Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!sdd.hp.com!uakari.primate.wisc.edu!aplcen!haven!adm!smoke!gwyn
From: gwyn@smoke.BRL.MIL (Doug Gwyn)
Newsgroups: comp.unix.wizards
Subject: Re: Old rlogin bug
Message-ID: <13409@smoke.BRL.MIL>
Date: 25 Jul 90 19:15:57 GMT
References: <23959@adm.BRL.MIL>
Organization: U.S. Army Ballistic Research Laboratory, APG, MD.
Lines: 14

In article <23959@adm.BRL.MIL> bull@itd.nrl.navy.mil writes:
>In November of 1988 a flaw was described in the unix-wizards bulletin
>board dealing with the rlogin program. It seems that in some unix systems it
>was possible for a user to gain superuser access to the system by giving
>the command "rlogin host-name -l ''". We have not been able to determine
>the specific flaw that permitted this security breach, and we would
>appreciate any information readers of this message can provide on this point.

This is not a flaw in "rlogin"/rlogind as such, but rather a reflection
of the fact that many BSD-based systems would create an /etc/passwd entry
::0:0::: when updating passwords, etc., if there happened to be an
incorrectly-formatted entry in the file. The actual bug was in a library
function, and has been fixed in UNIX System V implementations for many
years now.
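The root cause Gwyn describes is a password-file maintenance routine that, on encountering a malformed line, wrote back an entry with an empty user name, an empty password field and UID 0 (`::0:0:::`). An administrator's check for that condition is a passwd-file audit that flags malformed lines and any entry with an empty name, an empty password field, or a second UID 0 besides root. The following auditor is an added example written for this page, not code from the post or from any BSD or System V source; the sample password file it scans is constructed inline and the `audit_passwd` function name is the example's own.

```python
"""
Audit an /etc/passwd-style file for the class of problem the post describes:
malformed lines (wrong field count) and entries that amount to "::0:0:::",
i.e. an empty user name and/or empty password field combined with UID 0.
"""
import sys

PASSWD_FIELDS = 7  # name:passwd:uid:gid:gecos:home:shell

# Constructed sample input (not a real system's file). Line 4 is the
# ::0:0::: entry from the post; line 5 is a truncated, malformed line of
# the kind that could trigger the library bug in the first place.
SAMPLE_PASSWD = """root:x:0:0:root:/:/bin/sh
daemon:*:1:1::/:
bull:x:101:20:Bull:/u/bull:/bin/csh
::0:0:::
broken:x:102:20
"""


def audit_passwd(text):
    """Return a list of (line_number, kind, detail) findings for the given
    passwd-file contents. An empty list means nothing suspicious was found."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue  # blank lines are ignored by most passwd parsers
        fields = raw.split(":")
        if len(fields) != PASSWD_FIELDS:
            # A line with the wrong number of fields is exactly the trigger
            # condition described in the post; report it and move on.
            findings.append((lineno, "malformed",
                             f"{len(fields)} fields, expected {PASSWD_FIELDS}"))
            continue
        name, passwd, uid, gid, gecos, home, shell = fields
        label = name or "<empty name>"
        if name == "":
            findings.append((lineno, "empty-username", raw))
        if passwd == "":
            # Empty password field: login with no password at all.
            findings.append((lineno, "empty-password", label))
        try:
            uid_num = int(uid)
        except ValueError:
            findings.append((lineno, "non-numeric-uid", uid))
            continue
        if uid_num == 0 and name != "root":
            # Any UID 0 account other than root deserves a human look.
            findings.append((lineno, "extra-uid0", label))
    return findings


def main(argv):
    # Usage: python audit_passwd.py [/path/to/passwd]; defaults to the sample.
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_PASSWD
    for lineno, kind, detail in audit_passwd(text):
        print(f"line {lineno}: {kind}: {detail}")


if __name__ == "__main__":
    main(sys.argv)
```

On the constructed sample the auditor reports three findings for line 4 (empty user name, empty password, extra UID 0) and one malformed-line finding for line 5; root itself is not flagged. Running it against a real file after any tool that rewrites /etc/passwd would have caught the entry the original poster was asking about.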