The 'Security Digest' Archives (TM)


ARCHIVE: 'Phage List' - Archives (1988 - 1989)
DOCUMENT: phage #378 [Security hole in 386i login] (1 message, 1115 bytes)
SOURCE: http://securitydigest.org/exec/display?f=phage/archive/378.txt&t=text/plain
NOTICE: securitydigest.org recognises the rights of all third-party works.

START OF DOCUMENT

From: oconnor@sccgate.scc.com (Mike O'Connor)
To: phage
Date: Wed 12:18:49 12/04/1989 EST
Subject: Security hole in 386i login

The login program supplied by Sun for its 386i machines accepts an argument
which bypasses authentication.  It was apparently added in order to allow
the Sun program "logintool" to do the authentication and have login do the
housekeeping.  This allows any user who discovers the new argument to the
login program to become root a couple of ways.  An example of one method is
attached.  Our 386is are running version 4.0.1 of Sun OS (SOS).  While
awaiting a response from Sun we intend to disable logintool and patch the
login binary using the "strings" and "adb" method made famous last November.
	We do not have access to SOS source code and ran across this while
attempting to identify another bug in "logintool".


	I have sent messages containing more or less the same information
as contained above to the security mailing list (4/10 1808 EDT) and to the
cert mailbox (4/11 1441 EDT).  I have yet to receive a response of any kind.
I must admit, I was expecting at least an ACK, if not a RTFM.

	Has this been reported before?  Should I have mailed to different
mboxes?  Am I out in left field?  Come in Rangoon, over.


			Mike O'Connor
			oconnor@sccgate.scc.com
			301-840-4952 | 703-359-0172


ps:  Mike Rigsby (rigsby@ctc.contel.com) tells me that at a 386i SOS
     administration class he attended, he was informed that this access path
     was a design feature put in for forgetful administrators but that the
     class was told to keep it a secret.  I find this surprising, if true,
     since this is the OS that Sun claims "meets the spirit of C2
     specifications."  Then again, maybe I understand even less of the C2
     specs than I thought I did.

END OF DOCUMENT