Re: AIX rlogind
Casper Dik (casper fwi.uva.nl)
Sun, 22 May 94 19:38:03 +0200
- Next message: matthew green: "various rlogind stuff, plus new telnetd stuff (was Re: AIX rlogind)"
- Previous message: Kevin Johnson: "Re: AIX rlogind"
- In reply to: Kevin Johnson: "Re: AIX rlogind"
- Next in thread: Kevin Johnson: "Re: AIX rlogind"
>> It seems that just about every system that has installed the "shadow"
>> password suite (the free version from John F. Haugh II.  It was posted
>> on comp.sources.unix from memory.) is vulnerable with this.
>
>Hmmm... I can't seem to reproduce it with Haugh's shadow passwd package.
>
>The arg processing in lmain.c uses getopt.
>Is it a bug in some implementations of getopt?  Or are you testing an
>older version of the package than I have source code for (it appears to
>be 3.3)?

AIX login also uses getopt and both AIX and shadow use "f:" in the
opt string.  This f: is exactly the problem.  Rlogind will allow
you to pass one argument you get to choose.

Both appear to have the same person involved (JF Haugh II).

If login uses getopt with -f:, it will interpret an argument like
-fuser the same as -f user, which is what causes the problem on AIX
and it appears that the same problem exists in shadow 3.3.1.

BSD versions of login either don't use getopt but require the
options separated by spaces (i.e., -pf fails, but -p -f is ok) or
they use getopt but the -f option doesn't accept an argument.

I have no idea whether shadow 3.3.x really has this problem, because
I don't run it here.

Casper