COMMAND
/usr/bin/login
SYSTEMS AFFECTED
IRIX 5.x, IRIX 6.2
PROBLEM
login(1) is a program used at the beginning of each terminal
session that allows users to identify themselves to the session.
Under current versions of IRIX this functionality is supplied by
the program /usr/lib/iaf/scheme. The login program is a symbolic
link to /usr/lib/iaf/scheme.
Due to insufficient bounds checking on arguments which are
supplied by users, it is possible to overwrite the internal stack
space of the scheme program while it is executing. By supplying
a carefully designed argument to the scheme program, intruders
may be able to force scheme to execute arbitrary commands. As
scheme is setuid root, this may allow intruders to run arbitrary
commands with root privileges.
The login program is installed in /usr/bin/login. Under default
configurations this is a symbolic link to /usr/lib/iaf/scheme.
SOLUTION
Patches are:
OS Version     Vulnerable?     Patch #       Other Actions
----------     -----------     -------       -------------
IRIX 3.x       no
IRIX 4.x       no
IRIX 5.0.x     yes             not avail     Note
IRIX 5.1.x     yes             not avail     Note
IRIX 5.2       yes             not avail     Note
IRIX 5.3       yes             2216
IRIX 6.0.x     yes             not avail     Note
IRIX 6.1       yes             not avail     Note
IRIX 6.2       yes             2181
IRIX 6.3       yes             2232
IRIX 6.4       yes             2233
"Note" means apply the temporary solution described below.
As a temporary solution, you may remove the setuid bit and the
non-root execute permissions:
# chmod 500 /usr/lib/iaf/scheme
# ls -l /usr/lib/iaf/scheme
-r-x------ 1 root sys 58324 Nov 28 1996 /usr/lib/iaf/scheme
Alternatively, use a wrapper. The AUSCERT wrapper can be
found at:
ftp://ftp.auscert.org.au/pub/auscert/tools/overflow_wrapper/overflow_wrapper.c
or
http://cegt201.bradley.edu/~im14u2c/wrapper/
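The wrapper approach mentioned above, as an added example (this is not the AUSCERT overflow_wrapper source and not code from the advisory): a small program that rejects over-long arguments before handing control to the real binary. The relocated path REAL_PROG and the limit MAXARGLEN are assumptions chosen for illustration.

```c
/* Added example: argument-length wrapper for a setuid program.
 * REAL_PROG and MAXARGLEN are assumptions, not values from the advisory. */
#include <stdio.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>

#define REAL_PROG "/usr/lib/iaf/scheme.real"  /* hypothetical relocated binary */
#define MAXARGLEN 32                          /* assumed limit; tune per program */

/* Return the index of the first argument longer than maxlen, or -1 if all fit. */
int first_oversized_arg(int argc, char *const argv[], size_t maxlen)
{
    int i;
    for (i = 0; i < argc; i++) {
        if (argv[i] == NULL)
            return i;               /* malformed vector: reject */
        /* Bounded scan: look for the terminator within maxlen + 1 bytes. */
        if (memchr(argv[i], '\0', maxlen + 1) == NULL)
            return i;
    }
    return -1;
}

int main(int argc, char *argv[])
{
    int bad = first_oversized_arg(argc, argv, MAXARGLEN);
    if (bad >= 0) {
        /* Record the rejected call so the attempt is visible in the logs. */
        openlog("arg_wrapper", LOG_PID, LOG_AUTH);
        syslog(LOG_ALERT, "uid %ld: argument %d exceeds %d bytes, not running %s",
               (long)getuid(), bad, MAXARGLEN, REAL_PROG);
        closelog();
        fprintf(stderr, "argument %d too long\n", bad);
        return 1;
    }
    execv(REAL_PROG, argv);         /* argv[0] is passed through unchanged */
    perror(REAL_PROG);              /* reached only if execv failed */
    return 127;
}
```

A wrapper of this kind is installed at the original path with the original binary moved aside, so every invocation passes through the length check first.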