Bugtraq mailing list archives
Re: AIX rlogind
From: peter () gecko dialix oz au (Peter Wemm)
Date: Mon, 23 May 1994 10:20:05 +0800 (WST)
Kevin Johnson writes:
:
:> It seems that just about every system that has installed the "shadow"
:> password suite (the free version from John F. Haugh II. It was posted
:> on comp.sources.unix from memory.) is vulnerable with this.
:
:Hmmm... I can't seem to reproduce it with Haugh's shadow passwd package.
:
:The arg processing in lmain.c uses getopt.
:Is it a bug in some implementations of getopt? Or are you testing an
:older version of the package than I have source code for (it appears to
:be 3.3)?

The problem is this:

........
                case 'f':
                        fflg++;
                        preauth_flag++;
                        STRFCPY (name, optarg);
                        break;
........
        /*
         * Allow authentication bypass only if real UID is zero.
         */

        if ((rflg || fflg) && getuid () != 0) {
                fprintf(stderr, "%s: permission denied\n", Prog);
                exit (1);
        }
........

This is from shadow-3.3.1. As you can see, the only protection on the
-f flag is that the real uid is required to be zero already.

The only problem is that rlogind, telnetd and getty run login as ruid/euid
root. So, if any of these programs (or any others on the system...) allow
the -froot to get through... kerblam!

Our shadow-3.3.1 was *definitely* vulnerable! (nothing on our system was
using -f, so we nuked it)

-Peter
--
Peter Wemm <peter () DIALix oz au> - NIC Handle: PW65 - The keeper of "NN"
"My computer is better than your computer" - Anonymous
(Overheard, shortly after the creation of the second computer....)
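Added example (not part of the message above and not code from the shadow package or any rlogind/telnetd): one way a root-run daemon could keep a remote name such as -froot from reaching login as an option. The helper names, the 32-character limit and the allowed character set are assumptions, and the "--" separator relies on login parsing its arguments with getopt, as the quoted text says lmain.c does.

```c
/* Added example: daemon-side guard for the name handed to login.
 * safe_login_name() and build_login_argv() are hypothetical helpers. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_NAME 32  /* assumed limit for this sketch */

/* Return 1 only for names that getopt cannot mistake for an option. */
int safe_login_name(const char *name)
{
    size_t i, len;

    if (name == NULL)
        return 0;
    len = strlen(name);
    if (len == 0 || len > MAX_NAME)
        return 0;
    if (name[0] == '-')          /* "-froot" would parse as -f root */
        return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!isalnum(c) && c != '_' && c != '.' && c != '-')
            return 0;
    }
    return 1;
}

/* Fill argv for exec of login; returns argc, or -1 if the name is refused.
 * "--" ends getopt option parsing, so the name is always an operand. */
int build_login_argv(const char *remote_name, const char *argv[], int max)
{
    if (max < 4 || !safe_login_name(remote_name))
        return -1;
    argv[0] = "login";
    argv[1] = "--";
    argv[2] = remote_name;
    argv[3] = NULL;
    return 3;
}

int main(void)
{
    /* Constructed sample names, as a network daemon might receive them. */
    const char *samples[] = { "peter", "-froot", "", "a b" };
    const char *argv[4];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("[%s] -> %s\n", samples[i],
               build_login_argv(samples[i], argv, 4) < 0 ? "refused" : "ok");
    return 0;
}
```

The guard belongs in the caller because, as the message notes, login's own getuid() test always passes when the caller is already root.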