Bugtraq mailing list archives
Re: Sol2.x Mouse EXPLOIT info - CORRECTION
From: bicknell () ussenterprise async vt edu (Leo Bicknell)
Date: Wed, 18 Jan 1995 10:24:41 -0500 (EST)
Why DEC ships off Ultrix 4.X with a weirdo /.rhosts which contains -- "# @(#).rhosts 8.1 Ultrix 9/18/92" (taken out of 4.4 ult)

What the writer was referring to (I assume) is the problem that ruserok() doesn't interpret leading #'s or "#'s as comments: thus, (presumably) all I need to do is create a machine in my domain with the name "#.princeton.edu, hack rlogin to claim that my username is @(#).rhosts, and then hacked-rlogin -l root ultrix-box will give me root on an ultrix-box. If this is true (and I haven't confirmed it myself), it's on the same level as putting + + in /etc/hosts.equiv. This *is* a rather esoteric hole, I must admit. :-)
Ok, I'll point out a few things. "#" is not a valid character in a host name, and a good bind server will not return it. I was unable to get my bind server to return a hostname with a # in it, so even if someone hacked the bind server for your site it wouldn't matter. Also, if someone was able to hack the bind server you would have much bigger problems, like all the user .rhosts, and any other (valid) entries in root's .rhosts.

Another thing not considered is that by default under Ultrix all the network tty's are _unsecure_, meaning root cannot log in on them no matter what .rhosts says. Unless you have changed this it is absolutely not possible for this to be a problem.

It's been pointed out to me that several of the free Unixes available (FreeBSD for instance) also come with such a file.

If I've missed something and am wrong about this, please let me know.

--
Leo Bicknell - bicknell () vt edu            | Make a little birdhouse
bicknell () csugrad cs vt edu                | in your soul......
bicknell () ussenterprise async vt edu       | They Might
http://ussenterprise.async.vt.edu/~bicknell/ | Be Giants
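An added example, not part of the original message and not vendor code: an audit of .rhosts content that assumes the parsing behaviour discussed above (no comment handling, so a leading "#" becomes the host field) and applies the reply's point that "#" is not a valid hostname character. The function names and all sample lines except the Ultrix header are constructed for illustration.

```python
import re

# One RFC 952/1123 hostname label: letters, digits, hyphen; no hyphen at either end.
_LABEL = re.compile(r"[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?")


def valid_hostname(name):
    """True if every dot-separated label uses only characters legal in a hostname."""
    name = name.rstrip(".")
    if not name or len(name) > 253:
        return False
    return all(_LABEL.fullmatch(label) for label in name.split("."))


def audit_rhosts(text):
    """Split each line into host/user fields with no comment handling
    (the behaviour assumed from the thread) and return
    (lineno, host, user, finding) for every line worth reviewing.
    Not modelled: netgroup (+@group) and negated (-host) entries."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split()
        if not fields:
            continue
        host = fields[0]
        user = fields[1] if len(fields) > 1 else None
        if host == "+" or user == "+":
            findings.append((lineno, host, user, "wildcard"))
        elif host.startswith("#") or host.startswith('"#'):
            # Intended as a comment, but would be read as a host/user pair.
            findings.append((lineno, host, user, "comment-parsed-as-entry"))
        elif not valid_hostname(host):
            findings.append((lineno, host, user, "invalid-hostname"))
    return findings


# Constructed sample: the Ultrix header quoted in the thread plus two made-up lines.
SAMPLE = """# @(#).rhosts 8.1 Ultrix 9/18/92
trusted.example.edu operator
+ +
"""

if __name__ == "__main__":
    for finding in audit_rhosts(SAMPLE):
        print(finding)
```

A line reported as comment-parsed-as-entry is only matchable if a resolver returns a name beginning with "#", which valid_hostname() rejects; removing such header lines from /.rhosts avoids depending on that.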