Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!

TUCoPS :: Unix :: General :: login_ex.txt

A Nasty buffer overflow problem, likely exploitable

From the-concourse-on-high Sun Dec 22 21:44:11 1996

Pale-Mute-White-Guy-Version: 1.0
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Approved-By:  Joe Zbiciak <im14u2c@CEGT201.BRADLEY.EDU>
Message-ID:  <>
Date:         Sun, 22 Dec 1996 09:27:24 -0600
Reply-To: Joe Zbiciak <>
Sender: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
From: Joe Zbiciak <>
Subject:      Buffer overflow in Linux's login program
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>

Hello all,

I was browsing through my local copy of the util-linux-2.[56] sources
and found a very nasty buffer-overflow problem.  Although I haven't
written an exploit (no time--moving from Illinois to Texas), it appears
that the standard stack-smashing techniques should prove workable.

The "login" program checks the username length when the user is asked
to type in the login name.  However, if the user *provides* a login
name with the "-f" flag, no such check is made.  I can successfully
get a segv with my binary with just over 1064 characters pushed into
-f's argument.

Here's a short diff which patches the problem:

<               (void)strcpy(tbuf, username);
>               (void)strncpy(tbuf, username, sizeof(tbuf)-2);
>               tbuf[sizeof(tbuf)-1]=0;

Interim fix:  remove SUID bit on /bin/login:  chmod a-s /bin/login

Long-term fix:  download util-linux-2.6, and apply the above patch.

Basically, by removing the SUID bit on /bin/login, users won't be able
to re-login by typing "exec login .........", and also won't be able
to compromise your host.  Normal login/logout should still work.  (Tried
it on my own systems, works just fine.)

I do not know if this is remotely exploitable.  My guess is not; however,
my common sense tells me not to discount this likelihood.

I am CC'ing this to the util-linux maintainer.


:======= Joe Zbiciak =======:
:- - - -:         "An ounce of image is worth
: - - - - - http: - - - - - :          a pound of performance."
:======= DISCLAIMER: =======:                  -- Laurence J. Peter
:   It's all right... -  - --
-- -  -   I didn't do it!   :
(550:835 11:15)

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2015 AOH