]> err.no Git - util-linux/commitdiff
login: audit log injection attack via login
authorSteve Grubb <sgrubb@redhat.com>
Sat, 19 Apr 2008 15:49:02 +0000 (11:49 -0400)
committerKarel Zak <kzak@redhat.com>
Mon, 21 Apr 2008 11:34:31 +0000 (13:34 +0200)
A while back I found a couple audit log injection attacks which became
CVE-2007-3102. I forgot to look at login to see if its vulnerable and Mirek
found that it is. To verify the problem, type:

root addr=xyz.com

for the account name while logging in. It will look like root logged in with
an address of xyz.com.

Signed-off-by: Steve Grubb <sgrubb@redhat.com>
login-utils/login.c

index aad27794327c60391b5148b367d2c79338fc6ee4..230121316d953c59e7842c1325f6e9f326a37608 100644 (file)
@@ -324,7 +324,6 @@ static void
 logaudit(const char *tty, const char *username, const char *hostname,
                                        struct passwd *pwd, int status)
 {
-       char buf[64];
        int audit_fd;
 
        audit_fd = audit_open();
@@ -332,13 +331,10 @@ logaudit(const char *tty, const char *username, const char *hostname,
                return;
        if (!pwd && username)
                pwd = getpwnam(username);
-       if (pwd)
-               snprintf(buf, sizeof(buf), "uid=%d", pwd->pw_uid);
-       else
-               snprintf(buf, sizeof(buf), "acct=%s", username ? username : "(unknown)");
 
-       audit_log_user_message(audit_fd, AUDIT_USER_LOGIN,
-               buf, hostname, NULL, tty, status);
+       audit_log_acct_message(audit_fd, AUDIT_USER_LOGIN,
+               NULL, "login", username ? username : "(unknown)",
+               pwd ? pwd->pw_uid : -1, hostname, NULL, tty, status);
 
        close(audit_fd);
 }