CERT Advisory: Buffer Overflow in System V Derived Login
This CERT advisory describes a potential login-based security hole in Solaris 8 and later (as well as several other System V-derived operating systems). It also describes how you can patch the hole on your Solaris systems.
From CERT: "Several implementations of login that are derived from System V allow a user to specify arguments such as environment variables to the process. An array of buffers is used to store these arguments. A flaw exists in the checking of the number of arguments accepted. This flaw permits the array of buffers to be overflowed. Several applications use login for authentication to the system. A remotely exploitable buffer overflow exists in login derived from System V [including Solaris 8 and higher]. Attackers can exploit this vulnerability to gain root access to the server.
"On most systems, login is not suid; therefore, it runs as the user who called it. If, however, login is called by an application that runs with greater privileges than those of the user, such as telnetd or rlogind, then the user can exploit this vulnerability to gain the privileges of that program. In the case of telnetd or rlogind, root access is gained....
"This vulnerability can be remotely exploited to gain privileges of the invoker of login. In the case of a program such as telnetd, rlogind, or other suid root programs, root access is gained."
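The advisory describes the bug class only in general terms: a fixed-size array of argument buffers and a flawed check on how many arguments are accepted. The following C program is an added illustration of that pattern and is not code from CERT, Sun, or any System V login implementation. It assumes the flawed check is an off-by-one comparison (the advisory does not say what the actual check was), uses a deliberately tiny limit `MAX_ARGS`, and stands in for "whatever memory follows the array" with one extra guard slot holding a constructed `CANARY` marker so the out-of-bounds write can be observed without undefined behaviour.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical limit on stored arguments; real logins used a larger, fixed table. */
#define MAX_ARGS 4

/* Constructed marker that stands in for the memory adjacent to the array. */
static const char CANARY[] = "CANARY";

struct argstore {
    /* MAX_ARGS real slots plus one guard slot; a correct check never touches
       index MAX_ARGS, a flawed one can. Keeping the guard inside the backing
       array keeps the demo well-defined C. */
    const char *slots[MAX_ARGS + 1];
    int count;
};

static void argstore_init(struct argstore *s)
{
    memset(s, 0, sizeof *s);
    s->slots[MAX_ARGS] = CANARY;
}

/* Returns 1 while the guard slot still holds the marker, 0 once it was overwritten. */
int canary_intact(const struct argstore *s)
{
    return s->slots[MAX_ARGS] == CANARY;
}

/* Store argv[0..argc-1] into s. strict == 0 uses the flawed bound (assumed
   off-by-one), strict != 0 uses the corrected bound. Returns the number of
   arguments stored, or -1 when the list is rejected. */
int store_args(const char **argv, int argc, int strict, struct argstore *s)
{
    argstore_init(s);
    for (int i = 0; i < argc; i++) {
        if (strict) {
            /* Correct: refuse once all MAX_ARGS slots are in use. */
            if (s->count >= MAX_ARGS)
                return -1;
        } else {
            /* Flawed: allows count == MAX_ARGS, so the next write lands one
               slot past the logical array (here: the guard slot). */
            if (s->count > MAX_ARGS)
                return -1;
        }
        s->slots[s->count++] = argv[i];
    }
    return s->count;
}

int main(void)
{
    /* Constructed sample: five NAME=value arguments, one more than the limit. */
    const char *argv5[] = { "TERM=vt100", "HOME=/tmp", "A=1", "B=2", "C=3" };
    struct argstore s;

    int n = store_args(argv5, 5, 0, &s);
    printf("flawed check: stored %d, guard slot %s\n",
           n, canary_intact(&s) ? "intact" : "OVERWRITTEN");

    n = store_args(argv5, 5, 1, &s);
    printf("strict check: result %d, guard slot %s\n",
           n, canary_intact(&s) ? "intact" : "OVERWRITTEN");
    return 0;
}
```

With five arguments the flawed comparison reports success and the guard slot is overwritten, which is the shape of the overflow the advisory describes; the corrected comparison rejects the list before the fifth write. The defensive lesson is the same one CERT's text implies: a count check must compare against the array's capacity with `>=`, and any program that inherits login's privilege (telnetd, rlogind) inherits the consequence of getting it wrong.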