Re: AIX rlogind

Peter Wemm (peter@gecko.dialix.oz.au)
Mon, 23 May 1994 10:20:05 +0800 (WST)

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Peter Wemm: "Re: AIX rlogind"
Previous message: Jim Thompson: "Re: AIX rlogind"
In reply to: Kevin Johnson: "Re: AIX rlogind"
Next in thread: Jim Thompson: "Re: AIX rlogind"

Kevin Johnson writes:
:
:> It seems that just about every system that has installed the "shadow"
:> password suite (the free version from John F. Haugh II. It was posted
:> on comp.sources.unix from memory.) is vulnerable with this.
:
:Hmmm... I can't seem to reproduce it with Haugh's shadow passwd package.
:
:The arg processing in lmain.c uses getopt.
:Is it a bug in some implementations of getopt?  Or are you testing an
:older version of the package than I have source code for (it appears to
:be 3.3)?

The problem is this:
........
			case 'f':
				fflg++;
				preauth_flag++;
				STRFCPY (name, optarg);
				break;
........

	/*
	 * Allow authentication bypass only if real UID is zero.
	 */

	if ((rflg || fflg) && getuid () != 0) {
		fprintf(stderr, "%s: permission denied\n", Prog);
		exit (1);
	}
........

This is from shadow-3.3.1.  As you can see, the only protection on the
-f flag, is that the real uid is required to be zero already.  The
only problem is that rlogind, telnetd and getty run login as ruid/euid
root.  So, if any of these programs (or any others on the system...)
allow the -froot to get through...  kerblam!

Our shadow-3.3.1 was *definately* vulnerable!
(nothing on our system was using -f, so we nuked it)

-Peter

-- 
Peter Wemm <peter@DIALix.oz.au> - NIC Handle: PW65 - The keeper of "NN"
      "My computer is better than your computer" - Anonymous
  (Overheard, shortly after the creation of the second computer....)

Next message: Peter Wemm: "Re: AIX rlogind"
Previous message: Jim Thompson: "Re: AIX rlogind"
In reply to: Kevin Johnson: "Re: AIX rlogind"
Next in thread: Jim Thompson: "Re: AIX rlogind"