From rafi@tavor.openu.ac.il  Tue Jun  4 05:34:44 1996
Received: from sol.cs.openu.ac.il (rafi@sol.cs.openu.ac.il [147.233.32.35]) by suburbia.net (8.7.4/Proff-950810) with SMTP id FAA20825 for <best-of-security@suburbia.net>; Tue, 4 Jun 1996 05:34:19 +1000
Received: from localhost by sol.cs.openu.ac.il with SMTP id AA15814
  (5.67b/IDA-1.5 for <best-of-security@suburbia.net>); Mon, 3 Jun 1996 22:34:32 +0300
Date: Mon, 3 Jun 1996 22:34:31 +0300 (IDT)
From: Rafi Sadowsky <rafi@tavor.openu.ac.il>
X-Sender: rafi@sol.cs.openu.ac.il
To: Best Of Security List <best-of-security@suburbia.net>
Subject: Re: BoS: [linux-alert] Serious Security hole in getpwnam () [Forwarded e-mail from Jeff Uphoff] (fwd)
In-Reply-To: <Pine.SOL.3.93.960603220943.14534L-100000@sol.cs.openu.ac.il>
Message-Id: <Pine.SOL.3.93.960603223103.14534P-100000@sol.cs.openu.ac.il>
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

sorry - mistake
I guess it's just my luck that the mistake made it through on the 20% non
moderated quota ( I was forwarding it to someone else )

Sorry Again
	Rafi ( ILAN-CERT )

P.S. proff, I hope you're not going to kick a FIRST team coordinator off the
list for this ;-(


-- 
Rafi Sadowsky                                   rafi@tavor.openu.ac.il
[postmaster@openu.ac.il]  VoiceMail: +972-3-6460592    FAX: +972-3-6460744
Network Manager           | IsraeLi-Academic-Net-CERT(CERT-L@VM.TAU.AC.IL)
Open University of Israel |            Technical coordinator
(PGP key available by finger) 


On Mon, 3 Jun 1996, Rafi Sadowsky wrote:

> this regards linux with YOP
> 
> 	Rafi
> 
> 
> -- 
> Rafi Sadowsky                                   rafi@tavor.openu.ac.il
> [postmaster@openu.ac.il]  VoiceMail: +972-3-6460592    FAX: +972-3-6460744
> Network Manager           | IsraeLi-Academic-Net-CERT(CERT-L@VM.TAU.AC.IL)
> Open University of Israel |            Technical coordinator
> (PGP key available by finger) 
> 
> 
> ---------- Forwarded message ----------
> Date: Mon, 3 Jun 1996 11:20:57 -0400
> From: Jeff Uphoff <juphoff@tarsier.cv.nrao.edu>
> To: bugtraq@crimelab.com, best-of-security@suburbia.net
> Subject: BoS: [linux-alert] Serious Security hole in getpwnam () [Forwarded e-mail from Jeff Uphoff]
> Resent-Date: Tue, 4 Jun 1996 01:21:17 +1000
> Resent-From: best-of-security@suburbia.net
> 
> ------- start of forwarded message (RFC 934 encapsulation) -------
> From: Jeff Uphoff <juphoff@tarsier.cv.nrao.edu>
> Sender: owner-linux-alert@tarsier.cv.nrao.edu
> To: linux-alert@tarsier.cv.nrao.edu, linux-security@tarsier.cv.nrao.edu
> Subject: [linux-alert] Serious Security hole in getpwnam ()
> Date: Tue, 28 May 1996 11:02:41 -0400
> Reply-To: linux-security@tarsier.cv.nrao.edu
> 
> - -----BEGIN PGP SIGNED MESSAGE-----
> 
> This is a *very* serious hole that affects Linux-based NIS client
> systems.  A more formal alert will be posted once a fixed version of
> libc has been officially released.
> 
> For those that don't want to (or can't) patch and recompile their own
> fixed version of libc, I recommend the *immediate* removal of all "stub"
> NIS username entries, of the forms described in the attached message,
> from /etc/passwd.
> 
> - - --Up.
> 
> [Please note that the PGP and forwarding encapsulations have modified
> the MIME headers and the diff/patch segment.]
> 
> - - ------- start of forwarded message (RFC 934 encapsulation) -------
> From: Arno Schaefer <aschaefe@crcg.edu>
> Sender: schaefer@crcg.edu
> Organization: Fraunhofer CRCG, Inc.
> To: juphoff@nrao.edu
> Subject: Serious Security hole in getpwnam ()
> Date: Fri, 24 May 1996 15:37:54 -0400
> 
> This is a multi-part message in MIME format.
> 
> - - - --------------63DB9C7E36AD404B638D1437
> Content-Type: text/plain; charset=us-ascii
> Content-Transfer-Encoding: 7bit
> 
>  Jeff,
> 
>  I just discovered a major security hole in the getpwnam() function
>  in the current libc (5.3.12, probably present in all previous
>  versions). It can be exploited if there is an entry in the form
> 
>  +username::::::
>  or
>  -username::::::
> 
>  or similar in /etc/passwd (an entry to admit or exclude a single user
>  from the NIS passwd file).
> 
>  By typing 'su +username' or 'su -- -username' resp. you become root
>  without being asked for a passwd.
> 
>  'login' is not vulnerable, so only users with shell access to the
>  machine can exploit the bug.
> 
>  I tried it on two different systems that used NIS, both running
>  Slackware 3.0, libc 5.3.12 and 5.0.9, resp. It can only be used
>  if an entry of the form described above is present, so many systems
>  that do not use NIS or that have only a standard '+' entry are safe
>  against this attack.
> 
>  This apparently has been known for a long time, since the source for
>  'login' reads:
> 
>                /* Dirty patch to fix a gigantic security hole when using 
>                   yellow pages. This problem should be solved by the
>                   libraries, and not by programs, but this must be fixed
>                   urgently! If the first char of the username is '+', we 
>                   avoid login success.
>                   Feb 95 <alvaro@etsit.upm.es> */
> 
>                 if (username[0] == '+') {
>                     puts("Illegal username");
>                     badlogin(username);
>                     sleepexit(1);
>                 }
> 
>  but probably due to bad communication it was not fixed in libc.
>  A similar bug in the same function was fixed over a year ago
>  ('su +' or 'su +@netgroup'), but strangely nobody thought about
>  'su +username'.
> 
>  I attach a patch that fixes the hole - it was taken against libc
>  5.3.12, but should be easily adaptable to other versions. I was
>  already in contact with H.J. Lu and expect that the next version
>  of libc will contain this patch.
> 
>  I think this info should be forwarded to the linux-alert mailing
>  list.
> 
>  Regards,
> 
>  Arno
> 
>  -- 
>  Arno Schaefer - aschaefe@crcg.edu
>  Fraunhofer Center for Research in Computer Graphics, Providence RI
>  -- Opinions expressed are my own and not those of Fraunhofer CRCG --
>  Never attribute to malice that which can be adequately explained by
>  stupidity
> 
> - - - --------------63DB9C7E36AD404B638D1437
> Content-Type: text/plain; charset=us-ascii
> Content-Transfer-Encoding: 7bit
> Content-Disposition: inline; filename="getpwnam.patch"
> 
> Index: getpwnam.c
> ===================================================================
> RCS file: /home/work/cvs/linux/libc/pwd/getpwnam.c,v
> retrieving revision 1.5
> diff -c -r1.5 getpwnam.c
> *** getpwnam.c	1996/05/22 15:49:37	1.5
> - - - --- getpwnam.c	1996/05/23 06:59:32
> ***************
> *** 53,58 ****
> - - - --- 53,63 ----
>     register FILE *stream;
>     register struct passwd *p;
>   
> + #ifdef YP
> +   if (name[0] == '-' || name[0] == '+')
> +     return NULL;
> + #endif
> + 
>     if (info == NULL)
>       {
>         info = __pwdalloc();
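Review bot: the `***`/`---` file and hunk header lines have been rewritten to `- - - ---` by the RFC 934 and PGP encapsulation (the forwarder warns about this at the top of the message), so this context diff will not apply with patch(1) as pasted; the `- - - ` prefixes have to be stripped first. On the added check itself: it is wrapped in `#ifdef YP`, so a libc built without YP keeps the old behaviour, which matches the advisory's statement that non-NIS systems are unaffected but deserves an explicit mention in the changelog; and it returns NULL for every name whose first character is `+` or `-`, so the `+@netgroup` forms are rejected by this lookup as well, which should be documented for callers.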
> 
> - - - --------------63DB9C7E36AD404B638D1437--
> - - ------- end -------
> 
> [Mod: I have also verified the existence of this hole in libc-4.6.27
> (a.out).  --Jeff.]
> 
> ------- end -------
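Added example, not from the advisory or any of the posters: a small checker for the mitigation Jeff recommends above, which flags the single-user NIS stub entries (`+username` / `-username`) in passwd-format data while leaving the plain `+` entry and the `+@netgroup` forms, which the advisory describes as unaffected or fixed earlier, unflagged. The sample passwd content is constructed.

```python
import sys

# Constructed sample passwd content (not taken from the advisory).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/bin/false
+alice::::::
-mallory::::::
+@staff::::::
+::::::
bob:x:1000:100:Bob:/home/bob:/bin/bash
"""


def classify(line):
    """Return the NIS compat-entry class of one passwd line."""
    name = line.split(":", 1)[0]
    if name in ("+", "-"):
        return "nis-all"           # plain '+' entry: unaffected per the advisory
    if name.startswith(("+@", "-@")):
        return "netgroup"          # '+@netgroup' form: fixed in libc a year earlier
    if name[:1] in ("+", "-"):
        return "single-user-stub"  # '+username' / '-username': the vulnerable form
    return "local"


def find_stub_entries(text):
    """Return (line number, name) for every single-user NIS stub entry."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line or line.startswith("#"):
            continue
        if classify(line) == "single-user-stub":
            hits.append((n, line.split(":", 1)[0]))
    return hits


if __name__ == "__main__":
    # Optionally pass a passwd file path; default to the constructed sample.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PASSWD
    for n, name in find_stub_entries(data):
        print(f"line {n}: stub entry {name!r} should be removed until libc is fixed")
```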