Date: Tue, 13 Aug 1996 09:48:47 +0200
From: ollivier.robert@eurocontrol.fr (Ollivier Robert)
To: freebsd-security@freebsd.org
Subject: Re: SECURITY: LSF Update#11: Vulnerability of rlogin
Message-ID: <199608130748.AA198942528@euro.eurocontrol.fr>
We are vulnerable. I've just looked at rlogin.c.
------- start of forwarded message -------
From: deraadt@theos.com (Theo de Raadt)
Newsgroups: comp.os.linux.networking,comp.security.unix
Subject: Re: SECURITY: LSF Update#11: Vulnerability of rlogin
Date: 10 Aug 1996 17:37:06 GMT
In article <dvvuyl.g3f@bigred.inka.de> Olaf Titz <olaf@bigred.inka.de> writes:
Alexander O. Yuriev <linux-security@tarsier.cv.nrao.edu> wrote:
> A vulnerability exists in the rlogin program of NetKitB-0.6
> This vulnerability affects several widely used Linux
> distributions, including RedHat Linux 2.0, 2.1 and derived
> systems including Caldera Network Desktop, Slackware 3.0 and
> others. This vulnerability is not limited to Linux or any
> other free UNIX systems. Both the information about this
*Big sigh*
Now it has finally come that the Linux community puts out security
bulletins in exact CERT style which give no information on what is
wrong, no information on how to check whether the own system is
affected, and no source patches.
:-(
Yeah, that sucks. Full disclosure makes sure no group misses fixing
the problem. There's been a lot of bugs in system utilities of late.
A bunch of people have been looking closely. There's exploitable
buffer overflows all over the place.
The problem is a buffer overflow of a dynamic buffer in main() using
the environment variable TERM. If your rlogin.c sources have strcpy()
in them you probably have the bug.
Here's one way to fix it; this patch is from OpenBSD. It also
truncates the passed buffer to 64 so that rlogind will never see an
overlong string (in which case it won't see the baud rate), and tries
not to pass a truncated baud rate spec to the remote end (ie. 1920
instead of 19200.)
Index: rlogin.c
===================================================================
RCS file: /cvs/src/usr.bin/rlogin/rlogin.c,v
retrieving revision 1.3
retrieving revision 1.5
diff -b -c -r1.3 -r1.5
*** rlogin.c 1996/04/17 07:15:21 1.3
--- rlogin.c 1996/06/20 03:19:22 1.5
***************
*** 156,162 ****
struct termios tty;
long omask;
int argoff, ch, dflag, one, uid;
! char *host, *p, *user, term[1024];
argoff = dflag = 0;
one = 1;
--- 156,162 ----
struct termios tty;
long omask;
int argoff, ch, dflag, one, uid;
! char *host, *p, *user, term[64];
argoff = dflag = 0;
one = 1;
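Review bot: the new size on the `! char *host, *p, *user, term[64];` line is a bare magic number; give it a name (e.g. a `#define` for the terminal-string length) or a one-line comment saying it matches what rlogind will accept, since that rationale only lives in the cover text. Note also that shrinking the buffer does nothing for safety on its own; with the unchanged `strcpy()` this hunk alone would make the overflow easier, so it must not be applied without the second hunk.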
***************
*** 256,265 ****
exit(1);
}
! (void)strcpy(term, (p = getenv("TERM")) ? p : "network");
if (tcgetattr(0, &tty) == 0) {
! (void)strcat(term, "/");
! (void)sprintf(term + strlen(term), "%d", cfgetospeed(&tty));
}
(void)get_window_size(0, &winsize);
--- 256,275 ----
exit(1);
}
! (void)strncpy(term, (p = getenv("TERM")) ? p : "network",
! sizeof(term) - 1);
! term[sizeof(term) - 1] = '\0';
!
! /*
! * Add "/baud" only if there is room left; ie. do not send "/19"
! * for 19200 baud with a particularily long $TERM
! */
if (tcgetattr(0, &tty) == 0) {
! char baud[20]; /* more than enough.. */
!
! (void)sprintf(baud, "/%d", cfgetospeed(&tty));
! if (strlen(term) + strlen(baud) < sizeof(term) - 1)
! (void)strcat(term, baud);
}
(void)get_window_size(0, &winsize);
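Review bot: the room check `if (strlen(term) + strlen(baud) < sizeof(term) - 1)` is one byte stricter than it needs to be: `strcat()` needs `strlen(term) + strlen(baud) + 1 <= sizeof(term)`, i.e. `< sizeof(term)`, so a string that exactly fills the buffer is rejected. That errs on the safe side, so it is fine to keep, but a comment saying so would stop the next reader from "fixing" it. The `strncpy()` plus explicit `term[sizeof(term) - 1] = '\0';` is the right idiom, since `strncpy()` does not terminate on truncation. Minor: the comment spells "particularily"; should be "particularly".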
--
This space not left unintentionally unblank. deraadt@theos.com
------- end of forwarded message -------
--
Ollivier ROBERT -=- Eurocontrol EEC/TIS -=- Ollivier.Robert@eurocontrol.fr
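As an added illustration (not code from the OpenBSD patch or from rlogin itself), here is the patched logic lifted into a stand-alone function so its two behaviours can be checked without a tty: $TERM is copied with an explicit length and NUL, and the "/baud" suffix is appended only when it fits whole, so the remote end never sees a clipped rate such as "/19". `build_term`, `would_overflow`, `unpatched_length` and `TERMLEN` are hypothetical names chosen for this example; the speed is passed in as a number instead of calling `cfgetospeed()`, and `snprintf()` is used where the patch uses `sprintf()`.

```c
#include <stdio.h>
#include <string.h>

#define TERMLEN 64  /* same size as the patched term[64] */

/*
 * Build the "term/baud" string the way the patched rlogin does.
 * Returns 1 if the "/baud" suffix was appended, 0 if it was dropped
 * because it would not fit whole.  The result is always NUL-terminated
 * and never longer than termlen - 1 characters.
 */
int build_term(char *term, size_t termlen, const char *env_term, long speed)
{
    char baud[20];  /* "/" + any long + NUL fits comfortably */

    /* strncpy() does not terminate on truncation, so terminate by hand. */
    strncpy(term, env_term ? env_term : "network", termlen - 1);
    term[termlen - 1] = '\0';

    (void)snprintf(baud, sizeof(baud), "/%ld", speed);

    /* Same test as the patch: append only if the whole suffix fits. */
    if (strlen(term) + strlen(baud) < termlen - 1) {
        strcat(term, baud);
        return 1;
    }
    return 0;
}

/* Bytes (NUL included) the unpatched strcpy/strcat/sprintf sequence would write. */
size_t unpatched_length(const char *env_term, long speed)
{
    char baud[20];

    (void)snprintf(baud, sizeof(baud), "/%ld", speed);
    return strlen(env_term ? env_term : "network") + strlen(baud) + 1;
}

/* 1 if the unpatched code would write past a buffer of termlen bytes. */
int would_overflow(const char *env_term, long speed, size_t termlen)
{
    return unpatched_length(env_term, speed) > termlen;
}

int main(void)
{
    char term[TERMLEN];
    char longterm[101];  /* constructed: a 100-character $TERM value */

    memset(longterm, 'x', sizeof(longterm) - 1);
    longterm[sizeof(longterm) - 1] = '\0';

    build_term(term, sizeof(term), "vt100", 19200);
    printf("vt100    -> \"%s\"\n", term);

    build_term(term, sizeof(term), longterm, 19200);
    printf("100 x's  -> %zu chars, baud %s\n", strlen(term),
           strstr(term, "/") ? "kept" : "dropped");

    printf("unpatched code overflows term[%d] with 100 x's: %s\n", TERMLEN,
           would_overflow(longterm, 19200, TERMLEN) ? "yes" : "no");
    return 0;
}
```

The second call shows the patched behaviour on an overlong $TERM: the copy stops at 63 characters and the baud suffix is dropped entirely rather than clipped, while `would_overflow()` reports that the original `strcpy()` sequence would have written 107 bytes into a 64-byte buffer.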
