[comp.sys.sun] Security hole in 386i login

corwin@talcott.harvard.edu (-David C. Kovar) (04/27/89)

This message is going to Sun-Spots as well as sun-nets. sun-nets readers
please bear with me while I catch Sun-Spots readers up on this.

  The following message appeared in sun-nets on the 12th of April:

-----
The login program supplied by Sun for its 386i machines accepts an argument
which bypasses authentication.  It was apparently added in order to allow
the Sun program "logintool" to do the authentication and have login do the
housekeeping.  This allows any user who discovers the new argument to the
login program to become root a couple of ways.  An example of one method is
attached.  Our 386is are running version 4.0.1 of Sun OS (SOS).  While
awaiting a response from Sun we intend to disable logintool and patch the
login binary using the "strings" and "adb" method made famous last November.
	We do not have access to SOS source code and ran across this while
attempting to identify another bug in "logintool".


	I have sent messages containing more or less the same information
as contained above to the security mailing list (4/10 1808 EDT) and to the
cert mailbox (4/11 1441 EDT).  I have yet to receive a response of any kind.
I must admit, I was expecting at least an ACK, if not a RTFM.

	Has this been reported before?  Should I have mailed to different
mboxes?  Am I out in left field?  Come in Rangoon, over.


			Mike O'Connor
			oconnor@sccgate.scc.com
			301-840-4952 | 703-359-0172


ps:  Mike Rigsby (rigsby@ctc.contel.com) tells me that at a 386i SOS
     administration class he attended, he was informed that this access path
     was a design feature put in for forgetful administrators but that the
     class was told to keep it a secret.  I find this surprising, if true,
     since this is the OS that Sun claims "meets the spirit of C2
     specifications."  Then again, maybe I understand even less of the C2
     specs than I thought I did.
-----

  I, unfortunately, reacted first and thought second. The reaction was a
message to sun-nets that expressed anger at Sun for including a trapdoor in a
production system. Then I thought about it, called Mike O'Connor, and then
called various people at Sun. The general response was "It's a known *bug*
and will be fixed in 4.0.2." The following mail message sums up Sun's 
response to date:

-----
The security holes were ** NOT ** intentional, they're just bugs.
They'd certainly have been fixed in a release that's out the door if
they'd been known about in time.  Don't believe all the rumours you
hear.

[Suggested fix deleted.]
-----
  I'm still somewhat angry at the fact that Sun is sitting on a known
security hole and allowing it to go unfixed 'til the next scheduled update.
While not "unethical if not illegal" as I originally suggested, it does
appear to be irresponsible. Perhaps they could have sent a US Mail letter
to each owner of a 386i suggesting a fix?

  Without all the facts I'm still guessing at things but the "bug" looks
more like a trapdoor that was not removed rather than a bug that wasn't
caught. The original message states that Mr. Rigsby heard about the
hole in a 386i SOS administration class and was told that it was a
legitimate feature. Can anyone else confirm this? I'd be very interested
in hearing from you, if so.

  With regards to the fix, I'm reluctant to just toss it into a mail message
but if you call me at (617) 495-5947 and give me some way of confirming
that you work for a real company, university, or whatever, I'll happily
tell you what little I know about the details and what fix Sun suggested.

-David C. Kovar
	Technical Consultant			ARPA: kovar@husc4.harvard.edu
	Office of Information Technology	BITNET: corwin@harvarda.bitnet
	Harvard University			MacNET: DKovar
						Ma Bell: 617-495-5947

"It is easier to get forgiveness than permission."