the variable
>>affected by the overflow attack is not kept on the stack. Thus no such attack
>>can succeed.
>This is a massive assumption. In what segment IS it kept, Mr. Graff, and
>what else is in that segment?

I can answer that; it's in the data segment.  After the term variable,
it's mostly terminal setting (ttyflags, winsize), stdio flags.

The code in rlogin looks like this:

        s = getenv("TERM");
        if (s)
            strcpy(term, s);

        strcat(term,"/");
        strcat(term,speeds[<ttyspeed>]);

Whatever string you use to overflow, shortly after "term", the strings
used for "speeds" live.  Once you overflow into those, the strcat will
not end as you're strcat'ing the end of the overflown buffer to itself,
a process that doesn't finish until strcat hits the end of the data segment.

I'm fairly confident that you can't abuse this.  However, since
programs shouldn't core dump the buffer overflow is fixed in the next
release, but it doesn't look like a security problem from where I stand.

Casper

--
Expressed in this posting are my opinions.  They are in no way related
to opinions held by my employer, Sun Microsystems.
Statements on Sun products included here are not gospel and may
be fiction rather than truth.
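An added example, not code from this thread or from Sun's rlogin: a bounded replacement for the strcpy/strcat sequence Casper quotes, which builds "<TERM>/<speed>" with snprintf and rejects an over-long TERM instead of writing past the buffer into whatever follows it in the data segment. The buffer size, the speeds table, the speed index and the handling of an unset TERM are all assumed here.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Sizes and the speeds table are constructed for this example; the real
 * rlogin's values are not given in the thread. The layout follows Casper
 * Dik's description: a fixed-size term buffer with the speeds strings
 * living shortly after it in the data segment. */
#define TERM_LEN 64

static char term[TERM_LEN];
static const char *speeds[] = { "300", "1200", "2400", "9600", "19200", "38400" };
#define NSPEEDS (sizeof speeds / sizeof speeds[0])

/* Bounded replacement for the quoted strcpy/strcat sequence.
 * Builds "<TERM>/<speed>" into dst (dstlen bytes) and returns 0, or
 * returns -1 and leaves dst empty when the result would not fit or the
 * speed index is out of range, rather than writing past the buffer. */
int build_term(char *dst, size_t dstlen, const char *envterm, int ttyspeed)
{
    if (dstlen == 0)
        return -1;
    dst[0] = '\0';
    if (envterm == NULL)
        envterm = "";            /* assumed: unset TERM contributes nothing */
    if (ttyspeed < 0 || (size_t)ttyspeed >= NSPEEDS)
        return -1;
    int n = snprintf(dst, dstlen, "%s/%s", envterm, speeds[ttyspeed]);
    if (n < 0 || (size_t)n >= dstlen) {
        dst[0] = '\0';           /* would have been truncated: reject it */
        return -1;
    }
    return 0;
}

int main(void)
{
    /* TERM comes from the environment exactly as in the quoted code;
     * the speed index 3 ("9600") is an assumed value for the demo. */
    if (build_term(term, sizeof term, getenv("TERM"), 3) != 0) {
        fprintf(stderr, "TERM too long or bad speed index; refusing\n");
        return 1;
    }
    printf("term = \"%s\"\n", term);
    return 0;
}
```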


SunOS not vulnerable to rlogin bug (CERT CA-97.06)

Post by Thomas H. Ptac » Wed, 12 Feb 1997 04:00:00



>I can answer that; it's in the data segment.  After the term variable,

Thanks for an exceptionally informative answer, Mr. Dik.

I understand and accept that rlogin may not be vulnerable to the
CERT-reported problem; my point, which I appear to have miscommunicated,
was that "that variable isn't in the stack, it's not a problem" is a bad
assumption.

Sorry for any misunderstandings.

--
----------------

----------------
exit(main(kfp->kargc, argv, environ));


SunOS not vulnerable to rlogin bug (CERT CA-97.06)

Post by Casper H.S. Dik - Network Security Engine » Thu, 13 Feb 1997 04:00:00



>I understand and accept that rlogin may not be vulnerable to the
>CERT-reported problem; my point, which I appear to have miscommunicated,
>was that "that variable isn't in the stack, it's not a problem" is a bad
>assumption.

That I agree with, though when it's on the stack, it's usually a problem and
when it's not, it's much harder to determine whether it is or isn't.
Data segment overflows require careful study.

I also recall several data segment problems, one in rdist which allowed
you to zero out the user variable and one in sendmail which allowed you
to negatively index an array and write random values on random
places in the data segment.

Casper
--
Expressed in this posting are my opinions.  They are in no way related
to opinions held by my employer, Sun Microsystems.
Statements on Sun products included here are not gospel and may
be fiction rather than truth.


SunOS not vulnerable to rlogin bug (CERT CA-97.06)

Post by Mark Gra » Fri, 14 Feb 1997 04:00:00




>>I understand and accept that rlogin may not be vulnerable to the
>>CERT-reported problem; my point, which I appear to have miscommunicated,
>>was that "that variable isn't in the stack, it's not a problem" is a bad
>>assumption.

Yes, I suppose that is a fair criticism. It appears you read that sentence
more carefully than I wrote it.

-mg-


SunOS not vulnerable to rlogin bug (CERT CA-97.06)

Post by Bradley M. Ku » Fri, 14 Feb 1997 04:00:00



>Many people have been asking me whether SunOS is vulnerable to the rlogin
>attack described in CERT advisory CA-97.06, released this week. It is not.

All versions of SunOS?  You could be more specific here...

>-mg-

>Mark Graff
>Sun Security Coordinator

Well, I am still wondering, since this message is *not* PGP signed, or
authenticated in any other way....

Can't this information be passed to CERT and have them release the info?
--
                             Bradley M. Kuhn
                       http://www.smart.net/~bkuhn

        Geek code, favorite quotes, PGP public key, et al. on WWW page


SunOS not vulnerable to rlogin bug (CERT CA-97.06)

Post by Mark Gra » Sun, 16 Feb 1997 04:00:00




>>Many people have been asking me whether SunOS is vulnerable to the rlogin
>>attack described in CERT advisory CA-97.06, released this week. It is not.

>All versions of SunOS?  You could be more specific here...

>>-mg-

>>Mark Graff
>>Sun Security Coordinator

>Well, I am still wondering, since this message is *not* PGP signed, or
>authenticated in any other way....

>Can't this information be passed to CERT and have them release the info?
>--

Now I am wondering why I bothered trying to help folks by posting my note
in the first place. Gracious.

>Can't this information be passed to CERT and have them release the info?

1. I believe I explained in my original note what happened. I certainly did in
one draft. In any event: I didn't provide the info to CERT soon enough for
them to include it in the original advisory. There are several reasons for this,
none of which I propose to explain here. I think if you check now you
will see that they have updated the Sun entry.

>All versions of SunOS?  You could be more specific here...

2. By "SunOS" I indeed intended to subsume all versions of SunOS, i.e.,
4.1.x and also 5.x (often called "Solaris").

>Well, I am still wondering, since this message is *not* PGP signed, or
>authenticated in any other way....

3. I suppose ideally I would PGP-sign every such announcement, including my
postings and security bulletins. But I don't. One reason: time and simple inertia
(some might call it indolence). Another reason: only two or three of the
thousands of people I have corresponded with on these subjects have ever
asked for this. The final reason: you meet the nicest people when they call
or write to verify something you wrote!

If the lack of a PGP signature represents a serious impediment to my
comments being taken seriously, tell me about it, folks, and I will see
about mending my ways.

-mg-

Mark Graff

Sun Security Coordinator

415-786-5274


1. rlogin vulnerability: CERT Advisory CA-97.06

In the recent CERT advisory for the rlogin problem, APAR IX57972 is
listed as the fix for AIX 4.1.  This fix is contained in fileset
bos.net.tcp.client.4.1.4.13 (and perhaps others).

Does anyone know if this fix is just contained within the rlogin
executable, or if other parts of the fileset are needed?  On some of
our systems we'd like to get away with just distributing a new rlogin
instead of installing that fileset and all of its prerequisites, if
possible.

-Phil                   Cornell Theory Center
