From ed485e1653dbe297f85e845256082ef13c797942 Mon Sep 17 00:00:00 2001 From: Steve Grubb Date: Sat, 19 Apr 2008 11:49:02 -0400 Subject: [PATCH] login: audit log injection attack via login A while back I found a couple audit log injection attacks which became CVE-2007-3102. I forgot to look at login to see if its vulnerable and Mirek found that it is. To verify the problem, type: root addr=xyz.com for the account name while logging in. It will look like root logged in with an address of xyz.com. Signed-off-by: Steve Grubb --- login-utils/login.c | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) diff --git a/login-utils/login.c b/login-utils/login.c index 1af87925..fec8da33 100644 --- a/login-utils/login.c +++ b/login-utils/login.c @@ -324,7 +324,6 @@ static void logaudit(const char *tty, const char *username, const char *hostname, struct passwd *pwd, int status) { - char buf[64]; int audit_fd; audit_fd = audit_open(); @@ -332,13 +331,10 @@ logaudit(const char *tty, const char *username, const char *hostname, return; if (!pwd && username) pwd = getpwnam(username); - if (pwd) - snprintf(buf, sizeof(buf), "uid=%d", pwd->pw_uid); - else - snprintf(buf, sizeof(buf), "acct=%s", username ? username : "(unknown)"); - audit_log_user_message(audit_fd, AUDIT_USER_LOGIN, - buf, hostname, NULL, tty, status); + audit_log_acct_message(audit_fd, AUDIT_USER_LOGIN, + NULL, "login", username ? username : "(unknown)", + pwd ? pwd->pw_uid : -1, hostname, NULL, tty, status); close(audit_fd); } -- 2.39.5