Bugtraq archives for 2nd quarter (Apr-Jun) 1994: Re: AIX rlogind

Re: AIX rlogind

Peter Wemm (peter@gecko.dialix.oz.au)
Mon, 23 May 1994 10:20:05 +0800 (WST)

Kevin Johnson writes:
:> It seems that just about every system that has installed the "shadow"
:> password suite (the free version from John F. Haugh II. It was posted
:> on comp.sources.unix from memory.) is vulnerable with this.
:Hmmm... I can't seem to reproduce it with Haugh's shadow passwd package.
:The arg processing in lmain.c uses getopt.
:Is it a bug in some implementations of getopt?  Or are you testing an
:older version of the package than I have source code for (it appears to
:be 3.3)?

The problem is this:
			case 'f':
				STRFCPY (name, optarg);

	/*
	 * Allow authentication bypass only if real UID is zero.
	 */

	if ((rflg || fflg) && getuid () != 0) {
		fprintf(stderr, "%s: permission denied\n", Prog);
		exit (1);
	}

This is from shadow-3.3.1.  As you can see, the only protection on the
-f flag is that the real uid is required to be zero already.  The
only problem is that rlogind, telnetd and getty run login as ruid/euid
root.  So, if any of these programs (or any others on the system...)
allow the -froot to get through...  kerblam!

Our shadow-3.3.1 was *definitely* vulnerable!
(nothing on our system was using -f, so we nuked it)


Peter Wemm <peter@DIALix.oz.au> - NIC Handle: PW65 - The keeper of "NN"
      "My computer is better than your computer" - Anonymous
  (Overheard, shortly after the creation of the second computer....)