cvs commit: src/sbin/nologin Makefile nologin.c
David Schultz
das at FreeBSD.ORG
Sun Feb 22 18:57:08 PST 2004
On Sun, Feb 22, 2004, Tim Kientzle wrote:
> Colin Percival wrote:
> >
> > Modified files:
> > sbin/nologin Makefile nologin.c
> > Log:
> > Report login attempts to syslog. Due to the statically-linked nature of
> > nologin(8) ...
>
> Why is nologin statically linked?
>
> Nothing else in /sbin is statically linked now.
Because of environment-poisoning attacks such as the following:
das at VARK:~> \login -p test
Password:
Last login: Sun Feb 22 16:25:26 on ttypf
<VARK>
This account is currently not available.
das at VARK:~> setenv LD_LIBRARY_PATH /home/das/exploit
das at VARK:~> \login -p test
Password:
Last login: Sun Feb 22 18:55:40 on ttypf
<VARK>
This account is currently not available.
Exploit worked. Executing a shell.
$ unset LD_LIBRARY_PATH
$ whoami
test
$
This attack was executed with a dynamically-linked /sbin/nologin
and a special libc.so.5 in the /home/das/exploit directory that
replaces the _exit() stub with a routine that spawns a shell.
Note that this attack also works with OpenSSH provided that the
locked out user has a ~/.ssh/environment file.[1]
Admittedly, making /sbin/nologin static is a kludgy solution.[2]
It would be far better if we had a link option or something that
altered the behavior of rtld in the same way as setting the setuid
bit, but at link time.
[1] I think Theo might have changed his mind about this
questionable feature and disabled it by default in
recent versions of OpenSSH. See the PermitUserEnvironment
option in sshd_config(5).
[2] One could also argue that /sbin/nologin itself is a kludgy
solution because it only mediates shell access, and that a
PAM module is a much more appropriate way to address the
problem.
More information about the cvs-all
mailing list