Buffer Overflow in System V Derived Login

posted onDecember 13, 2001
by hitbsecnews

Source: CERT.org

Several applications use login for authentication to the system. A remotely exploitable buffer overflow exists in login derived from System V. Attackers can exploit this vulnerability to gain root access to the server.

Several implementations of login that are derived from System V allow a user to specify arguments such as environment variables to the process. An array of buffers is used to store these arguments. A flaw exists in the checking of the number of arguments accepted. This flaw permits the array of buffers to be overflowed.

On most systems, login is not suid; therefore, it runs as the user who called it. If, however, login is called by an application that runs with greater privileges than those of the user, such as telnetd or rlogind, then the user can exploit this vulnerability to gain the privileges of that program. In the case of telnetd or rlogind, root access is gained.

Since in.telnetd and in.rlogind are available over the network, a remote attacker without any previous access to the system could use this vulnerability to gain root access to the system.

If a program that invokes login is suid (or sgid) USER_A, then this can be exploited to gain the privileges of USER_A.

An exploit exists and may be circulating.

Systems Affected

  • IBM AIX versions 4.3 and 5.1
  • Hewlett-Packard's HP-UX
  • SCO OpenServer 5.0.6 and earlier
  • SGI IRIX 3.x
  • Sun Solaris 8 and earlier

    • Source

    Tags

    Networking

    You May Also Like

    Other Articles In This Section

    Recent News

    Tuesday, July 9th

    China's APT40 gang is ready to attack vulns within hours or days of public release
    AI-Powered Super Soldiers Are More Than Just a Pipe Dream
    The president ordered a board to probe a massive Russian cyberattack. It never did.
    Massive car dealer ransom attack is mostly over after 2 weeks of work-arounds

    Wednesday, July 3rd

    “RegreSSHion” vulnerability in OpenSSH gives attackers root on Linux
    Two of the German military’s new spy satellites appear to have failed in orbit

    Friday, June 28th

    Indonesian Airports, Data Centres Hit By Worst Cyberattack in Years
    Cisco Talos warns of wider security implications following Snowflake breach

    Thursday, June 27th

    I Wore Meta Ray-Bans in Montreal to Test Their AI Translation Skills. It Did Not Go Well
    Researchers upend AI status quo by eliminating matrix multiplication in LLMs
    YouTube tries convincing record labels to license music for AI song generator
    Critical MOVEit vulnerability puts huge swaths of the Internet at severe risk
    Julian Assange to plead guilty but is going home after long extradition fight

    Thursday, June 13th

    Hackers show off jailbroken checkm8-vulnerable iPad and Apple TV running iPadOS 18 & tvOS 18 respectively
    One of the major sellers of detailed driver behavioral data is shutting down
    Turkish student creates custom AI device for cheating university exam, gets arrested

    Wednesday, June 12th

    Chinese-Made Biometric Access System Has 24 Vulnerabilities
    Apple and OpenAI currently have the most misunderstood partnership in tech
    Adobe to update vague AI terms after users threaten to cancel subscriptions
    China state hackers infected 20,000 Fortinet VPNs

    Tuesday, June 11th

    Russia Is Targeting Germany With Fake Information as Europe Votes
    Apple announces macOS 15 Sequoia with window tiling, iPhone mirroring, and more
    Apple integrates ChatGPT into Siri, iOS, and macOS
    British police to scan 480,000 Formula 1 fans’ faces at Silverstone
    Hackers steal “significant volume” of data from hundreds of Snowflake customers

    Friday, June 7th

    7,000 LockBit decryption keys now in the hands of the FBI, offering victims hope
    FCC pushes ISPs to fix security flaws in Internet routing
    Can a technology called RAG keep AI models from making stuff up?
    How to Lead an Army of Digital Sleuths in the Age of AI

    Thursday, June 6th

    Mystery object waits nearly an hour between radio bursts
    Apple refused to pay bug bounty to Russian cybersecurity firm Kaspersky Lab
    Ex-Microsoft security expert torches Windows' new 'Recall' feature
    The Age of the Drone Police Is Here

    Wednesday, June 5th

    Ukrainian Systems Hit by Cobalt Strike Via a Malicious Excel File
    TikTok Hack Targets ‘High-Profile’ Users via DMs