Security vulnerability
AIX login argument handling vulnerability

Published: 1996-12-04
Updated: 1999-06-01

Affected systems:
IBM AIX rlogin
    - IBM AIX 3.2.5
    - IBM AIX 3.2.4
    - IBM AIX 3.2
    - IBM AIX 3.1
Unaffected systems:
IBM AIX rlogin
    - IBM AIX 4.3.2
    - IBM AIX 4.3
    - IBM AIX 4.2.1
    - IBM AIX 4.2
    - IBM AIX 4.1.5
    - IBM AIX 4.1.4
    - IBM AIX 4.1.3
    - IBM AIX 4.1.2
    - IBM AIX 4.1.1
    - IBM AIX 4.1
Description:
BUGTRAQ ID: 458
CVE(CAN) ID: CVE-1999-0113

IBM AIX's login mishandles its command-line arguments. A remote attacker can use this through rlogind to obtain a root shell without a password.

login treats the command-line argument -fUSER as -f USER. There are two main styles of rlogind implementation:

Old style: rlogind accepts the connection, allocates a pty and invokes login with -r <hostname>; login then runs the rlogin protocol itself. This style is not exploitable.

New style: rlogind accepts the connection, allocates a pty and runs the rlogin protocol itself. If the remote user passes authentication, rlogind invokes login as:

login -p -h <hostname> -f lusername

If authentication fails, rlogind invokes login without -f, so that login will prompt for a password:

login -p -h <hostname> lusername

Here lusername is the user name the client asked to log in as, taken straight from the rlogin protocol and placed into login's argv without validation. Because login -p -h <hostname> -flusername is parsed as login -p -h <hostname> -f lusername, a client that sends -froot as the user name turns the unauthenticated invocation login -p -h <hostname> -froot into -f root, and login skips the password check. The advisory's form is rlogin -froot targethost.com, which yields a root session on targethost.com with any client that forwards -froot to the server as the remote user name.
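The following is an added example, not code from the advisory, IBM or AIX. It models the two pieces of argv handling described above in miniature: an rlogind-like caller that places a remote-supplied user name into login's argv, and a login-like parser that accepts the glued -fUSER form anywhere on the command line. Beside the vulnerable parser is a hardened one that stops option processing at the first non-option or at "--", refuses the glued form, and validates the user name; the caller is hardened by validating the name before exec and placing it after "--". The struct, function and host names, the user-name policy and the "-froot" input are all constructed for the example.

```c
/* Added example, not code from the advisory, IBM or AIX. All names are hypothetical. */
#include <stdio.h>
#include <string.h>

struct login_opts {
    int preserve_env;   /* -p */
    const char *host;   /* -h <host> */
    int skip_auth;      /* -f: caller claims the user is already authenticated */
    const char *user;
};

/* Vulnerable model of login's parser: "-f USER" and "-fUSER" are both accepted,
 * and options are recognised at any argv position. */
static int parse_login_vuln(int argc, char **argv, struct login_opts *o)
{
    memset(o, 0, sizeof *o);
    for (int i = 1; i < argc; i++) {
        const char *a = argv[i];
        if (a[0] != '-') { o->user = a; continue; }          /* positional user name */
        switch (a[1]) {
        case 'p': o->preserve_env = 1; break;
        case 'h': if (a[2]) o->host = a + 2; else if (i + 1 < argc) o->host = argv[++i]; else return -1; break;
        case 'f': o->skip_auth = 1;
                  if (a[2]) o->user = a + 2;                 /* "-froot" becomes -f root */
                  else if (i + 1 < argc) o->user = argv[++i]; else return -1;
                  break;
        default:  return -1;
        }
    }
    return o->user ? 0 : -1;
}

/* Assumed user-name policy (not AIX's): non-empty, no leading '-', only [A-Za-z0-9._-].
 * The leading '-' check is the one that matters for this bug. */
static int valid_username(const char *u)
{
    if (!u || !*u || *u == '-') return 0;
    for (; *u; u++) {
        char c = *u;
        if (!((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9') ||
              c == '.' || c == '_' || c == '-'))
            return 0;
    }
    return 1;
}

/* Hardened model: options only before the first non-option or "--", the glued
 * "-fUSER" form is refused, and the final user name is validated. */
static int parse_login_hardened(int argc, char **argv, struct login_opts *o)
{
    memset(o, 0, sizeof *o);
    int i = 1;
    for (; i < argc && argv[i][0] == '-'; i++) {
        if (!strcmp(argv[i], "--")) { i++; break; }           /* end of options */
        if (!strcmp(argv[i], "-p")) o->preserve_env = 1;
        else if (!strcmp(argv[i], "-h") && i + 1 < argc) o->host = argv[++i];
        else if (!strcmp(argv[i], "-f") && i + 1 < argc) { o->skip_auth = 1; o->user = argv[++i]; }
        else return -1;                                        /* unknown or glued option */
    }
    if (i < argc) { if (o->user) return -1; o->user = argv[i++]; }
    if (i != argc) return -1;                                  /* trailing arguments */
    return valid_username(o->user) ? 0 : -1;
}

/* Model of rlogind's unauthenticated path: login's argv is built from the name the
 * client asked for. With use_separator the name is placed after "--". */
static int build_unauth_argv(const char *host, const char *lusername, int use_separator, char **argv)
{
    int n = 0;
    argv[n++] = "login"; argv[n++] = "-p"; argv[n++] = "-h"; argv[n++] = (char *)host;
    if (use_separator) argv[n++] = "--";
    argv[n++] = (char *)lusername;
    argv[n] = NULL;
    return n;
}

/* Constructed scenario: the client sends "-froot" as the user name. Returns 0 if login
 * would proceed (then *out says whether authentication was skipped and for whom), -1 if
 * the request is rejected by either side. */
static int run_scenario(int rlogind_hardened, int login_hardened, struct login_opts *out)
{
    const char *lusername = "-froot";
    char *argv[8];
    memset(out, 0, sizeof *out);
    if (rlogind_hardened && !valid_username(lusername)) return -1;   /* refused before exec */
    int argc = build_unauth_argv("attacker.example", lusername, rlogind_hardened, argv);
    return login_hardened ? parse_login_hardened(argc, argv, out) : parse_login_vuln(argc, argv, out);
}

int main(void)
{
    struct login_opts o;
    int rc = run_scenario(0, 0, &o);
    printf("vulnerable:            rc=%d skip_auth=%d user=%s\n", rc, o.skip_auth, o.user ? o.user : "(none)");
    printf("login hardened only:   rc=%d\n", run_scenario(0, 1, &o));
    printf("rlogind hardened only: rc=%d\n", run_scenario(1, 0, &o));
    return 0;
}
```

Either side alone closes this particular hole: the hardened parser rejects "-froot" because it is not a recognised option, and the hardened caller never lets a name with a leading '-' reach argv at all. Keeping both is the point, since login is also reached through paths other than rlogind.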

Source: Linux Usenet Admin group

Link: http://online.securityfocus.com/archive/1/646

Test method:

Warning

The following program (method) may be offensive in nature and is provided for security research and teaching only. Use at your own risk!

%rlogin -froot targethost.com

Recommendation:
Temporary workaround:

If you cannot install the patch or upgrade immediately, NSFOCUS recommends the following measures to reduce the threat:

* H Morrow Long <long-morrow@cs.yale.edu> provided the following script to address the problem:

#!/bin/sh
#
# H. Morrow Long, Yale CSCF
#
# Version "tsm-3.2.0".
AIX_VERSION="tsm-3.2.0"
#
# Patch path directory /cs/local/src/AIX/rlogin/
AIX_PATCH_DIR="/cs/local/src/AIX/rlogin"

AIX_TSM_PATCH="$AIX_PATCH_DIR/$AIX_VERSION"

# Root should NOT be allowed to rlogin as user ROOT anyway! DISABLE root rlogin
#
chuser rlogin='false' root
#
#
# 1. As root, edit /etc/inetd.conf
# Comment out the line 'login ... rlogin'

sed 's/^login/# login/' /etc/inetd.conf > /tmp/inetd.conf.NEW
cp -p /etc/inetd.conf /etc/inetd.conf.BACKUP
cp /tmp/inetd.conf.NEW /etc/inetd.conf

# 2. Run 'inetimp'
inetimp
# 3. Run 'refresh -s inetd'
refresh -s inetd
#
#
#
# APAR IX44254 -- rlogin security hole
#
# This document describes how to apply the emergency patch for APAR
# IX44254. This emergency patch is not the permanent solution to this
# problem, it merely provides a means to restore rlogin functionality
# in a more secure manner.
#
# Begin by identifying the correct level for your system. The command
# "oslevel" may be used for this purpose on AIX v3.2 systems. For AIX
# v3.1 systems you must know the last maintenance level which was
# applied.
#
# If the "oslevel" command returns "oslevel: not found" or a similar
# message from the shell, you must use "tsm-3.2.0".
#
# If the "oslevel" command returns "<3240" or "<>3240", you must use
# "tsm-3.2.0".
#
# If the "oslevel" command returns "=3240", ">3240", "<3250" or "<>3250",
# you must use "tsm-3.2.4".
#
# If the "oslevel" command returns "=3250" or ">3250", you must use
# "tsm-3.2.5".
#
#
# Once you have determined the correct version, execute the following
# steps.
#
# 1). "cd /usr/sbin"
cd /usr/sbin
# 2). If the file "tsm.ix44254" does not exist, execute "mv tsm tsm.ix44254"
#     (guarded so that a second run does not overwrite the saved original)
[ -e tsm.ix44254 ] || mv tsm tsm.ix44254
# 3). "cp <version> tsm" where "<version>" was figured out above.
# "tsm-3.2.0".

# cp /cs/local/src/AIX/rlogin/tsm-3.2.0 ./tsm
cp "${AIX_TSM_PATCH}" ./tsm

# 4). "rm -f login getty"
rm -f login getty
# 5). "chown root.security tsm"
chown root.security tsm
# 6). "chmod 4554 tsm"
chmod 4554 tsm
# 7). "ln tsm login"
ln tsm login
# 8). "ln tsm getty"
ln tsm getty
# 9). "chmod a-x tsm.ix44254"
chmod a-x tsm.ix44254
#

cp -p /etc/inetd.conf.BACKUP /etc/inetd.conf

# 2. Run 'inetimp'
inetimp
# 3. Run 'refresh -s inetd'
refresh -s inetd
#

#
# You may verify that the new login command is working correctly with the
# command
#
# rlogin localhost
rlogin localhost

Vendor patches:

IBM
---
IBM AIX 4.1 and later are not affected by this vulnerability. Please contact the vendor:

http://www.ers.ibm.com/

This advisory was translated and compiled by NSFOCUS. All rights reserved; reproduction without permission is prohibited.