
[luga] [langford@karman.tam.uiuc.edu: [linux-alert] rlogin authentication bug]

-----Forwarded message from "Jacob A. Langford" <langford@karman.tam.uiuc.edu>-----

Date: Tue, 30 Sep 1997 11:03:05 -0500
From: langford@karman.tam.uiuc.edu (Jacob A. Langford)
Message-Id: <199709301603.LAA19618@karman.tam.uiuc.edu>
To: linux-security@redhat.com
X-Mailing-List: <linux-alert@redhat.com> archive/latest/33
Subject: [linux-alert] rlogin authentication bug


I have discovered a bug in the rhost module of Linux-PAM-0.57.  This
bug leads to a vulnerability in the remote login authentication, with
the effect that ordinary user accounts may not be password protected.  

There is only one case when the bug causes a vulnerability:

The problem case is when the user's .rhost file has the name of a machine
with *more than one IP address* as the *final* entry.

To be explicit, here are two example .rhost files:  One of them
leaves an account wide open, the other does not.

----------------                 -----------------------

karman.tam.uiuc.edu              vn.nas.nasa.gov
vn.nas.nasa.gov                  karman.tam.uiuc.edu

Note that vn.nas.nasa.gov has two IP addresses.  Thus, as the final
entry of a .rhost file, it leaves the user's account wide open, i.e.
any other user of the same name can log in to that account from any
machine without a password.

The problem is in the rhost module of PAM.  The module calls
gethostbyname() in two locations, once for the connecting machine,
then once for each named entry in the .rhosts file.  The call returns
a structure with a pointer to a list of IP addresses stored as unsigned
longs.  Since there may be multiple IP addresses, the PAM code uses a
while loop over the addresses of the connecting machine, then another 
while loop over the addresses of the machines named in .rhosts.  
These while loops are terminated by a null pointer in the address list.
Apparently gethostbyname does not allocate new memory for the unsigned
longs each time it is called.  Thus the calls to gethostbyname() for
the .rhosts entries clobber the subsequent IP addresses of the connecting
machine.  If the final .rhost entry is a name with multiple IP addresses,
the null terminator gets replaced with the second IP address of the 
final entry in the .rhost file.  The second iteration of the while loop
on the connecting machine now sets the IP number of the connecting machine
to the IP number of the final entry in the .rhosts file.  A match follows
and the account is open. 


Unfortunately, the effects of this vulnerability reach beyond the Linux
community.  For example, users named langford have been able to walk 
into my Linux account for months.  From that Linux account, user langford
could freely rlogin to other departmental machines and NASA government 
machines.  In particular, administrators of sites with multiple IP 
addresses might consider disabling rlogin access to their machines, with
the understanding that not all Linux users will fix the rlogin problem.


I removed the loop that goes over IP numbers of the connecting machine.
IMO this is not particularly important.  The only case is if I have .rhost
entry by IP number, not name, of a machine I connect *from* with multiple
IP addresses.  If I refer to the connecting machine by *name* in the .rhost
file, the remaining while loop takes care of everything for me.  One of the
IP addresses will still match.  For me this fix is suitable, although I 
hope someone can fix the PAM module in a better way.

Until the PAM module is updated, users should check that the last entry
of their .rhost file only has one IP address.  They can use the command
nslookup, for example.

Jacob Langford

-----End of forwarded message-----

   _  | Peter J. Holzer             | If I were God, or better yet
|_|_) | Sysadmin WSR                | Linus, I would ...
| |   | hjp@wsr.ac.at               |     -- Bill Davidsen
__/   | http://wsrx.wsr.ac.at/~hjp/ |        (davidsen@tmr.com)
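The forwarded message describes the mechanism in prose only. The following is an added example, not code from Linux-PAM or from Jacob Langford: it models the nested matching loop with a constructed stand-in, fake_gethostbyname(), that behaves like the classic libc gethostbyname() in the one respect that matters here, namely that every call returns the same static result buffer and overwrites what the previous call returned. The host names and addresses (attacker.example, trusted.example, multi.example and the 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 documentation ranges) are constructed for the demonstration, and the user-name comparison that the real module also performs is left out. rhosts_match_vulnerable() follows the pattern the message describes and produces a false match exactly when the multi-address host is the final entry; rhosts_match_fixed() copies the connecting host's whole address list before any further lookup, which is the general repair for any static-buffer API (on modern systems getaddrinfo() returns a freshly allocated result and avoids the problem entirely).

```c
/* Added example (not the Linux-PAM code): model of the .rhosts matching
 * loop from the message.  fake_gethostbyname() stands in for libc's
 * gethostbyname(), which returns a pointer to one static result that the
 * next call overwrites.  All host names and addresses are constructed. */
#include <stdio.h>
#include <string.h>
#include <netdb.h>
#include <arpa/inet.h>
#include <netinet/in.h>

#define MAX_ADDRS 4

/* Static result buffer shared by every call, as in the classic API. */
static struct in_addr  fake_addr_storage[MAX_ADDRS];
static struct in_addr *fake_addr_list[MAX_ADDRS + 1];
static struct hostent  fake_result;

/* Constructed name table: "multi.example" has two addresses. */
static const struct { const char *name; const char *addrs[MAX_ADDRS]; } fake_table[] = {
    { "attacker.example", { "192.0.2.10", NULL } },
    { "trusted.example",  { "198.51.100.5", NULL } },
    { "multi.example",    { "203.0.113.1", "203.0.113.2", NULL } },
};

static struct hostent *fake_gethostbyname(const char *name)
{
    for (size_t i = 0; i < sizeof fake_table / sizeof fake_table[0]; i++) {
        if (strcmp(fake_table[i].name, name) != 0)
            continue;
        size_t n = 0;
        while (n < MAX_ADDRS && fake_table[i].addrs[n] != NULL) {
            inet_pton(AF_INET, fake_table[i].addrs[n], &fake_addr_storage[n]);
            fake_addr_list[n] = &fake_addr_storage[n];
            n++;
        }
        fake_addr_list[n] = NULL;      /* terminator: the next lookup moves it */
        fake_result.h_addrtype  = AF_INET;
        fake_result.h_length    = sizeof(struct in_addr);
        fake_result.h_addr_list = (char **)fake_addr_list;
        return &fake_result;
    }
    return NULL;
}

/* Pattern the message describes: the loop over the connecting host's
 * addresses keeps walking the static list while inner lookups rewrite it.
 * Only the current address value is copied, so the NULL terminator is what
 * gets clobbered when the final entry resolves to more than one address. */
int rhosts_match_vulnerable(const char *connecting_host,
                            const char *const *rhosts, size_t n_rhosts)
{
    struct hostent *ch = fake_gethostbyname(connecting_host);
    if (ch == NULL)
        return 0;
    for (char **ap = ch->h_addr_list; *ap != NULL; ap++) {
        struct in_addr conn;
        memcpy(&conn, *ap, sizeof conn);
        for (size_t i = 0; i < n_rhosts; i++) {
            struct hostent *rh = fake_gethostbyname(rhosts[i]);   /* overwrites ch's list */
            if (rh == NULL)
                continue;
            for (char **rp = rh->h_addr_list; *rp != NULL; rp++)
                if (memcmp(&conn, *rp, sizeof conn) == 0)
                    return 1;
        }
    }
    return 0;
}

/* Repair: copy the connecting host's entire address list into local
 * storage before any further lookup can touch the static buffer. */
int rhosts_match_fixed(const char *connecting_host,
                       const char *const *rhosts, size_t n_rhosts)
{
    struct hostent *ch = fake_gethostbyname(connecting_host);
    if (ch == NULL)
        return 0;
    struct in_addr conn_addrs[MAX_ADDRS];
    size_t n_conn = 0;
    for (char **ap = ch->h_addr_list; *ap != NULL && n_conn < MAX_ADDRS; ap++)
        memcpy(&conn_addrs[n_conn++], *ap, sizeof conn_addrs[0]);
    for (size_t c = 0; c < n_conn; c++)
        for (size_t i = 0; i < n_rhosts; i++) {
            struct hostent *rh = fake_gethostbyname(rhosts[i]);
            if (rh == NULL)
                continue;
            for (char **rp = rh->h_addr_list; *rp != NULL; rp++)
                if (memcmp(&conn_addrs[c], *rp, sizeof conn_addrs[0]) == 0)
                    return 1;
        }
    return 0;
}

int main(void)
{
    const char *const multi_last[]  = { "trusted.example", "multi.example" };
    const char *const multi_first[] = { "multi.example", "trusted.example" };
    printf("vulnerable, multi-address host last : %d\n",
           rhosts_match_vulnerable("attacker.example", multi_last, 2));   /* 1: false match */
    printf("vulnerable, multi-address host first: %d\n",
           rhosts_match_vulnerable("attacker.example", multi_first, 2));  /* 0 */
    printf("fixed, multi-address host last      : %d\n",
           rhosts_match_fixed("attacker.example", multi_last, 2));        /* 0 */
    printf("fixed, genuinely trusted host       : %d\n",
           rhosts_match_fixed("trusted.example", multi_last, 2));         /* 1 */
    return 0;
}
```

The two orderings of the same two entries reproduce the left and right example files in the message: with the two-address host last, the vulnerable loop reports a match for a host that appears nowhere in the list, and with it first the NULL terminator survives and the check is correct. The fixed version gives the right answer in both orders, which is the property to test for whenever a lookup routine hands back a pointer into storage it owns.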

linux user group austria;
Last modified:
September 2010