Xref: utzoo comp.unix.wizards:23086 alt.security:1196
Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!yale!mintaka!gnu!dzenc
From: dzenc@gnu.ai.mit.edu (Dan Zenchelsky)
Newsgroups: comp.unix.wizards,alt.security
Subject: Re: Old rlogin bug
Message-ID: <1990Jul26.023647.13918@mintaka.lcs.mit.edu>
Date: 26 Jul 90 02:36:47 GMT
References: <23959@adm.BRL.MIL> <13409@smoke.BRL.MIL>
Sender: daemon@mintaka.lcs.mit.edu (Lucifer Maleficius)
Organization: MIT Laboratory for Computer Science
Lines: 24

In article djm@eng.umd.edu (David J. MacKenzie) writes:
>
>So I login to a host and run this like so:
>exec "login -r localhost"
>and stick this on logins stdin: "root\0root\0sun/9600"
>
>And I get a root shell.  They took this auth code out of login in 4.3T
>and make rlogind do it.

Except that all of the logins I've seen make sure getuid()==0 before allowing
this to happen.  So, the only way to do this is to already be root.

>--
>David J. MacKenzie

-Dan
--
Dan Zenchelsky
dzenc@gnu.ai.mit.edu

"Any sufficiently advanced bug is indistinguishable from a feature."
-- Rich Kulawiec
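
The getuid()==0 gate mentioned in the reply above, sketched in C as an added example; it is not part of the original post and is not taken from any BSD login source. The names `accept_rlogin_request`, `rl_request` and `FIELD_MAX` are hypothetical, and the input layout (three NUL-terminated fields) is assumed from the quoted string.

```c
#include <stddef.h>
#include <string.h>
#include <sys/types.h>

#define FIELD_MAX 64  /* assumed bound; not taken from any real login source */

struct rl_request {            /* hypothetical structure for this example */
    char remote_user[FIELD_MAX];
    char local_user[FIELD_MAX];
    char term[FIELD_MAX];      /* "type/speed", e.g. "sun/9600" */
};

/* Copy one NUL-terminated field out of buf; return bytes consumed, 0 on error. */
static size_t take_field(const char *buf, size_t len, char *dst)
{
    const char *nul = memchr(buf, '\0', len);
    size_t n;

    if (nul == NULL) return 0;               /* field not terminated in buffer */
    n = (size_t)(nul - buf);
    if (n == 0 || n >= FIELD_MAX) return 0;  /* empty or over-long field */
    memcpy(dst, buf, n + 1);                 /* include the terminator */
    return n + 1;
}

/*
 * Gate for a "-r"-style request whose user names arrive on stdin.
 * real_uid is the value getuid() returned in the process asked to honor -r.
 * Returns 0 if the request is accepted, -1 if it is refused.
 */
int accept_rlogin_request(uid_t real_uid, const char *buf, size_t len,
                          struct rl_request *out)
{
    char *dst[3];
    size_t off = 0, used;
    int i;

    /* The getuid()==0 check: only a caller that is already root (rlogind)
       may supply pre-authenticated user names. Checked before any parsing. */
    if (real_uid != 0) return -1;

    dst[0] = out->remote_user; dst[1] = out->local_user; dst[2] = out->term;
    for (i = 0; i < 3; i++) {
        used = take_field(buf + off, len - off, dst[i]);
        if (used == 0) return -1;
        off += used;
    }
    return 0;
}
```

In a real login the first argument would come from `getuid()`; it is a parameter here so both the privileged and unprivileged cases can be exercised without running as root.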