corwin@talcott.harvard.edu (-David C. Kovar) (04/27/89)
This message is going to Sun-Spots as well as sun-nets. sun-nets readers, please bear with me while I catch Sun-Spots readers up on this. The following message appeared in sun-nets on the 12th of April:

-----

The login program supplied by Sun for its 386i machines accepts an argument which bypasses authentication. It was apparently added in order to allow the Sun program "logintool" to do the authentication and have login do the housekeeping. This allows any user who discovers the new argument to the login program to become root a couple of ways. An example of one method is attached.

Our 386is are running version 4.0.1 of Sun OS (SOS). While awaiting a response from Sun we intend to disable logintool and patch the login binary using the "strings" and "adb" method made famous last November. We do not have access to SOS source code and ran across this while attempting to identify another bug in "logintool".

I have sent messages containing more or less the same information as contained above to the security mailing list (4/10 1808 EDT) and to the cert mailbox (4/11 1441 EDT). I have yet to receive a response of any kind. I must admit, I was expecting at least an ACK, if not a RTFM.

Has this been reported before? Should I have mailed to different mboxes? Am I out in left field? Come in Rangoon, over.

Mike O'Connor
oconnor@sccgate.scc.com
301-840-4952 | 703-359-0172

ps: Mike Rigsby (rigsby@ctc.contel.com) tells me that at a 386i SOS administration class he attended, he was informed that this access path was a design feature put in for forgetful administrators but that the class was told to keep it a secret. I find this surprising, if true, since this is the OS that Sun claims "meets the spirit of C2 specifications." Then again, maybe I understand even less of the C2 specs than I thought I did.

-----

I, unfortunately, reacted first and thought second. The reaction was a message to sun-nets that expressed anger at Sun for including a trapdoor in a production system.

Then I thought about it, called Mike O'Connor, and then called various people at Sun. The general response was "It's a known *bug* and will be fixed in 4.0.2." The following mail message sums up Sun's response to date:

-----

The security holes were ** NOT ** intentional, they're just bugs. They'd certainly have been fixed in a release that's out the door if they'd been known about in time. Don't believe all the rumours you hear.

[Suggested fix deleted.]

-----

I'm still somewhat angry at the fact that Sun is sitting on a known security hole and allowing it to go unfixed 'til the next scheduled update. While not "unethical if not illegal" as I originally suggested, it does appear to be irresponsible. Perhaps they could have sent a US Mail letter to each owner of a 386i suggesting a fix? Without all the facts I'm still guessing at things, but the "bug" looks more like a trapdoor that was not removed rather than a bug that wasn't caught.

The original message states that Mr. Rigsby heard about the hole in a 386i SOS administration class and was told that it was a legitimate feature. Can anyone else confirm this? I'd be very interested in hearing from you, if so.

With regards to the fix, I'm reluctant to just toss it into a mail message, but if you call me at (617) 495-5947 and give me some way of confirming that you work for a real company, university, or whatever, I'll happily tell you what little I know about the details and what fix Sun suggested.

-David C. Kovar
Technical Consultant                ARPA: kovar@husc4.harvard.edu
Office of Information Technology    BITNET: corwin@harvarda.bitnet
Harvard University                  MacNET: DKovar
                                    Ma Bell: 617-495-5947

"It is easier to get forgiveness than permission."