Security bug: BSD login.c version "5.73 (Berkeley) 6/29/91"


Post by Stephen Ush » Thu, 26 May 1994 22:16:36



Thanks to one of the users of my MiNTOS package I have tracked down a bug in
the BSD-net2 version of login.c which allows anyone who has an account on
the machine to gain root privileges.

The version of login.c has the following sccsid line:-


The bug is that it doesn't reset the root login flag after an unsuccessful
attempt to login as root. The upshot of this is that if a person first
attempts to login as root, fails, then logs in as him/herself, he/she has a
uid of 0!

The fix is to add the line:-

                rootlogin = 0;

After the code:-

                if (pwd && !rval)
                        break;

I don't know if there are any other versions of this code which also have
the same problem.

I suggest that if you have a Net2-BSD derived system you check login.c and
fix it ASAP.

Steve
--
---------------------------------------------------------------------------
Computer Systems Administrator, Dept. of Earth Sciences, Oxford University.

Tel:- Oxford (0865) 282110 (UK) or +44 865 282110 (International).
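
The stale-flag behaviour described in the post above, as an added example that is not part of the original post and is not the BSD source. It is a simplified model: the account table, login_model() and reset_flag are hypothetical names, and it assumes the flag is set when a uid 0 name is looked up and later decides the session uid.

```c
/* Simplified model of the retry loop the post describes; NOT the real login.c. */
#include <stdio.h>
#include <string.h>

struct account { const char *name; const char *pass; int uid; };
static const struct account accounts[] = {      /* constructed sample data */
    { "root",  "r00t-secret", 0 },
    { "alice", "alice-pw",    1001 },
};

struct attempt { const char *name; const char *pass; };

static const struct account *lookup(const char *name) {
    for (size_t i = 0; i < sizeof accounts / sizeof accounts[0]; i++)
        if (strcmp(accounts[i].name, name) == 0)
            return &accounts[i];
    return NULL;
}

/* Returns the uid the session would run with, or -1 if every attempt fails.
 * reset_flag = 0 models the reported behaviour, 1 models the posted fix. */
int login_model(const struct attempt *tries, int ntries, int reset_flag) {
    const struct account *pwd = NULL;
    int rootlogin = 0, rval = 1;

    for (int i = 0; i < ntries; i++) {
        pwd = lookup(tries[i].name);
        if (pwd && pwd->uid == 0)
            rootlogin = 1;      /* assumed: set on name lookup, before the password check */
        rval = pwd ? strcmp(tries[i].pass, pwd->pass) : 1;
        if (pwd && !rval)
            break;              /* authenticated: leave the retry loop */
        if (reset_flag)
            rootlogin = 0;      /* the line the post adds after the break */
    }
    if (!pwd || rval)
        return -1;
    return rootlogin ? 0 : pwd->uid;   /* assumed: the flag decides the final uid */
}

int main(void) {
    /* Failed root attempt followed by a successful ordinary login. */
    const struct attempt seq[] = { { "root", "wrong" }, { "alice", "alice-pw" } };
    printf("without reset: uid %d\n", login_model(seq, 2, 0));
    printf("with reset:    uid %d\n", login_model(seq, 2, 1));
    return 0;
}
```

The general point for review is that any per-attempt state in an authentication retry loop has to be cleared on every failed pass, not only initialised once before the loop.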

 
 
 

Security bug: BSD login.c version "5.73 (Berkeley) 6/29/91"

Post by Karl Strickla » Fri, 27 May 1994 02:54:48



>  Thanks to one of the users of my MiNTOS package I have tracked down a bug in
>  the BSD-net2 version of login.c which allows anyone who has an account on
>  the machine to gain root privileges.

>  The version of login.c has the following sccsid line:-


>  The bug is that it doesn't reset the root login flag after an unsuccessful
>  attempt to login as root. The upshot of this is that if a person first
>  attempts to login as root, fails, then logs in as him/herself, he/she has a
>  uid of 0!

>  The fix is to add the line:-

>               rootlogin = 0;

>  After the code:-

>               if (pwd && !rval)
>                       break;

>  I don't know if there are any other versions of this code which also have
>  the same problem.

>  I suggest that if you have a Net2-BSD derived system you check login.c and
>  fix it ASAP.

Thanks for the info.  I just checked the following systems and they do NOT
have this bug:

        FreeBSD 1.0.2, FreeBSD 1.1 and FreeBSD-current
        NetBSD-current
        BSDI's BSD/386 1.1
        BSD 4.4

The above versions are the only ones I have access to, so that's all I could
check.  In most cases, earlier versions than those above are probably fixed
also.  (e.g. NetBSD 0.9?)
--
------------------------------------------+-----------------------------------
Posted using GNUS 4.1 on FreeBSD          |                    Karl Strickland



 
 
 

1. (fwd) Security bug: BSD login.c version "5.73 (Berkeley) 6/29/91"

Newsgroups: comp.security.misc,comp.security.unix
Path: ddsw1!news.kei.com!MathWorks.Com!europa.eng.gtefsd.com!gatech!swrinde!pipex!uknet!comlab.ox.ac.uk!steve

Subject: Security bug: BSD login.c version "5.73 (Berkeley) 6/29/91"


Organization: Dept of Earth Sciences, Oxford University, UK.
Date: Wed, 25 May 1994 13:16:36 GMT
Lines: 34
Xref: ddsw1 comp.security.misc:9850 comp.security.unix:5831
