Re: AIX rlogind

casperfwi.uva.nl

• Messages sorted by: [ date ][ thread ][ subject ][ author ]
• Next message: Jim Thompson: "Re: AIX rlogind"
• Previous message: Mark Fullmer: "AIX Fix"
• In reply to: Kevin Johnson: "Re: AIX rlogind"
• Next in thread: Peter Wemm: "Re: AIX rlogind"

>The rlogind on my machine (a Motorola r32 box) using the shadow 3.3.x
>package does not exhibit the bug.  I'm wondering if it's a composite
>bug between certain implementations of rlogind and login.  I am of the
>opinion that this is an important point to resolve due to the variety
>of alternative implementations of rlogind and login out there...
>
>bugtraqers,
>
>Has anyone checked to see if Wietse Venema's rlogind in his logdaemon
>package exhibits the same behavior with shadow 3.3.x login?


If Wietse's logdaemon is compiled with OLD_LOGIN (the default
if you don't define NEW_LOGIN), you can use it with shadow's
/bin/login.  In that case the username argument is not passed
on the commandline, instead it is read from stdin by login.

So it depends on your rlogin daemon: if the rlogin daemon does
the protocol bit of the rlogin protocol, you might be vulnerable
as it needs to call a login that understands the -f option and
it needs to pass the username on the command line.
If your login program does the rlogin protocol, you're
not vulnerable.  Some trick with a funny hostname spring to
mind, but the hostname is always preceded with a -h so
it is never interpreted other than a character string that
is a hostname.

Casper

• Next message: Jim Thompson: "Re: AIX rlogind"
• Previous message: Mark Fullmer: "AIX Fix"
• In reply to: Kevin Johnson: "Re: AIX rlogind"
• Next in thread: Peter Wemm: "Re: AIX rlogind"