[iwar] [fc:Buffer.Overflow.in./bin/login]

From: Fred Cohen (fc@all.net)
Date: 2001-12-13 06:32:44



Internet Security Systems Security Advisory
December 12, 2001

Buffer Overflow in /bin/login

Synopsis:

ISS X-Force has discovered a serious vulnerability in the "login"
program present in Sun Solaris systems. Login allows users to sign on to
the system by entering a username and password. This vulnerability
allows remote attackers to execute arbitrary commands on a target system
with superuser privilege. Systems are vulnerable to this issue only if
certain types of interactive connections are allowed, such as Telnet or
Rlogin. These services are enabled by default on most platforms. X-Force
has learned that an exploit for this vulnerability has been made public.

Affected Versions:

Sun Microsystems Solaris 8 and earlier

* Note: Additional SysV derived Unix operating systems may or may not be
affected.

Description:

A static buffer overflow vulnerability is present in the Sun Solaris
implementation of "login", otherwise known as "/bin/login" for its
location in the file system. Login is executed to authenticate remote
users as they initiate clear-text terminal connections over a network.
These types of connections are ubiquitous in modern networked
environments.

Login incorrectly handles long environment variables passed to it by
in.telnetd, in.rlogind, or any other similar daemon that operates in
conjunction with login. No local account or special knowledge of the
target is needed to successfully exploit this vulnerability.

There are secure alternatives to using Telnet and Rlogin that are not
vulnerable to this issue. Secure Shell (SSH) implements encrypted
terminal connections, and it is designed to replace insecure protocols
like Telnet and Rlogin. Recent versions of SSH implement their own
version of the login program, and are not vulnerable. However, some
versions of SSH may be configured to interact with login, and may be
vulnerable in this configuration.

Recommendations:

There is no simple workaround for this issue. However, disabling all
default terminal communications services and installing SSH will
eliminate the vulnerability.
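
The check below is an added example, not part of the ISS advisory or of any Sun tooling. It lists the still-enabled inetd entries that start the two daemons the advisory names (in.telnetd, in.rlogind). It assumes the services are configured in a standard inetd-style file (commonly /etc/inetd.conf); the function names and the sample file are constructed for illustration.

```sh
#!/bin/sh
# Added example: find enabled inetd entries whose server program is one of
# the daemons the advisory says pass environment variables to login.
# Assumption: standard inetd.conf layout, '#' starts a comment, fields are
#   service  socket-type  protocol  wait  user  server-program  args...

# audit_login_services FILE
# Prints "service server-program" for every enabled matching entry.
# Returns 1 if any entry was found, 0 if none, 2 if FILE is unreadable.
audit_login_services() {
    conf=$1
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    awk '
        $1 ~ /^#/ || NF < 6 { next }      # skip comments and short lines
        {
            n = split($6, parts, "/")     # basename of the server program
            prog = parts[n]
            if (prog == "in.telnetd" || prog == "in.rlogind") {
                print $1, $6
                found = 1
            }
        }
        END { exit found + 0 }
    ' "$conf"
}

# Constructed sample configuration, not taken from a real host:
# telnet is enabled, rlogin is already commented out, ftp is unrelated.
sample_inetd_conf() {
    cat <<'EOF'
# constructed sample
telnet  stream  tcp6  nowait  root  /usr/sbin/in.telnetd  in.telnetd
#login  stream  tcp6  nowait  root  /usr/sbin/in.rlogind  in.rlogind
ftp     stream  tcp6  nowait  root  /usr/sbin/in.ftpd     in.ftpd
EOF
}

# Demonstration on the constructed sample.
tmp=$(mktemp) && sample_inetd_conf > "$tmp"
audit_login_services "$tmp" || echo "login-invoking services still enabled"
rm -f "$tmp"
```

An empty result only covers the two daemons named in the advisory; any other daemon that hands connections to login has to be reviewed separately.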

ISS X-Force urges that all vulnerable machines are patched as soon as
the vendor releases these updates. This advisory is being released
before patches are available, because the exploit for this vulnerability
has been made public.

Sun Microsystems, Inc.
Sun has reproduced the vulnerability and is testing a fix. Sun T-patches
are now available for this vulnerability. Official patches will soon be
available at the following location:
http://sunsolve.sun.com/securitypatch

ISS RealSecure Network Sensor customers are currently protected from
this vulnerability. Support for this issue was included in X-Press
Update version 3.3 as the "TelnetExcessiveTabs" signature. This
signature will be included in the next RealSecure Server Sensor.

ISS Internet Scanner X-Press Update 6.1 for Internet Scanner version
6.2.1 included support for this issue with the TelnetTabBO check.

ISS BlackICE customers are protected from this vulnerability by the
"2000902 Telnet login name overflow" signature.

Additional Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2001-0797 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

ISS X-Force Database,
http://xforce.iss.net/static/7284.php

CERT Vulnerability note,
http://www.kb.cert.org/vuls/id/569272

CERT Advisory,
http://www.cert.org/advisories/CA-2001-34.html

Credits:

This vulnerability was discovered and researched by Mark Dowd of the ISS
X-Force. Internet Security Systems would like to thank Sun Microsystems
and CERT for their prompt response and handling of this vulnerability.

______

About Internet Security Systems (ISS)
Internet Security Systems is a leading global provider of security
management solutions for the Internet, protecting digital assets and
ensuring safe and uninterrupted e-business. With its industry-leading
intrusion detection and vulnerability assessment, remote managed
security services, and strategic consulting and education offerings, ISS
is a trusted security provider to more than 9,000 customers worldwide
including 21 of the 25 largest U.S. commercial banks, the top 10 U.S.
telecommunications companies, and all major branches of the U.S. Federal
Government. Founded in 1994, ISS is headquartered in Atlanta, GA, with
additional offices throughout North America and international operations
in Asia, Australia, Europe, Latin America and the Middle East. For more
information, visit the Internet Security Systems web site at www.iss.net
or call 888-901-7477.

Copyright (c) 2001 Internet Security Systems, Inc. All rights reserved
worldwide.

Permission is hereby granted for the redistribution of this Alert
electronically. It is not to be edited in any way without express
consent of the X-Force. If you wish to reprint the whole or any part
of this Alert in any other medium excluding electronic medium, please
e-mail xforce@iss.net
for permission.

Disclaimer

The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are NO warranties with regard to this information. In no event shall the
author be liable for any damages whatsoever arising out of or in
connection with the use or spread of this information. Any use of this
information is at the user's own risk.

X-Force PGP Key available at: http://xforce.iss.net/sensitive.php 
as well as on MIT's PGP key server and PGP.com's key server.

------------------
http://all.net/ 