cpcahil@virtech.uucp (Conor P. Cahill) (03/19/91)
There exists a bug in the rlogin daemon on ISC UNIX 2.2 which under certain conditions will allow a non-privileged user to become root.

Before I go into details, the workaround is as follows:

1. don't put other hosts in /etc/hosts.equiv (i.e. don't trust other systems).

or

2. ensure that every login in the /etc/passwd file has a valid existing login directory. This *should* be on the local HD and not an NFS partition, because if the NFS server goes down it may appear that the user doesn't have a login directory.

Anyway, the problem is that if rlogin believes that the password is not necessary for a user to login and the login directory for the user does not exist, the user will be refused the login, but will be given an opportunity to specify another login name. The bug is that since rlogin decided no password was needed for the first attempt, it merrily decides that no password is needed for the second attempt, no matter what the login is (including root).

To reproduce:

1. create user account jerry on system 1 with valid login directory
2. create user account jerry on system 2 with a login directory that doesn't exist
3. place system 1 into system 2's /etc/hosts.equiv file
4. login on system 1 as jerry
5. rlogin to system 2. (you will get the following message:)

       Unable to change directory to "/login/directory"
       login:

6. At this prompt, enter root and have fun.

We found this when we ran rlogin to a system that had the NFS partition unmounted and therefore the user (me in this case) got that message. I then wanted to login as root so that I could change the location of the login directory and was fairly surprised when I obtained root access without being asked for a password.

ISC has been notified of the problem and has assigned a bug tracking number so it will probably be fixed in a future release. Since there are simple workarounds, I wouldn't expect a special patch.

--
Conor P. Cahill (703)430-9247 Virtual Technologies, Inc.
uunet!virtech!cpcahil 46030 Manekin Plaza, Suite 160 Sterling, VA 22170
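An audit for the two conditions named in the workaround list of the post above, as an added example that is not part of the original thread. The function names and the sample passwd and hosts.equiv contents are constructed for illustration, and treating `#` as a comment marker in hosts.equiv is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread. Sample data in demo() is constructed.

# Print "login:home" for every passwd entry whose login directory is missing.
# A home on an unmounted NFS partition is reported too, as the post warns.
missing_homes() {
    while IFS=: read -r login _pw _uid _gid _gecos home _shell || [ -n "$login" ]; do
        case $login in ''|'#'*) continue ;; esac
        [ -d "$home" ] || printf '%s:%s\n' "$login" "$home"
    done < "$1"
}

# Print the entries of a hosts.equiv file (assumption: '#' starts a comment).
trusted_hosts() {
    [ -f "$1" ] || return 0
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1"
}

# Classify a host: the bug needs host trust AND an account with no login directory.
rlogin_exposure() {
    miss=$(missing_homes "$1")
    trust=$(trusted_hosts "$2")
    if [ -n "$miss" ] && [ -n "$trust" ]; then echo EXPOSED
    elif [ -n "$miss" ]; then echo MISSING_HOME_ONLY
    elif [ -n "$trust" ]; then echo TRUST_ONLY
    else echo OK
    fi
}

# Constructed demo: alice has a login directory, jerry does not, system1 is trusted.
demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/home/alice"
    printf '%s\n' "alice:x:101:100::$d/home/alice:/bin/sh" \
                  "jerry:x:102:100::$d/home/jerry:/bin/sh" > "$d/passwd"
    printf '%s\n' '# constructed sample' 'system1' > "$d/hosts.equiv"
    missing_homes "$d/passwd"
    rlogin_exposure "$d/passwd" "$d/hosts.equiv"
    rm -rf "$d"
}
demo
```

On a real host, call `rlogin_exposure /etc/passwd /etc/hosts.equiv` and review every line `missing_homes /etc/passwd` prints.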
mckim@mildred.lerc.nasa.gov (Jim McKim) (03/19/91)
In article <1991Mar19.014000.7582@virtech.uucp> cpcahil@virtech.uucp (Conor P. Cahill) writes:
>There exists a bug in the rlogin daemon on ISC UNIX 2.2 which under
>certain conditions will allow a non-privileged user to become root.

Our unix (not ISC, not 2.2) also has the bug. Might be worth checking into regardless of your version.

--
---------------- Jim McKim / Internet: mckim@mildred.lerc.nasa.gov "" - Phone: +1 216 891 2977 / Packet: kb8dcr@kb8dcr.ampr.org Needermeyer ----------------
peter@ficc.ferranti.com (Peter da Silva) (03/21/91)
In article <1991Mar19.014000.7582@virtech.uucp> cpcahil@virtech.uucp (Conor P. Cahill) writes:
> There exists a bug in the rlogin daemon on ISC UNIX 2.2 which under
> certain conditions will allow a non-privileged user to become root.

We had the same problem in Intel V.3.2u. It doesn't exist in the latest Intel. Yet another reason to dread getting kicked over to ISC.

--
Peter da Silva. `-_-' peter@ferranti.com +1 713 274 5180. 'U` "Have you hugged your wolf today?"