Bugtraq mailing list archives

Insta-root via bsd-ish rlogind (Re: Security hole in AIX rlogin)


From: Richard.Johnson () colorado edu (Richard Johnson)
Date: Sat, 21 May 1994 13:59:52 -0600


IBM's emergency patch for the rlogin <host> -l -f... password check
disable problem is available as:

ftp://software.watson.ibm.com/pub/rlogin/rlogin.tar.Z

Note that this hole is supposedly present in many bsd-ish systems.  My
HP/UX (9.0) and SunOS (4.1.{2|3} & 5.3) systems are OK, but my hp-bsd
systems appear to allow a -f.  Your mileage may vary.

Here's the first part of IBM's readme:

 APAR IX44254 -- rlogin security hole

 This document describes how to apply the emergency patch for APAR
 IX44254.  This emergency patch is not the permanent solution to this
 problem, it merely provides a means to restore rlogin functionality
 in a more secure manner.

 ...


Richard


