>Someone over on the firewalls mailing list just threw out this tidbit:
>
>    rlogin aix.machine -l -froot
>
>For instance:
>
>    rlogin foobar -l -froot
>
>This gives you root access on any AIX 3.2.X machine.
>
>Does anyone have any history on this trapdoor? Apparently
>it also existed in Linux several generations ago.
>
>>>>>>>Ericw

This popped up some weeks ago. This rlogind bug has been around for a
long time; it's also in AIX 3.1.X. Here's IBM's statement:

-----------------------------------------------------------------
{URGENT - AIX SECURITY EXPOSURE}

May 20, 1994

IBM has just become aware of an AIX security exposure that makes it
possible to remote login to any AIX Version 3 system as the root user
without a password. As described below, a workaround is immediately
available which eliminates the security exposure by disabling remote
login.

An emergency fix is also available immediately to rectify the AIX
problem so that remote login can be enabled with no security exposure.

An APAR has been opened and an official PTF will be made available, in
approximately two weeks, for installed AIX systems and included in all
new AIX shipments.

IBM hopes its efforts to respond rapidly to this problem will allow
customers to eliminate this security exposure with minimal disruption.

{IMMEDIATE WORKAROUND:}

The recommended workaround is to disable rlogin in the /etc/inetd.conf
file using the following procedure:

1. As root, edit /etc/inetd.conf
2. Comment out the line 'login ... rlogin'
3. Run 'inetimp'
4. Run 'refresh -s inetd'

{EMERGENCY FIX:}

Emergency Fixes for the different levels of AIX affected by this
exposure will be available via anonymous ftp from
software.watson.ibm.com. The files will be located in /pub/rlogin in
compressed tar format.

{OFFICIAL FIX:}

The official fix for this problem can be ordered as Authorized Program
Analysis Report (APAR) IX44254.

To order an APAR from IBM in the U.S. call 1-800-237-5511 and ask for
shipment as soon as it is available.
APARs may be obtained outside the U.S. by contacting your local IBM
representative.

For questions regarding this information, please contact Frank Karner
(KARNER at AUSTIN; TL/793-5950; 512-823-5950).
-----------------------------------------------------------------

When I told one of our on-site IBM droids about this, he didn't believe
it. "No way, the government buys these machines because they're Class B
secure!" So I showed him...

I also saw an IBM spokesperson describe this in a trade publication as
requiring "a complex series of commands". Hell, it's easier than logging
in the usual way, with the password.

Mark Scheuern
Chrysler Corp.
"I don't speak for Chrysler"
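
Steps 1 and 2 of the workaround in IBM's statement, as an added example that is not part of the original message or of IBM's text: a check for an active 'login' entry in an inetd.conf-style file, and a filter that comments that entry out. The function names, the sample file and the rlogind path in it are constructed for illustration; on AIX, steps 3 and 4 of the statement ('inetimp', then 'refresh -s inetd') would follow.

```shell
#!/bin/sh
# Added example: audit an inetd.conf for an active rlogin ("login") service
# and emit a copy with that entry commented out (workaround steps 1-2).

# Exit 0 if FILE has an uncommented entry whose service name is "login".
rlogin_enabled() {
    awk '$1 == "login" { found = 1 } END { exit !found }' "$1"
}

# Print FILE to stdout with any active "login" entry commented out.
# Already-commented lines and all other services pass through unchanged.
disable_rlogin() {
    awk '$1 == "login" { print "#" $0; next } { print }' "$1"
}

# Constructed sample in the usual inetd.conf column layout (not a real host).
make_sample() {
    cat <<'EOF'
# service socket proto wait user server args
ftp     stream  tcp     nowait  root    /usr/sbin/ftpd      ftpd
login   stream  tcp     nowait  root    /usr/sbin/rlogind   rlogind
#shell  stream  tcp     nowait  root    /usr/sbin/rshd      rshd
EOF
}

# Check the sample, apply the filter, re-check.
# Returns 0 only if the entry was active before and is inactive after.
demo() {
    tmp=$(mktemp -d) || return 2
    make_sample > "$tmp/inetd.conf"
    rlogin_enabled "$tmp/inetd.conf" || { rm -rf "$tmp"; return 1; }
    disable_rlogin "$tmp/inetd.conf" > "$tmp/inetd.conf.new"
    if rlogin_enabled "$tmp/inetd.conf.new"; then rc=1; else rc=0; fi
    rm -rf "$tmp"
    return $rc
}

if demo; then
    echo "sample: login entry was active, now commented out"
fi
```

The filter writes to stdout rather than editing in place, so the result can be compared with the original file before it replaces /etc/inetd.conf.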