Bugtraq mailing list archives
login -h
From: jkb () mrc-lmb cam ac uk (Bonfield James)
Date: Wed, 7 Dec 94 10:18:32 WET
Hello, Remember the "rlogin -l -froot" type bugs some time ago? At the time I mentioned that "-l -hhostname" could also be used to spoof hostnames in the wtmp files. This is still true. The reason I haven't posted again about this earlier is that we've been having a couple problems ourselves. Using the tcp wrapper helps things, but it's only just been installed (despite the fact that I've requested it numerous times). A typical spoof would be: rlogin targethost -l -htargethost Then type in the user and password. It'll then appear to last, who and probably finger, on targethost that the user has logged in from that system, not from remotely. This bug occurs on several systems, such as DEC OSF/1 V3.0 and Concentrix 2.1. I have tried Solaris 2.3 and SunOS 4.1 which both appear to be safe from this at first glance. (We haven't got a newer SunOS 4.x unfortunately! So I've done no tests on 4.1.3U1.) I expect most other systems are safe too. I can't see any obvious exploit of this problem unless there are other options to login on some systems that could cause problems. I'm not sure where this -h information is used in addition to logging. Probably for the .rhosts checks, however as you cannot specify a legitimate user to login to this shouldn't pose a problem. Using tcp_wrappers means that we can log the information correctly and use that in preference to the wtmp host information. Besides, the wtmp information is often most unuseful when it is truncated to 16 characters. James -- James Bonfield (jkb () mrc-lmb cam ac uk) Tel: 0223 402266 Fax: 0223 412282 Medical Research Council - Laboratory of Molecular Biology, Hills Road, Cambridge, CB2 2QH, England.
Current thread:
- login -h Bonfield James (Dec 07)
- Re: login -h Alexander Haiut (Dec 08)
- <Possible follow-ups>
- Re: login -h Pete Hartman (Dec 07)
- Re: login -h Casper Dik (Dec 07)
- Re: login -h Ed Arnold (Dec 07)
- Re: login -h Bogdan Pelc (Dec 08)
- Re: login -h Adam Shostack (Dec 08)
- Re: login -h Bogdan Pelc (Dec 08)
- Re: login -h Michael Bresnahan (Dec 07)
- Re: login -h Robert M. Haas (Dec 08)
- Re: login -h H Morrow Long (Dec 08)
- Re: login -h der Mouse (Dec 08)