Bugtraq archives for 2nd quarter (Apr-Jun) 1994: Re: AIX rlogind

Re: AIX rlogind

Casper Dik (casperfwi.uva.nl)
Sun, 22 May 94 19:38:03 +0200

>> It seems that just about every system that has installed the "shadow"
>> password suite (the free version from John F. Haugh II. It was posted
>> on comp.sources.unix from memory.) is vulnerable with this.
>
>Hmmm... I can't seem to reproduce it with Haugh's shadow passwd package.
>
>The arg processing in lmain.c uses getopt.
>Is it a bug in some implementations of getopt?  Or are you testing an
>older version of the package than I have source code for (it appears to
>be 3.3)?

AIX login also uses getopt and both AIX and shadow use "f:" in the opt
string.  This f: is exactly the problem.  Rlogind will allow you to
pass one argument you get to choose.  Both appear to have the same
person involved (JF Haugh II).

If login uses getopt with -f:, it will interpret an argument like -fuser
the same as -f user, which is what causes the problem on AIX and
it appears that the same problem exists in shadow 3.3.1.

BSD versions of login either don't use getopt but require the options
separated by spaces (i.e., -pf fails, but -p -f is ok) or they
use getopt but the -f option doesn't accept an argument.

I have no idea whether shadow 3.3.x really has this problem,
because I don't run it here.

Casper