Bugtraq mailing list archives

Re: AIX rlogind


From: peter () gecko dialix oz au (Peter Wemm)
Date: Mon, 23 May 1994 10:20:05 +0800 (WST)


Kevin Johnson writes:
:
:> It seems that just about every system that has installed the "shadow"
:> password suite (the free version from John F. Haugh II. It was posted
:> on comp.sources.unix from memory.) is vulnerable with this.
:
:Hmmm... I can't seem to reproduce it with Haugh's shadow passwd package.
:
:The arg processing in lmain.c uses getopt.
:Is it a bug in some implementations of getopt?  Or are you testing an
:older version of the package than I have source code for (it appears to
:be 3.3)?

The problem is this:
........
                        case 'f':
                                fflg++;
                                preauth_flag++;
                                STRFCPY (name, optarg);
                                break;
........

        /*
         * Allow authentication bypass only if real UID is zero.
         */

        if ((rflg || fflg) && getuid () != 0) {
                fprintf(stderr, "%s: permission denied\n", Prog);
                exit (1);
        }
........

This is from shadow-3.3.1.  As you can see, the only protection on the
-f flag, is that the real uid is required to be zero already.  The
only problem is that rlogind, telnetd and getty run login as ruid/euid
root.  So, if any of these programs (or any others on the system...)
allow the -froot to get through...  kerblam!

Our shadow-3.3.1 was *definitely* vulnerable!
(nothing on our system was using -f, so we nuked it)

-Peter

-- 
Peter Wemm <peter () DIALix oz au> - NIC Handle: PW65 - The keeper of "NN"
      "My computer is better than your computer" - Anonymous
  (Overheard, shortly after the creation of the second computer....)


