NetBSD Problem Report #41942

From Wolfgang.Stukenbrock@nagler-company.com  Wed Aug 26 15:14:38 2009
Return-Path: <Wolfgang.Stukenbrock@nagler-company.com>
Received: from mail.netbsd.org (mail.netbsd.org [204.152.190.11])
	by www.NetBSD.org (Postfix) with ESMTP id E308863B908
	for <gnats-bugs@gnats.NetBSD.org>; Wed, 26 Aug 2009 15:14:38 +0000 (UTC)
Message-Id: <20090826151433.A5D5A4EA9FE@s012.nagler-company.com>
Date: Wed, 26 Aug 2009 17:14:33 +0200 (CEST)
From: Wolfgang.Stukenbrock@nagler-company.com
Reply-To: Wolfgang.Stukenbrock@nagler-company.com
To: gnats-bugs@gnats.NetBSD.org
Subject: telnetd(8) allows direct root login on tty marked as insecure
X-Send-Pr-Version: 3.95

>Number:         41942
>Category:       security
>Synopsis:       telnetd(8) allows direct root login on tty marked as insecure
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    security-officer
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed Aug 26 15:15:00 +0000 2009
>Originator:     Wolfgang Stukenbrock
>Release:        NetBSD 4.0
>Organization:
Dr. Nagler & Company GmbH

>Environment:


System: NetBSD s012 4.0 NetBSD 4.0 (NSW-S012) #9: Fri Mar 13 12:31:52 CET 2009 wgstuken@s012:/usr/src/sys/arch/amd64/compile/NSW-S012 amd64
Architecture: x86_64
Machine: amd64
>Description:
	telnetd supports some features to allow automatic login etc. and instructs login(1) to do just "the rest of the authentication".
	So e.g. the SRA stuff will ask for the user and password and after successfull authentication, login(1) is started to do
	additional checks.
	But login(1) does not check /etc/ttys in this case and so it is possible to login as root from any network address!
	This is very bad, because any user can now become root, even if he is not in the wheel group - su(1) would check this.
	Next bad thing is, that in the last-log only the hostname is documented. So it is impossible to see who has gained
	root access on the machine.
>How-To-Repeat:
	enable telnetd in inetd.conf e.g. as delivered with "-a valid" by the distribution.
	Check  that the pty's are not marked secure in /etc/ttys.
	Then telnet to the system from somewhere to the machine and try a root login.
	If you know (or guess) the correct password, you will get a shell.
>Fix:
	I have only a workaround for the problem for now:
	change the telnetd lines in /etc/inetd.conf in the following way.
	... telnetd -X SRA
	This will disable the whole AUTH stuff in telnetd and use "normal" login(1) functionality ...
	remark: this seems to be the only option to disable the auth stuff "-a off" seems to do nothing ...
		This looks another bug to me, but perhaps 

	In order to fix this, /etc/ttys needs to be checked in any case before allowing root access to the system.
	So either telnetd(8) needs to check this prior allowing root (uid == 0) access from a remote side, or a similar
	options as in sshd(8) to completly disable logins for uid == 0 is needed. (e.g. an additional command line option) 
	An other way may be to change login(1) and check /etc/ttys even on "forced" logins.

	I'm not shure about the better sollution, because changing login(1) looks easier but may break some other assumptions.
	The current situation is not acceptable because anybody may login as root from remote if he knows the password.
	So either telned cannot be used at all or at least the auth-stuff in telnetd must be disabled. (e.g. with my workaround above)

>Unformatted:

NetBSD Home
NetBSD PR Database Search

(Contact us) $NetBSD: query-full-pr,v 1.39 2013/11/01 18:47:49 spz Exp $
$NetBSD: gnats_config.sh,v 1.8 2006/05/07 09:23:38 tsutsui Exp $
Copyright © 1994-2007 The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.