COMMAND

    login

SYSTEMS AFFECTED

    Red Hat 3.0.3, Debian 1.2 (maybe others)

PROBLEM

    The following denial of service attack seems to work on the above
    systems with the standard login application.

        joe$ nvi /var/log/wtmp

        [ Now no-one else can log in ]

    This is a problem with advisory locking: anyone can create an
    exclusive lock on a file they can only read. The bug exists through
    the recently released util-linux-2.6.

    The problem with locking of /var/log/wtmp by nvi affects not only
    "login". This also works on agetty and mingetty even when the
    "login" bug is fixed. A simple user can lock wtmp by "nvi
    /var/log/wtmp" without having write permission on it.

    If you have fixed it for "login", you can still log in to your
    system, but if you try to log _out_, the tty is dead until the
    lock is removed.

SOLUTION

    Here is a patch which removes the locking (by Nuno Andre
    Henriques Loureiro / nloureir@irc.ualg.pt).

--- util-linux-2.6/login-utils/login.c.orig     Thu Nov  7 06:26:15 1996
+++ util-linux-2.6/login-utils/login.c  Fri Nov 29 16:12:24 1996
@@ -628,9 +628,10 @@
                endutent();

                if((wtmp = open(_PATH_WTMP, O_APPEND|O_WRONLY)) >= 0) {
-                       flock(wtmp, LOCK_EX);
+/* Locking wtmp allows for trivial denial of service attack by nvi */
+/*                     flock(wtmp, LOCK_EX); */
                        write(wtmp, (char *)&ut, sizeof(ut));
-                       flock(wtmp, LOCK_UN);
+/*                     flock(wtmp, LOCK_UN); */
                        close(wtmp);
                }
        }
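Review bot: with both flock() calls commented out, the only thing keeping concurrent wtmp records from interleaving is the O_APPEND open on line `if((wtmp = open(_PATH_WTMP, O_APPEND|O_WRONLY)) >= 0) {`; that is usually enough for a single fixed-size `write(wtmp, (char *)&ut, sizeof(ut));`, but the return value of that write is still unchecked, and a non-blocking attempt (`LOCK_EX|LOCK_NB`) would keep the lock in the uncontended case instead of dropping it entirely. Deleting the lines rather than leaving them as comments would also make the intent clearer than a commented-out `flock(wtmp, LOCK_EX);`.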

[mod: WARNING: UNTESTED CODE, MANUALLY FABRICATED PATCH AHEAD.
Anybody dare to test the following?:

--- util-linux-2.6/login-utils/login.c.orig     Thu Nov  7 06:26:15 1996
+++ util-linux-2.6/login-utils/login.c  Sat Nov 30 11:22:15 1996
@@ -628,6 +628,8 @@
                endutent();

                if((wtmp = open(_PATH_WTMP, O_APPEND|O_WRONLY)) >= 0) {
+/* Locking wtmp allows for trivial denial of service attack by nvi */
+                       alarm (3);
                        flock(wtmp, LOCK_EX);
                        write(wtmp, (char *)&ut, sizeof(ut));
                        flock(wtmp, LOCK_UN);
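Review bot: `alarm (3);` on its own does not "force the lock": the hunk installs no SIGALRM handler, and the default disposition of SIGALRM terminates the process, so a contended `flock(wtmp, LOCK_EX);` would kill login after three seconds instead of letting it proceed to `write(wtmp, (char *)&ut, sizeof(ut));`. It needs a no-op handler (installed without SA_RESTART, so flock() returns -1 with EINTR), an `alarm(0)` after the flock to cancel the timer, and the flock return value checked so that the fallthrough on EINTR is explicit rather than accidental.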

    This is the simple "force the lock if we can't get it" solution.
    If your wtmp is on an ext2fs, it is pretty unlikely that the
    solution "without locking" will corrupt anything. However there
    are race conditions in the ext2fs_write_file code that would
    allow an entry to get overwritten in special circumstances.
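    The two points above (a read-only descriptor can hold an exclusive
    flock, and a writer that waits indefinitely for it is the weak spot)
    can be checked with the following added example, which is not part
    of the advisory or of util-linux. It uses a constructed temp file in
    place of /var/log/wtmp, and the helper names are hypothetical; the
    bounded-wait appender is a substitute for the alarm() approach.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <sys/file.h>
#include <unistd.h>

/* Take an exclusive flock through a READ-ONLY descriptor, the property the
 * advisory relies on: flock(2) never asks for write permission. Returns the
 * fd holding the lock, or -1. (Hypothetical helper, not util-linux code.) */
int hold_exclusive_readonly(const char *path) {
    int fd = open(path, O_RDONLY);
    if (fd >= 0 && flock(fd, LOCK_EX) != 0) { close(fd); fd = -1; }
    return fd;
}

/* Hardened wtmp-style append (hypothetical): poll the lock with LOCK_NB for
 * at most max_ms, then append unlocked rather than hang the tty forever.
 * Returns 1 = written under lock, 2 = written after lock timeout, -1 = error. */
int append_with_bounded_lock(const char *path, const void *rec, size_t len, int max_ms) {
    int fd = open(path, O_APPEND | O_WRONLY), locked = 0;
    if (fd < 0) return -1;
    for (int waited = 0; waited <= max_ms; waited += 10) {
        if (flock(fd, LOCK_EX | LOCK_NB) == 0) { locked = 1; break; }
        if (errno != EWOULDBLOCK) break;   /* genuine error: skip locking */
        usleep(10000);                     /* 10 ms between attempts */
    }
    ssize_t n = write(fd, rec, len);       /* O_APPEND: each write lands at EOF */
    if (locked) flock(fd, LOCK_UN);
    close(fd);
    return n == (ssize_t)len ? (locked ? 1 : 2) : -1;
}

/* Demo on a constructed temp file, never the real /var/log/wtmp. With
 * hold_lock set, a read-only opener holds LOCK_EX during the append. */
int demo_append(int hold_lock) {
    char tmpl[] = "/tmp/wtmp-demo-XXXXXX";
    int t = mkstemp(tmpl), holder = -1, r;
    if (t < 0) return -1;
    close(t);
    if (hold_lock && (holder = hold_exclusive_readonly(tmpl)) < 0) { unlink(tmpl); return -1; }
    r = append_with_bounded_lock(tmpl, "entry", 5, 50);
    if (holder >= 0) { flock(holder, LOCK_UN); close(holder); }
    unlink(tmpl);
    return r;
}
```

    With no competing holder the record is written under the lock; with
    the read-only holder in place the appender gives up after about 50 ms
    and still writes, which is the behaviour the alarm() patch was after.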