Bugtraq mailing list archives

login -h


From: jkb () mrc-lmb cam ac uk (Bonfield James)
Date: Wed, 7 Dec 94 10:18:32 WET


Hello,

Remember the "rlogin -l -froot" type bugs some time ago? At the time I
mentioned that "-l -hhostname" could also be used to spoof hostnames in the
wtmp files. This is still true. The reason I haven't posted again about this
earlier is that we've been having a couple of problems ourselves. Using the tcp
wrapper helps things, but it's only just been installed (despite the fact that
I've requested it numerous times).

A typical spoof would be:

rlogin targethost -l -htargethost

Then type in the user and password. It'll then appear to last, who and
probably finger, on targethost that the user has logged in from that system,
not from remotely.

This bug occurs on several systems, such as DEC OSF/1 V3.0 and Concentrix 2.1.
I have tried Solaris 2.3 and SunOS 4.1 which both appear to be safe from this
at first glance. (We haven't got a newer SunOS 4.x unfortunately! So I've done
no tests on 4.1.3U1.) I expect most other systems are safe too.

I can't see any obvious exploit of this problem unless there are other options
to login on some systems that could cause problems. I'm not sure where this -h
information is used in addition to logging. Probably for the .rhosts checks,
however as you cannot specify a legitimate user to login to this shouldn't
pose a problem.

Using tcp_wrappers means that we can log the information correctly and use
that in preference to the wtmp host information. Besides, the wtmp
information is often most unuseful when it is truncated to 16 characters.

        James

--
James Bonfield (jkb () mrc-lmb cam ac uk)   Tel: 0223 402266   Fax: 0223 412282
Medical Research Council - Laboratory of Molecular Biology,
Hills Road, Cambridge, CB2 2QH, England.
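The cross-check the post suggests, preferring the tcp_wrappers log over the wtmp host field, written out as an added Python example that is not part of the original post. The wtmp records (already decoded from the binary format) and the rlogind syslog lines are constructed; the 16-character host field and the 5-second pairing window are assumptions.

```python
import re
from collections import namedtuple
from datetime import datetime

# Constructed wtmp-style login records, already decoded from the binary wtmp
# format (real wtmp parsing is system-specific and omitted here). The host
# field is what login wrote, so a remote user's "-h" argument ends up here,
# and it is truncated to WTMP_HOST_LEN characters as the post notes.
WtmpRecord = namedtuple("WtmpRecord", "user tty host ts")
WTMP_HOST_LEN = 16  # assumed record size for this example

WTMP = [
    WtmpRecord("alice", "ttyp1", "remotebox.exampl", "Dec  7 10:01:13"),
    WtmpRecord("bob",   "ttyp2", "targethost",       "Dec  7 10:05:41"),  # spoofed
    WtmpRecord("carol", "ttyp3", "targethost",       "Dec  7 10:09:04"),
]

# Constructed tcp_wrappers syslog lines: the peer seen on the wire, which the
# remote user cannot influence with rlogin's "-h" option.
WRAPPER_LOG = """\
Dec  7 10:01:12 targethost rlogind[1234]: connect from remotebox.example.org
Dec  7 10:05:40 targethost rlogind[1250]: connect from workstation17.example.org
Dec  7 10:09:03 targethost rlogind[1271]: connect from targethost
"""

def parse_ts(s):
    # Syslog timestamps carry no year; ordering within one log is all we need.
    return datetime.strptime(s, "%b %d %H:%M:%S")

def parse_wrapper_log(text):
    """Return (datetime, peer) pairs from rlogind 'connect from' lines."""
    pat = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ rlogind\[\d+\]: connect from (\S+)$")
    return [(parse_ts(m.group(1)), m.group(2))
            for m in map(pat.match, text.splitlines()) if m]

def host_matches(wtmp_host, peer):
    """wtmp keeps only the first WTMP_HOST_LEN chars, so compare the prefix."""
    return peer[:WTMP_HOST_LEN] == wtmp_host

def find_spoofed(wtmp, connects, window=5):
    """Pair each wtmp login with the latest rlogind connect up to `window`
    seconds earlier; report (user, wtmp_host, wire_peer) where they differ,
    and wire_peer=None when no wrapper line explains the login at all."""
    findings = []
    for rec in wtmp:
        t = parse_ts(rec.ts)
        cands = [(ct, p) for ct, p in connects if 0 <= (t - ct).total_seconds() <= window]
        if not cands:
            findings.append((rec.user, rec.host, None))
        elif not host_matches(rec.host, max(cands)[1]):
            findings.append((rec.user, rec.host, max(cands)[1]))
    return findings
```

Run against the constructed data it flags only bob's entry, whose wtmp host claims the login came from targethost itself while the wrapper saw workstation17.example.org.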
