From: Janne Snabb
To: freebsd-security@freebsd.org
Date: Tue, 10 Aug 2010 15:25:42 +0000 (UTC)
Subject: Re: ~/.login_conf mechanism is flawed

On Tue, 10 Aug 2010, Janne Snabb wrote:

> Looks like the per-user login capability database (~/.login_conf,
> ~/.login_conf.db) functionality is creating a vulnerability.

Attached is a temporary workaround for anyone who is worried about this problem. It disables per-user login capability databases completely. Only the system wide /etc/login.conf is used. Do not apply the patch if you need per-user login capabilities.

This should work on 8.1-RELEASE, most likely on some other releases as well. I did not find any references to the evil ~/.login_conf{,.db} anywhere else in the source except in lib/libutil/login_cap.c.

1. Save the attached login_cap.c.diff in /tmp
2. cd /usr/src/lib/libutil
3. patch < /tmp/login_cap.c.diff
4. make
5. make install
6. re-start any affected daemons:
   /etc/rc.d/sshd restart
   /etc/rc.d/ftpd restart

The relevant files are /lib/libutil.* and /usr/lib/libutil.* if you build on one machine and distribute binaries to others. Re-start the relevant daemons at each machine after updating the libutil libraries.

--
Janne Snabb / EPIPE Communications
snabb@epipe.com - http://epipe.com/

[Attachment: login_cap.c.diff]
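
An added example, not part of the original message or of FreeBSD: a POSIX sh function that lists which accounts have a ~/.login_conf or ~/.login_conf.db, so an administrator can see whether anyone depends on per-user login capabilities before applying the workaround above. The function names, the output format and the sample accounts are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original message. Lists accounts that have a
# per-user login capability database (~/.login_conf or ~/.login_conf.db).

# find_user_login_conf PASSWD_FILE   (hypothetical helper name)
# PASSWD_FILE uses the 7-field passwd(5) layout. Prints one line per hit:
#   user <TAB> uid <TAB> path <TAB> kind   (kind: file, symlink or other)
find_user_login_conf() {
    while IFS=: read -r name _pw uid _gid _gecos home _shell; do
        case $name in ''|'#'*) continue ;; esac    # skip blanks and comments
        case $home in /*) ;; *) continue ;; esac   # absolute home dirs only
        for f in .login_conf .login_conf.db; do
            path=$home/$f
            # Test -L first: -f and -e follow symlinks and would hide them.
            if [ -L "$path" ]; then kind=symlink
            elif [ -f "$path" ]; then kind=file
            elif [ -e "$path" ]; then kind=other
            else continue
            fi
            printf '%s\t%s\t%s\t%s\n' "$name" "$uid" "$path" "$kind"
        done
    done < "$1"
}

# Constructed sample: throwaway passwd file and home tree, not real accounts.
make_sample() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/home/alice" "$root/home/bob" "$root/home/carol"
    : > "$root/home/alice/.login_conf"
    ln -s /etc/login.conf "$root/home/carol/.login_conf.db"
    cat > "$root/passwd" <<EOF
# constructed sample accounts
alice:*:1001:1001:Alice:$root/home/alice:/bin/sh
bob:*:1002:1002:Bob:$root/home/bob:/bin/sh
carol:*:1003:1003:Carol:$root/home/carol:/bin/sh
EOF
    printf '%s\n' "$root"
}

# With an argument, scan that passwd file; without one, run the sample.
if [ "$#" -gt 0 ]; then
    find_user_login_conf "$1"
else
    sample=$(make_sample) && find_user_login_conf "$sample/passwd"
    [ -n "$sample" ] && rm -rf "$sample"
fi
```

On a real host, pass /etc/passwd as the argument and run it as root so that every home directory is readable.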