2103021 : /bin/login buffer overflow

High RiskHigh Risk

Quick Links

Event description Jump to the top of this document

System V (SYSV) derived systems, such as Sun Solaris and AIX, are vulnerable to a static buffer overflow. The implementation of login (known as "/bin/login" for its location in the file system) for such SYSV-derived systems allows remote attackers to execute arbitrary commands on a target system with superuser privileges. Systems are vulnerable to this issue only if certain types of interactive connections are allowed, such as Telnet or rlogin. These services are enabled by default on most platforms.

Products that have this security check Jump to the top of this document

Telnet_Solaris_Forced_Login

This signature looks for an excessive number of white space characters in the login line, which may indicate an attempt to cause a vulnerable solaris telnet server to force a shell login without authentication.


Affected platforms Jump to the top of this document

How to remove this vulnerability Jump to the top of this document

For vulnerability detection:

Enable the following checks in the ISS Protection Platform:
TelnetTabBO

For Virtual Patch:

Enable the following checks in the ISS Protection Platform:
Telnet_Excessive_Tabs
Rlogin_Excessive_Tabs
Telnet_Solaris_Forced_Login

Block or restrict the following in the ISS Protection Platform as appropriate to the environment:
Port 23

For Manual Protection:

As a workaround, disable all default terminal communications services and install SSH to eliminate the vulnerability.

As of 12 December 2001, Sun is testing a fix. Sun T-patches are available for this vulnerability; contact your Sun representative for more information. Official Sun patches will soon be available at the SunSolve Security Patches Web site. See References.

IBM AIX versions 4.3 and 5.1 are susceptible to this vulnerability. As of 13 December 2001, IBM has prepared an emergency fix ("efix"), "tsmlogin_efix.tar.Z", available from the IBM Efixes FTP site. See References. The APAR assignment for AIX 5.1 is IY26221, and will be available soon. The APAR for AIX 4.3 is pending, as a new level of 4.3 is nearly available. The README file at the above FTP site will be updated to provide the official fix information and availability.

For Caldera OpenServer 5.0.6a and earlier: Apply the appropriate patch for your system, as listed in Caldera Systems, Inc. Security Advisory CSSA-2001-SCO.40. See References.

For Cisco products running on top of Solaris OS:
Refer to Cisco Security Advisory: Solaris /bin/login Vulnerability for upgrade information. See References.

For other distributions:
Contact your vendor for upgrade or patch information.

References Jump to the top of this document

Internet Security Systems Security Alert #105
Buffer Overflow in /bin/login
http://www.iss.net/xforce/alerts/id/advise105

BugTraq Mailing List, Wed Oct 02 2002 - 11:13:09 CDT
Solaris 2.6, 7, 8
http://archives.neohapsis.com/archives/bugtraq/2002-10/0014.html

Cisco Systems Inc. Security Advisory, 2002 April 10 16:00 (UTC+0000)
Solaris /bin/login Vulnerability
http://www.cisco.com/warp/public/707/Solaris-bin-login.shtml

Sun Microsystems, Inc. Security Bulletin #00213
login
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/213

CIAC Information Bulletin M-031
Buffer Overflow in System V Derived Login
http://www.ciac.org/ciac/bulletins/m-031.shtml

BugTraq Mailing List, Wed Dec 19 2001 - 17:04:59 CST
Linux distributions and /bin/login overflow
http://archives.neohapsis.com/archives/bugtraq/2001-12/0206.html

SGI Security Advisory 20011201-01-I
Buffer Overflow in System V Derived Login
ftp://patches.sgi.com/support/free/security/advisories/20011201-01-I

Caldera International, Inc. Security Advisory CSSA-2001-SCO.40
OpenServer: /bin/login and /etc/getty argument buffer overflow
ftp://stage.caldera.com/pub/security/openserver/CSSA-2001-SCO.40/CSSA-2001-SCO.40.txt

IBM Efixes FTP site
Emergency fix ("efix") for tsmlogin
ftp://aix.software.ibm.com/aix/efixes/security/tsmlogin_efix.tar.Z

Sun SunSolve Security Patches Web site
Recommended and Security Patches
http://sunsolve.sun.com/securitypatch

CERT Advisory CA-2001-34
Buffer Overflow in System V Derived Login
http://www.cert.org/advisories/CA-2001-34.html

Common Vulnerabilities and Exposures
Buffer overflow in login in various System V based operating systems allows remote attackers to execute arbitrary commands via a large number of arguments through services such as telnet and rlogin.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0797

BugTraq
Multiple Vendor System V Derived 'login' Buffer Overflow Vulnerability
http://www.securityfocus.com/bid/3681

BugTraq
Sun Solaris /bin/login Authentication Bypass Vulnerability
http://www.securityfocus.com/bid/5848

BugTraq
RETIRED: Solaris in.telnetd TTYPROMPT Buffer Overflow Vulnerability
http://www.securityfocus.com/bid/5531

Information about this document Jump to the top of this document

The information contained in this document may change without notice, and may have been altered or changed if you have received it from a source other than Internet Security Systems. Use of this information constitutes acceptance for use in an "AS IS" condition, without warranties of any kind, and any use of this information is at the user's own risk. Internet Security Systems disclaims all warranties, either expressed or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Internet Security Systems be liable for any damages whatsoever, including direct, indirect, incidental, consequential or special damages, arising from the use or dissemination hereof, even if Internet Security Systems has been advised of the possibility of such damages.

Copyright © 1997 – 2009 IBM Internet Security Systems. All rights reserved.

This page was created on Thu Jun 11 09:07:13 2009