rlogin(1) security bug in ISC UNIX
Conor P. Cahill
cpcahil at virtech.uucp
Tue Mar 19 11:40:00 AEST 1991
There exists a bug in the rlogin daemon on ISC UNIX 2.2 which under
certain conditions will allow a non-privileged user to become root.
Before I go into details, the workaround is as follows:

    1. don't put other hosts in /etc/hosts.equiv (i.e. don't trust
       other systems).

    or

    2. ensure that every login in the /etc/passwd file has a valid
       existing login directory.  This *should* be on the local HD and
       not an NFS partition, because if the NFS server goes down it
       may appear that the user doesn't have a login directory.

Anyway, the problem is that if rlogin believes that the password is
not necessary for a user to log in and the login directory for the user
does not exist, the user will be refused the login, but will be given
an opportunity to specify another login name.  The bug is that since
rlogin decided no password was needed for the first attempt, it merrily
decides that no password is needed for the second attempt, no matter
what the login is (including root).

To reproduce:

    1. create user account jerry on system 1 with valid login directory
    2. create user account jerry on system 2 with a login directory that
       doesn't exist
    3. place system 1 into system 2's /etc/hosts.equiv file
    4. log in on system 1 as jerry
    5. rlogin to system 2.  You will get the following message:

           Unable to change directory to "/login/directory"
           login:

    6. At this prompt, enter root and have fun.

We found this when we ran rlogin to a system that had the NFS partition
unmounted and therefore the user (me in this case) got that message.  I
then wanted to log in as root so that I could change the location of the
login directory and was fairly surprised when I obtained root access without
being asked for a password.

ISC has been notified of the problem and has assigned a bug tracking number
so it will probably be fixed in a future release. Since there are simple
work-arounds, I wouldn't expect a special patch.
--
Conor P. Cahill (703)430-9247 Virtual Technologies, Inc.
uunet!virtech!cpcahil 46030 Manekin Plaza, Suite 160
Sterling, VA 22170
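
A check for the two workarounds in the post, as an added example that is not part of the original message: it lists logins whose login directory is missing and reports whether /etc/hosts.equiv trusts any host. The function names are hypothetical, and treating `#` lines as comments in both files is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post). File paths are parameters so
# the audit can run against copies; defaults are the standard locations.
# Usage: audit_rlogin_exposure /etc/passwd /etc/hosts.equiv

# Print "login:home" for every passwd entry whose login directory is empty
# or does not exist. Returns 1 if any were found, 0 otherwise.
missing_homes() {
    passwd_file=${1:-/etc/passwd}
    found=0
    # "|| [ -n ... ]" also processes a final line that lacks a newline.
    while IFS=: read -r name _pw _uid _gid _gecos home _shell || [ -n "$name" ]; do
        case $name in ''|'#'*) continue ;; esac    # skip blank/comment lines
        if [ -z "$home" ] || [ ! -d "$home" ]; then
            printf '%s:%s\n' "$name" "${home:-<empty>}"
            found=1
        fi
    done < "$passwd_file"
    return $found
}

# Print the hosts.equiv lines that name a trusted host (non-blank,
# non-comment). Returns 1 if any exist, 0 if the file is absent or empty.
trusted_hosts() {
    equiv_file=${1:-/etc/hosts.equiv}
    [ -f "$equiv_file" ] || return 0
    entries=$(sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$equiv_file")
    if [ -z "$entries" ]; then return 0; fi
    printf '%s\n' "$entries"
    return 1
}

# Returns 2 when both preconditions from the post hold (a trusted host and a
# login with no login directory), 0 otherwise.
audit_rlogin_exposure() {
    bad=$(missing_homes "${1:-/etc/passwd}") || true
    trust=$(trusted_hosts "${2:-/etc/hosts.equiv}") || true
    if [ -n "$bad" ] && [ -n "$trust" ]; then
        echo "EXPOSED: hosts.equiv trusts other hosts and these logins have no login directory:"
        echo "$bad"
        return 2
    fi
    [ -n "$bad" ] && echo "WARN: logins without a login directory: $bad"
    return 0
}
```

The result is a point-in-time answer: a login directory on an NFS partition passes while the server is up and fails when it is down, which is the case the post warns about.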