rlogin authentication bug

Aleph One (aleph1@DFW.NET)
Wed, 01 Oct 1997 10:32:21 -0500

---------- Forwarded message ----------
Date: Tue, 30 Sep 1997 11:03:05 -0500
From: "Jacob A. Langford" <langford@karman.tam.uiuc.edu>
To: linux-security@redhat.com
Subject: [linux-security] rlogin authentication bug

Hi,

I have discovered a bug in the rhost module of Linux-PAM-0.57. This
bug leads to a vulnerability in the remote login authentication, with
the effect that ordinary user accounts may not be password protected.

There is only one case when the bug causes a vulnerability:

The problem case is when the user's .rhost file has the name of a machine
with *more than one IP address* as the *final* entry.

To be explicit, here are two example .rhost files: One of them
leaves an account wide open, the other does not.

CAUSES PROBLEMS          DOES NOT CAUSE PROBLEMS
----------------         -----------------------
karman.tam.uiuc.edu      vn.nas.nasa.gov
vn.nas.nasa.gov          karman.tam.uiuc.edu

Note that vn.nas.nasa.gov has two IP addresses. Thus, as the final
entry of a .rhost file, it leaves the user's account wide open, i.e.
any other user of the same name can log in to that account from any
machine without a password.

The problem is in the rhost module of PAM. The module calls
gethostbyname() in two locations, once for the connecting machine,
then once for each named entry in the .rhosts file. The call returns
a structure with a pointer to a list of IP addresses stored as unsigned
longs. Since there may be multiple IP addresses, the PAM code uses a
while loop over the addresses of the connecting machine, then another
while loop over the addresses of the machines named in .rhosts.
These while loops are terminated by a null pointer in the address list.
Apparently gethostbyname does not allocate new memory for the unsigned
longs each time it is called. Thus the calls to gethostbyname() for
the .rhosts entries clobber the subsequent IP addresses of the connecting
machine. If the final .rhost entry is a name with multiple IP addresses,
the null terminator gets replaced with the second IP address of the
final entry in the .rhost file. The second iteration of the while loop
on the connecting machine now sets the IP number of the connecting machine
to the IP number of the final entry in the .rhosts file. A match follows
and the account is open.

WHO IS AFFECTED?

Unfortunately, the effects of this vulnerability reach beyond the Linux
community. For example, users named langford have been able to walk
into my Linux account for months. From that Linux account, user langford
could freely rlogin to other departmental machines and NASA government
machines. In particular, administrators of sites with multiple IP
addresses might consider disabling rlogin access to their machines, with
the understanding that not all Linux users will fix the rlogin problem
immediately.

HOW TO FIX IT?

I removed the loop that goes over IP numbers of the connecting machine.
IMO this is not particularly important. The only case is if I have a .rhost
entry by IP number, not name, of a machine I connect *from* with multiple
IP addresses. If I refer to the connecting machine by *name* in the .rhost
file, the remaining while loop takes care of everything for me. One of the
IP addresses will still match. For me this fix is suitable, although I
hope someone can fix the PAM module in a better way.
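The clobbering described in the mechanism paragraph and the copy-first repair sketched in the fix section, as an added model that is not Linux-PAM's code: a constructed resolver whose address list lives in one static buffer, the buggy loop shape that keeps walking that buffer while later lookups overwrite it, and a fixed version that copies the connecting host's addresses before resolving any .rhosts entry. The host names and addresses are constructed sample data.

```c
#include <stdint.h>
#include <string.h>
/* Constructed stand-in for the resolver: its address list lives in ONE static
 * buffer that every call overwrites, the property the post blames. */
typedef struct { const char *name; uint32_t addrs[3]; } host_t; /* 0-terminated */
static const host_t hosts[] = {                            /* constructed data */
    { "karman.tam.uiuc.edu", { 0x0A000001, 0, 0 } },          /* 10.0.0.1 */
    { "vn.nas.nasa.gov",     { 0x0A000002, 0x0A000003, 0 } }, /* two addresses */
    { "attacker.example",    { 0x0A000063, 0, 0 } },          /* 10.0.0.99 */
};
static uint32_t static_list[4];
static uint32_t *fake_gethostbyname(const char *name) {
    for (size_t i = 0; i < sizeof hosts / sizeof hosts[0]; i++)
        if (strcmp(hosts[i].name, name) == 0) {
            memcpy(static_list, hosts[i].addrs, sizeof hosts[i].addrs);
            return static_list;
        }
    return NULL;
}
/* Does any address of the .rhosts entry equal raddr? (used by both versions) */
static int entry_matches(const char *entry, uint32_t raddr) {
    for (uint32_t *a = fake_gethostbyname(entry); a && *a; a++)
        if (*a == raddr) return 1;
    return 0;
}
/* Buggy shape: the outer loop walks the resolver's static buffer while the
 * inner lookups overwrite it.  Returns 1 when rhost is accepted. */
int rhosts_ok_buggy(const char *rhost, const char *const *rhosts, size_t n) {
    uint32_t *conn = fake_gethostbyname(rhost);
    while (conn && *conn) {
        uint32_t raddr = *conn++;      /* conn still aliases static_list */
        for (size_t i = 0; i < n; i++)
            if (entry_matches(rhosts[i], raddr)) return 1;
    }
    return 0;
}
/* Fixed shape: copy the connecting host's addresses out before any further
 * lookup can clobber them, then compare against the private copy. */
int rhosts_ok_fixed(const char *rhost, const char *const *rhosts, size_t n) {
    uint32_t mine[4] = {0};
    uint32_t *conn = fake_gethostbyname(rhost);
    if (!conn) return 0;
    memcpy(mine, conn, sizeof mine);
    for (size_t k = 0; mine[k]; k++)
        for (size_t i = 0; i < n; i++)
            if (entry_matches(rhosts[i], mine[k])) return 1;
    return 0;
}
/* The post's two .rhosts files (constructed): only the first opens the account. */
const char *const RHOSTS_BAD[]  = { "karman.tam.uiuc.edu", "vn.nas.nasa.gov" };
const char *const RHOSTS_GOOD[] = { "vn.nas.nasa.gov", "karman.tam.uiuc.edu" };
```

With the buggy loop, an unrelated host is accepted by RHOSTS_BAD but not by RHOSTS_GOOD, reproducing the post's table; the fixed loop rejects it in both cases while still accepting a host that is genuinely listed.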

Until the PAM module is updated, users should check that the last entry
of their .rhost file only has one IP address. They can use the command
nslookup, for example.

Jacob Langford
langford@uiuc.edu

--
----------------------------------------------------------------------
Please refer to the information about this list as well as general
information about Linux security at http://www.aoy.com/Linux/Security.
----------------------------------------------------------------------