~/.login_conf mechanism is flawed
snabb at epipe.com
Thu Aug 12 19:01:40 UTC 2010
On Thu, 12 Aug 2010, Mike Tancsa wrote:
> Are there any other tricks / work around people have implemented ? MACs ?
Binary patch libutil:
1. cd /lib
2. perl -pi.bak -e 's!\.login_conf!../.noexist!;' libutil.so.*
3. /etc/rc.d/sshd restart ; /etc/rc.d/ftpd restart
The above binary patch makes the login procedure to look for a file
called ".noexist" one level up from the user's home directory. If
that directory is not writable by the user (as is typically), the
patch will protect you from the potential vulnerability (by disabling
user-specific capabilities processing).
(Yes, you can use perl regular expressions to do binary patches.
They do not seem to break anything in the binary data. I have been
doing similar things for years. sed is not robust for this purpose.
Obviously you will break everything if the replacement string is
not of the same length as the original.)
I was looking at the lib/libc/db code today for some time. valgrind
reports several out-of-allocated-space accesses when db functions
are given a malicious .db file (__getbuf_crash_suspicious.db from
HI-TECH's mail attachment for example). The code is somewhat
complicated to understand, as I am not familiar with it, thus no
real solution (from me at least).
Janne Snabb / EPIPE Communications
snabb at epipe.com - http://epipe.com/
More information about the freebsd-security