From owner-freebsd-security Tue Aug 13 00:54:42 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id AAA28500 for security-outgoing; Tue, 13 Aug 1996 00:54:42 -0700 (PDT)
Received: from atena.eurocontrol.fr (atena.uneec.eurocontrol.fr [147.196.69.10]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id AAA28495 for ; Tue, 13 Aug 1996 00:54:39 -0700 (PDT)
Received: by atena.eurocontrol.fr; (5.65v3.2/1.3/10May95) id AA17465; Tue, 13 Aug 1996 09:54:37 +0200
Received: from mozart.eurocontrol.fr by eurocontrol.fr with ESMTP (1.37.109.16/16.2) id AA198942528; Tue, 13 Aug 1996 09:48:48 +0200
Message-Id: <199608130748.AA198942528@euro.eurocontrol.fr>
Received: by mozart.eurocontrol.fr (1.37.109.16/16.2) id AA130732527; Tue, 13 Aug 1996 09:48:47 +0200
Date: Tue, 13 Aug 1996 09:48:47 +0200
From: ollivier.robert@eurocontrol.fr (Ollivier Robert)
To: freebsd-security@freebsd.org
Subject: Re: SECURITY: LSF Update#11: Vulnerability of rlogin
X-Mailer: Mutt 0.39
Mime-Version: 1.0
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

We are vulnerable. I've just looked at rlogin.c.

------- start of forwarded message -------
From: deraadt@theos.com (Theo de Raadt)
Newsgroups: comp.os.linux.networking,comp.security.unix
Subject: Re: SECURITY: LSF Update#11: Vulnerability of rlogin
Date: 10 Aug 1996 17:37:06 GMT

In article Olaf Titz writes:
Alexander O. Yuriev wrote:
> A vulnerability exists in the rlogin program of NetKitB-0.6
> This vulnerability affects several widely used Linux
> distributions, including RedHat Linux 2.0, 2.1 and derived
> systems including Caldera Network Desktop, Slackware 3.0 and
> others. This vulnerability is not limited to Linux or any
> other free UNIX systems.
Both the information about this *Big sigh* Now it has finally come that the Linux community puts out security bulletins in exact CERT style which give no information on what is wrong, no information on how to check whether the own system is affected, and no source patches. :-(

Yeah, that sucks. Full disclosure makes sure no group misses fixing the problem.

There's been a lot of bugs in system utilities of late. A bunch of people have been looking closely. There's exploitable buffer overflows all over the place.

The problem is a buffer overflow of a dynamic buffer in main() using the environment variable TERM. If your rlogin.c sources have strcpy() in them you probably have the bug.

Here's one way to fix it; this patch is from OpenBSD. It also truncates the passed buffer to 64 so that rlogind will never see an overlong string (in which case it won't see the baud rate), and tries not to pass a truncated baud rate spec to the remote end (ie. 1920 instead of 19200.)

Index: rlogin.c =================================================================== RCS file: /cvs/src/usr.bin/rlogin/rlogin.c,v retrieving revision 1.3 retrieving revision 1.5 diff -b -c -r1.3 -r1.5 *** rlogin.c 1996/04/17 07:15:21 1.3 --- rlogin.c 1996/06/20 03:19:22 1.5 *************** *** 156,162 **** struct termios tty; long omask; int argoff, ch, dflag, one, uid; ! char *host, *p, *user, term[1024]; argoff = dflag = 0; one = 1; --- 156,162 ---- struct termios tty; long omask; int argoff, ch, dflag, one, uid; ! char *host, *p, *user, term[64]; argoff = dflag = 0; one = 1; *************** *** 256,265 **** exit(1); } ! (void)strcpy(term, (p = getenv("TERM")) ? p : "network"); if (tcgetattr(0, &tty) == 0) { ! (void)strcat(term, "/"); ! (void)sprintf(term + strlen(term), "%d", cfgetospeed(&tty)); } (void)get_window_size(0, &winsize); --- 256,275 ---- exit(1); } ! (void)strncpy(term, (p = getenv("TERM")) ? p : "network", ! sizeof(term) - 1); ! term[sizeof(term) - 1] = '\0'; ! ! /* ! 
* Add "/baud" only if there is room left; ie. do not send "/19" ! * for 19200 baud with a particularily long $TERM ! */ if (tcgetattr(0, &tty) == 0) { ! char baud[20]; /* more than enough.. */ ! ! (void)sprintf(baud, "/%d", cfgetospeed(&tty)); ! if (strlen(term) + strlen(baud) < sizeof(term) - 1) ! (void)strcat(term, baud); } (void)get_window_size(0, &winsize); -- This space not left unintentionally unblank. deraadt@theos.com ------- end of forwarded message ------- -- Ollivier ROBERT -=- Eurocontrol EEC/TIS -=- Ollivier.Robert@eurocontrol.fr
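Review bot: the first hunk's shrink from `term[1024]` to `term[64]` is only safe because the copy in the second hunk is bounded by `sizeof(term)`; a named constant with a comment (for example `#define TERMSZ 64 /* longest TERM/baud string sent to rlogind */`) would make that coupling visible so that a later edit does not reintroduce a fixed-size buffer fed by an unbounded `strcpy()`.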
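Review bot: in the second hunk `(void)sprintf(baud, "/%d", cfgetospeed(&tty));` passes a `speed_t` to a `%d` conversion, which is undefined where `speed_t` is not `int`-sized; cast it explicitly and bound the write: `(void)snprintf(baud, sizeof(baud), "/%d", (int)cfgetospeed(&tty));`. The rest of the hunk is right: `strncpy` with `sizeof(term) - 1` plus the explicit `term[sizeof(term) - 1] = '\0'` closes the overflow, and the `strlen(term) + strlen(baud) < sizeof(term) - 1` guard keeps a truncated rate from ever being sent (it is one byte stricter than needed, which is harmless).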
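The bounded construction the OpenBSD patch describes, written out as a stand-alone C function with its edge cases checked. This is an added example, not the rlogin source or the patch itself: the baud rate is passed in as a plain integer instead of being read with cfgetospeed(), the 64-byte buffer mirrors the patched term[64], and the overlong TERM values are constructed test input.

```c
#include <stdio.h>
#include <string.h>

/* Destination size, matching the patched rlogin's term[64]. */
#define TERM_BUFSZ 64

/*
 * Build the "TERM/baud" string rlogin hands to the remote side, bounded
 * the way the OpenBSD patch does it:
 *   - copy at most termsz-1 bytes of $TERM ("network" if unset) and always
 *     NUL-terminate, so an overlong TERM is truncated instead of overflowing;
 *   - append "/<baud>" only when the whole suffix fits, so the remote end
 *     never sees a truncated rate such as "/19" for 19200.
 * Returns 1 if the baud suffix was appended, 0 if it was left off.
 * Added example: baud is a plain integer here rather than the speed_t that
 * cfgetospeed() returns in the real program.
 */
int build_term_string(const char *term_env, long baud, char *term, size_t termsz)
{
    char baudstr[24];               /* "/" + up to 20 digits + NUL */

    if (termsz == 0)
        return 0;

    (void)strncpy(term, term_env ? term_env : "network", termsz - 1);
    term[termsz - 1] = '\0';        /* strncpy does not guarantee termination */

    (void)snprintf(baudstr, sizeof(baudstr), "/%ld", baud);
    if (strlen(term) + strlen(baudstr) < termsz - 1) {
        (void)strcat(term, baudstr);
        return 1;
    }
    return 0;
}

/* Constructed input: a TERM value of n 'A' characters (capped to the buffer). */
static void make_term_of_width(size_t n, char *buf, size_t bufsz)
{
    if (n > bufsz - 1)
        n = bufsz - 1;
    memset(buf, 'A', n);
    buf[n] = '\0';
}

/* Length of the bounded result for an n-character TERM at the given baud. */
size_t term_len_for_width(size_t n, long baud)
{
    char env[200], term[TERM_BUFSZ];
    make_term_of_width(n, env, sizeof(env));
    (void)build_term_string(env, baud, term, sizeof(term));
    return strlen(term);
}

/* 1 if the baud suffix still fits for an n-character TERM, else 0. */
int term_has_baud_for_width(size_t n, long baud)
{
    char env[200], term[TERM_BUFSZ];
    make_term_of_width(n, env, sizeof(env));
    return build_term_string(env, baud, term, sizeof(term));
}

/* 1 if building from term_env/baud yields exactly the expected string. */
int term_string_equals(const char *term_env, long baud, const char *expected)
{
    char term[TERM_BUFSZ];
    (void)build_term_string(term_env, baud, term, sizeof(term));
    return strcmp(term, expected) == 0;
}

int main(void)
{
    char term[TERM_BUFSZ];

    (void)build_term_string("vt100", 19200, term, sizeof(term));
    printf("short TERM  : %s\n", term);
    printf("57-char TERM: %zu bytes, baud appended = %d\n",
           term_len_for_width(57, 19200), term_has_baud_for_width(57, 19200));
    printf("500-char TERM: %zu bytes, baud appended = %d\n",
           term_len_for_width(500, 19200), term_has_baud_for_width(500, 19200));
    return 0;
}
```

The two conditions in build_term_string are the whole fix: the copy can never write past the buffer whatever $TERM contains, and the rate is either sent whole or not at all. A 56-character TERM still gets "/19200" appended (62 bytes fit), a 57-character one does not, and anything longer is cut to 63 bytes with no suffix, which is the behaviour the patch's comment describes.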