Re: Fix for Linux/AIX login hole

• Messages sorted by: [ date ][ thread ][ subject ][ author ]
• Next message: der Mouse: "Re: AIX rlogind"
• Previous message: H Morrow Long: "Re: Fix for Linux/AIX login hole"
• In reply to: Doug Siebert: "Re: Fix for Linux/AIX login hole"
• Next in thread: Rens Troost: "Re: Fix for Linux/AIX login hole"

> 
> 
> 
> 
> That would be a very poor fix, as it would only keep out people using the
> hole to access 'root'.  rsh machine -l -fbin would still work, and if AIX is
> like most Unixes, getting access to bin, daemon, or one of the other system
> users leaves little work left to get root.  Plus you can login as any real
> user on the system, passwords are meaningless.
> 

I tried doing rlogin -l -fbin, -fdaemon, etc.  It only worked for accounts
that had their passwords set, such as root and regular accounts.  Since bin
and daemon had their passwords as * instead of a real password, I assume
login didnt check getty or something was diverting it from letting you gain
access.  So, its just a matter of fingering the aix machine to find other
accounts to log in as.  




-- 
Christopher William Klaus  <cklaus@shadow.net>  <iss@shadow.net>
Internet Security Systems, Inc.   
2209 Summit Place Drive,
Atlanta,GA 30350-2430. (404)998-5871.

• Next message: der Mouse: "Re: AIX rlogind"
• Previous message: H Morrow Long: "Re: Fix for Linux/AIX login hole"
• In reply to: Doug Siebert: "Re: Fix for Linux/AIX login hole"
• Next in thread: Rens Troost: "Re: Fix for Linux/AIX login hole"