Buffer Overflow in System V Derived Login
Source: CERT.org
Several applications use login for authentication to the system. A remotely exploitable buffer overflow exists in login derived from System V. Attackers can exploit this vulnerability to gain root access to the server.
Several implementations of login that are derived from System V allow a user to specify arguments such as environment variables to the process. An array of buffers is used to store these arguments. A flaw exists in the checking of the number of arguments accepted. This flaw permits the array of buffers to be overflowed.
On most systems, login is not suid; therefore, it runs as the user who called it. If, however, login is called by an application that runs with greater privileges than those of the user, such as telnetd or rlogind, then the user can exploit this vulnerability to gain the privileges of that program. In the case of telnetd or rlogind, root access is gained.
Since in.telnetd and in.rlogind are available over the network, a remote attacker without any previous access to the system could use this vulnerability to gain root access to the system.
If a program that invokes login is suid (or sgid) USER_A, then this can be exploited to gain the privileges of USER_A.
An exploit exists and may be circulating.
Systems Affected