From: Steve Grubb <sgrubb@redhat.com>
Date: Sat, 19 Apr 2008 15:49:02 +0000 (-0400)
Subject: login: audit log injection attack via login
X-Git-Url: https://err.no/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ed485e1653dbe297f85e845256082ef13c797942;p=util-linux

login: audit log injection attack via login

A while back I found a couple audit log injection attacks which became
CVE-2007-3102. I forgot to look at login to see if its vulnerable and Mirek
found that it is. To verify the problem, type:

root addr=xyz.com

for the account name while logging in. It will look like root logged in with
an address of xyz.com.

Signed-off-by: Steve Grubb <sgrubb@redhat.com>
---

diff --git a/login-utils/login.c b/login-utils/login.c
index 1af87925..fec8da33 100644
--- a/login-utils/login.c
+++ b/login-utils/login.c
@@ -324,7 +324,6 @@ static void
 logaudit(const char *tty, const char *username, const char *hostname,
 					struct passwd *pwd, int status)
 {
-	char buf[64];
 	int audit_fd;
 
 	audit_fd = audit_open();
@@ -332,13 +331,10 @@ logaudit(const char *tty, const char *username, const char *hostname,
 		return;
 	if (!pwd && username)
 		pwd = getpwnam(username);
-	if (pwd)
-		snprintf(buf, sizeof(buf), "uid=%d", pwd->pw_uid);
-	else
-		snprintf(buf, sizeof(buf), "acct=%s", username ? username : "(unknown)");
 
-	audit_log_user_message(audit_fd, AUDIT_USER_LOGIN,
-		buf, hostname, NULL, tty, status);
+	audit_log_acct_message(audit_fd, AUDIT_USER_LOGIN,
+		NULL, "login", username ? username : "(unknown)",
+		pwd ? pwd->pw_uid : -1, hostname, NULL, tty, status);
 
 	close(audit_fd);
 }