COMMAND

    /etc/default/login

SYSTEMS AFFECTED

    IRIX 5.3, 6.2

PROBLEM

    Under   the   IRIX   operating    system,   there   is   a    file
    /etc/default/login  which   contains  default   security   logging
    configuration options.   If the parameter  LOCKOUT is included  in
    this file,  and is  set to  a value  greater than  zero, it causes
    accounts  to  be  locked  after  a specified number of consecutive
    unsuccessful login attempts by the same user.

    flaps@dgp.toronto.edu  posted  the  following  report.    Several
    modern  unixes  provide  configuration  options  for  security and
    logging in a file called  /etc/default/login.  Irix, and I  assume
    some  others  but  perhaps  it's  an  Irix  invention,  includes a
    variable  "LOCKOUT"  which  causes  an  account  with  a specified
    number of  incorrect login  attempts in  a row  to be  locked (one
    successful login  resets the  count).   This seems  like a  really
    good idea, especially if you set the variable high enough that  no
    one  would  ever  be  locked  out  through  mistakes  whereas  any
    automated password  guessing program  (which ran  over the  net by
    telnetting  in)  would  be  stopped.   Since  one successful login
    clears  the  record,  people  are  not  able  to  accumulate   the
    requisite number of  failures over an  extended period of  time so
    as to be suddenly  surprised one day.   It should be good,  if not
    for  the  following  serious  security  flaw,  at  least  in Irix,
    checked in both 5.3 and 6.2.

    Sites can determine if this functionality is enabled by using  the
    command:

        % grep '^LOCKOUT' /etc/default/login
        LOCKOUT=3

    If the value after LOCKOUT is greater than zero, lockout is active
    and the system is vulnerable.

    Login  maintains  the  LOCKOUT-related   data  in  the   directory
    /var/adm/badlogin,  which  it  creates  when  first  needed.  Each
    logname gets a one  byte file; that byte  is the number of  failed
    login attempts.

    Some time after turning it on, I looked again at /var/adm/badlogin
    and was  astonished to  find quite  a lot  of stuff  in there.  It
    seems  that  whatever  you  type  to  "login:"  gets  counted as a
    logname  for  LOCKOUT  purposes.   So  this  directory   contained
    misspellings, and garbage, and line noise, AND passwords...

    But that's not all.  Since  it doesn't check the logname, you  can
    type pathnames.  Try this:

        IRIX (loser.net)

        login: ../../../etc/something
        Password:
        UX:login: ERROR: Login incorrect

    You've now created an /etc/something.  This works.

    You can't always overwrite existing files; flaps is not sure  why,
    because sometimes he can.  But it doesn't truncate the  file,  it
    just increments the first byte.  So the exploit is not obvious.
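    The  following  is  an  added  example  written for this advisory,
    not SGI's login source.  It models the LOCKOUT bookkeeping  described
    above (one file per logname under /var/adm/badlogin, whose first byte
    is the failure count) in the flawed form, where whatever was typed at
    "login:" becomes a file name, beside a hardened form that only  counts
    failures for well-formed names of existing accounts, and adds an audit
    of the badlogin directory for the  mistyped  names  and  passwords  the
    post found there.  The function names, the logname regex, VALID_USERS
    and the scratch tree built by demo() are assumptions standing  in  for
    the real system.

```python
"""Model of IRIX login's LOCKOUT bookkeeping: flawed vs. hardened, plus
an audit of the badlogin directory.

Added example for this advisory, not SGI's login(1) source. Function
names, the regex, VALID_USERS and the scratch tree in demo() are
assumptions; only the on-disk format (one file per logname, first byte
= failure count) and the /var/adm/badlogin location come from the post.
"""
import os
import re
import tempfile

LOCKOUT = 3                                   # value from the grep example
VALID_USERS = {"root", "flaps", "guest"}      # constructed stand-in for /etc/passwd

# Conventional Unix login-name syntax: no '/', no '.', no leading '-'.
_LOGNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def _bump(path):
    """Increment the single byte stored at path, creating it if absent.
    An existing file is opened r+b, so it is not truncated: only the
    first byte changes, exactly as the post describes."""
    exists = os.path.exists(path)
    count = 0
    if exists:
        with open(path, "rb") as f:
            data = f.read(1)
            count = data[0] if data else 0
    count = min(count + 1, 255)
    with open(path, "r+b" if exists else "wb") as f:
        f.write(bytes([count]))
    return count


def record_failure_vulnerable(badlogin_dir, logname):
    """Flawed behaviour: the raw 'login:' input becomes a file name, so a
    name such as '../../../etc/something' escapes badlogin_dir."""
    os.makedirs(badlogin_dir, exist_ok=True)          # created when first needed
    return _bump(os.path.join(badlogin_dir, logname))  # no validation at all


def record_failure_hardened(badlogin_dir, logname, valid_users=VALID_USERS):
    """Count failures only for well-formed names of existing accounts and
    refuse anything resolving outside badlogin_dir. Unknown names return
    None: log them, never turn them into paths."""
    if not _LOGNAME_RE.match(logname) or logname not in valid_users:
        return None
    os.makedirs(badlogin_dir, exist_ok=True)
    path = os.path.join(badlogin_dir, logname)
    if os.path.dirname(os.path.realpath(path)) != os.path.realpath(badlogin_dir):
        return None
    return _bump(path)


def is_locked(badlogin_dir, logname, lockout=LOCKOUT):
    """True once the stored count reaches lockout (0 disables lockout)."""
    path = os.path.join(badlogin_dir, logname)
    if lockout <= 0 or not os.path.exists(path):
        return False
    with open(path, "rb") as f:
        data = f.read(1)
    return bool(data) and data[0] >= lockout


def audit_badlogin(badlogin_dir, valid_users=VALID_USERS):
    """Entries that are not real accounts: typos, line noise and, as the
    post found, passwords typed at 'login:'. Treat each as a possible
    leaked secret before disabling LOCKOUT and removing the directory."""
    if not os.path.isdir(badlogin_dir):
        return []
    return sorted(n for n in os.listdir(badlogin_dir) if n not in valid_users)


def demo():
    """Replay the advisory in a scratch tree; return the observable results."""
    root = tempfile.mkdtemp()
    badlogin = os.path.join(root, "var", "adm", "badlogin")
    os.makedirs(os.path.join(root, "etc"))
    target = os.path.join(root, "etc", "something")
    traversal = "../../../etc/something"       # the logname from the advisory

    record_failure_vulnerable(badlogin, traversal)
    vuln_escaped = os.path.exists(target)      # /etc/something now exists
    if vuln_escaped:
        os.remove(target)

    hardened_result = record_failure_hardened(badlogin, traversal)
    hardened_escaped = os.path.exists(target)

    record_failure_vulnerable(badlogin, "hunter2")  # a password typed at login:
    flaps_count = 0
    for _ in range(LOCKOUT):
        flaps_count = record_failure_hardened(badlogin, "flaps")

    return (vuln_escaped, hardened_result, hardened_escaped,
            flaps_count, is_locked(badlogin, "flaps"), audit_badlogin(badlogin))


if __name__ == "__main__":
    print(demo())
```

    The hardened  version  rejects  the  traversal  name  twice  over: the
    logname  syntax  check  alone  stops  it,  and  the  realpath  check
    guards against any name that still resolves outside the directory.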

SOLUTION

    Disable the LOCKOUT parameter in  /etc/default/login  on  IRIX  by
    setting it to zero or commenting it out (that is how  it  ships),
    and do the same on any other unix platform that has  it  and  shares
    this problem.  It is easily tested by telnetting in as in the example
    above and then checking for the existence of /etc/something.  Review
    /var/adm/badlogin as well before removing it: as noted above, it may
    hold passwords typed at the login: prompt, so treat its contents  as
    sensitive.

    Patches are:

    OS Version     Vulnerable?     Patch #      Other Actions
    ----------     -----------     -------      -------------
    IRIX 3.x          no
    IRIX 4.x          no
    IRIX 5.0.x        yes          not avail    Note
    IRIX 5.1.x        yes          not avail    Note
    IRIX 5.2          yes          not avail    Note
    IRIX 5.3          yes          2216
    IRIX 6.0.x        yes          not avail    Note
    IRIX 6.1          yes          not avail    Note
    IRIX 6.2          yes          2181
    IRIX 6.3          yes          2232
    IRIX 6.4          yes          2233

    Note: no patch is available; apply the temporary solution above.