Privacy and Legal Notice

CIAC INFORMATION BULLETIN

E-26: UNIX /bin/login Vulnerability

May 23, 1994 0700 PDT 

PROBLEM:    A vulnerability exists in /bin/login on some UNIX platforms.
PLATFORMS:  IBM AIX 3 systems, Linux, possibly other UNIX systems.
DAMAGE:     Local and remote users can obtain unauthorized access to any
            account, including root.
SOLUTION:   Apply patches or workarounds described below.


VULNERABILITY  This vulnerability has been widely discussed in detail on
ASSESSMENT:    Internet mailing lists and newsgroups and a simple one line
               exploitation script is being distributed.  CIAC strongly
               advises that this vulnerability be patched IMMEDIATELY.

Critical Information about the UNIX /bin/login Vulnerability

CIAC has learned of a vulnerability in the UNIX /bin/login program. This vulnerability potentially affects all IBM AIX 3 systems, Linux systems, and perhaps other UNIX platforms as well. Information available at the time of this advisory's publication indicates that only IBM AIX 3 and Linux systems are at risk.

IBM AIX information

Current information indicates that the IBM AIX vulnerability applies only to remote access.

IBM is currently developing an official fix. Until the official fix is available from IBM, CIAC recommends immediate application of the workaround or installation of the emergency fix described here.

Workaround:

The recommended workaround is to disable the rlogin daemon by performing the following three steps:

  1. As root, edit /etc/inetd.conf and comment out the line 'login ... rlogin'
  2. Run 'inetimp'
  3. Run 'refresh -s inetd'

Emergency Fix:

IBM's emergency fix for the different levels of AIX 3 affected by this vulnerability is available via anonymous FTP from software.watson.ibm.com in the file /pub/rlogin/rlogin.tar.Z. Installation instructions are included in the README file which is included in rlogin.tar.Z. Checksum information for rlogin.tar.Z is included in the chart below. 

  BSD: 25285 317
  SystemV: 13021 633
  MD5: 803ee38c2e3b8c8c575e2ff5e921034c

Official Fix:

IBM is working on an official fix; it can be ordered as APAR IX44254. To order an APAR from IBM in the U.S., call 1-800-237-5511 and ask IBM to ship it as soon as it is available. According to IBM, this fix will be available in approximately two weeks. APARs may be obtained outside the U.S. by contacting your local IBM representative.

Linux information

Current information indicates that the Linux vulnerability applies to both remote and local access.

Remote access fix:

A patch that addresses the remote access problem has been made available via anonymous FTP from sunsite.unc.edu in the directory /pub/Linux/system/Network/sunacm/URGENT. This patch is found in the file security.tgz, with the associated file README.security. Note that security.tgz includes other security fixes in addition to the /bin/login patch. Checksum information for both of these files is included below. 

  README.security:                       security.tgz:
  BSD: 09575 1                           BSD: 32878 257 
  SystemV: 20945 1                       SystemV: 40797 513
  MD5: 41d14d7b8725c7a1015adeb49601619b  MD5: dd4585cf4da1b52d25d619bf45f55b75

Local access fix:

To address the local access problem, CIAC encourages installation of a version of /bin/login that does not allow the -f option in the form "-f<user>". The recommended version should only allow this option in the form "-f <user>", with a space to indicate two arguments. At the time of this bulletin's publication, CIAC does not know which versions of login.c are vulnerable. As CIAC and other FIRST teams receive additional information, the CA-94:09.README file will be updated. Again, we encourage you to check this README file regularly for updates. If you find a version of Linux which contains the login access vulnerability, please contact CIAC.

Other vendor information

The CERT Coordination Center (CERT/cc) has provided CIAC with the file CA-94:09.README, which lists the vendors who have responded to inquiries involving this vulnerability and the status of their investigations into this problem. This file is included with this advisory as an appendix. As additional information is received relating to this advisory, the CERT/cc will place it, along with any clarifications, in the README file available via anonymous FTP from info.cert.org. CIAC encourages you to check the README file regularly for updates that relate to your UNIX operating system.

Note: md5 checksum utility is available via anonymous FTP from CIAC's server irbis.llnl.gov (soon to be renamed ciac.llnl.gov) as md5.tar in directory /pub/util/crypto.

CIAC thanks the CERT Coordination Center for the information provided in this advisory.
CIAC services are available to DOE, DOE Contractors, and the NIH. CIAC can be contacted at: 
    Voice:          +1 925-422-8193 (7 x 24)
    FAX:            +1 925-423-8002
    STU-III:        +1 925-423-2604
    E-mail:          ciac@ciac.org
    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org
This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes.
UCRL-MI-119788
[Privacy and Legal Notice]