jkp@sauna.hut.fi (Jyrki Kuoppala) (06/13/89)
I reported this problem to hotline@sun.com on May 21, but as they haven't responded I'm reporting this to Sun-Spots. If somebody knows a better address at Sun to report security bugs, please let me know.

There's a security problem associated with the 'rwall' command (actually the /usr/etc/rpc.rwalld program) in SunOS (at least up till 4.0.1, later ones I haven't seen). By the combination of the following facts anyone in the same tcp/ip network (meaning the whole Internet on most University computer installations) can easily get root access on a Sun which is configured like the distribution version:

- rpc.rwalld is run as root
- rwalld doesn't check if the terminal the user is on actually is a terminal
- /etc/utmp is world-writable
- tftp is enabled by default

If tftp is disabled or configured to do chroot, it isn't as easy to get to the machine from outside. This doesn't cure the real problem, though. All of the above four things should be fixed to make the system acceptable.

Repeat-by:

[I took this section out - vrd]

On some systems (at least 386i SunOS 4.0.1) the method doesn't seem to work if the file /.rhosts doesn't exist. However, you can still write to any existing file, so the existence of /.rhosts is not relevant; it's possible to figure out some other file to write to.

Fix:

- run rwalld as the user nobody (edit /etc/inetd.conf) or disable it if you don't think you need it.
- write protect /etc/utmp

At least one of these needs to be done.

//Jyrki

Jyrki Kuoppala    Helsinki University of Technology, Finland.
Internet : jkp@cs.hut.fi [128.214.3.119]
BITNET : jkp@fingate.bitnet
Gravity is a myth, the Earth sucks!
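The following audit script is an added example, not part of the original post: it checks a host's files for the conditions the post lists (rpc.rwalld running as root, tftp enabled, a world-writable utmp). The function names, the `in.tftpd` server name and the sample `inetd.conf` column layout are assumptions made for the example.

```shell
#!/bin/sh
# Added audit sketch (not from the original post). Paths are parameters so the
# checks can be run against copies of the files as well as the live system.

# Print the user column of every enabled inetd.conf entry whose server
# program (column 6) has the given basename.
inetd_user() {  # usage: inetd_user CONF PROGRAM
    awk -v prog="$2" '
        /^[ \t]*#/ { next }               # commented-out entry = disabled
        NF >= 6 { n = split($6, p, "/"); if (p[n] == prog) print $5 }
    ' "$1"
}

# Succeed if the file has the world-write permission bit set.
world_writable() {
    [ -n "$(find "$1" -prune -perm -0002 -print 2>/dev/null)" ]
}

# Print one finding per line; return 1 if there was any finding.
audit() {  # usage: audit INETD_CONF UTMP
    rc=0
    for u in $(inetd_user "$1" rpc.rwalld); do
        if [ "$u" = root ]; then echo "rpc.rwalld runs as root"; rc=1; fi
    done
    if [ -n "$(inetd_user "$1" in.tftpd)" ]; then
        echo "tftp is enabled"; rc=1
    fi
    if world_writable "$2"; then echo "utmp is world-writable"; rc=1; fi
    return "$rc"
}

# Constructed sample files; the column layout (service, type, protocol,
# wait, user, server, args) is assumed, not quoted from the post.
write_sample() {  # usage: write_sample DIR
    cat > "$1/inetd.conf" <<'EOF'
tftp     dgram  udp      wait  root  /usr/etc/in.tftpd    in.tftpd
walld/1  dgram  rpc/udp  wait  root  /usr/etc/rpc.rwalld  rpc.rwalld
EOF
    : > "$1/utmp" && chmod 666 "$1/utmp"
}

# Demo on the constructed sample: prints all three findings.
d=$(mktemp -d) && write_sample "$d"
audit "$d/inetd.conf" "$d/utmp" || true
rm -rf "$d"
```

On a real host, `audit /etc/inetd.conf /etc/utmp` runs the same checks against the live files.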