Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!uunet!maverick.ksu.ksu.edu!unmvax!nmt.edu!schlake
From: schlake@nmt.edu (William Colburn)
Newsgroups: comp.unix.wizards
Subject: Re: Old rlogin bug
Message-ID: <1990Jul25.005534.14389@nmt.edu>
Date: 25 Jul 90 00:55:34 GMT
References: <23959@adm.BRL.MIL>
Organization: New Mexico Institute of Mining and Technology
Lines: 25

In article <23959@adm.BRL.MIL> bull@itd.nrl.navy.mil writes:
>
>In November of 1988 a flaw was described in the unix-wizards bulletin
>board dealing with the rlogin program. It seems that in some unix systems it
>was possible for a user to gain superuser access to the system by giving
>the command "rlogin host-name -l ''". We have not been able to determine
>the specific flaw that permitted this security breach, and we would
>appreciate any information readers of this message can provide on this point.
>

Well, a friend of mine here was rlogging into a SUN 3/50 from a terminal
server. He got the login prompt, and then decided not to log in to that
particular machine, so hit cntl-C cntl-D (or the reverse, I don't remember).
Rather than terminating the connection, he got a prompt. `whoami` returned
"root".

The real root found no login records, no `lastcomm` records, no nothing.
The problem only existed on that single sun machine, from the specific
terminal server. They deleted the 'yp' (copyright? phfffbbbt!) entry and
the problem went away.

Schlake
Sys-admin
Nethack player and a lousy speller.