Bugtraq mailing list archives
Re: login -h
From: era () ucar edu (Ed Arnold)
Date: Wed, 7 Dec 94 10:54:40 MST
James Bonfield wrote:
A typical spoof would be: rlogin targethost -l -htargethost Then type in the user and password. It'll then appear to last, who and probably finger, on targethost that the user has logged in from that system, not from remotely. This bug occurs on several systems, such as DEC OSF/1 V3.0 and Concentrix 2.1. I have tried Solaris 2.3 and SunOS 4.1 which both appear to be safe from this at first glance. (We haven't got a newer SunOS 4.x unfortunately! So I've done no tests on 4.1.3U1.) I expect most other systems are safe too.
Both 4.1.3_U1 and AIX 3.2.5 appear to be safe ...
Current thread:
- login -h Bonfield James (Dec 07)
- Re: login -h Alexander Haiut (Dec 08)
- <Possible follow-ups>
- Re: login -h Pete Hartman (Dec 07)
- Re: login -h Casper Dik (Dec 07)
- Re: login -h Ed Arnold (Dec 07)
- Re: login -h Bogdan Pelc (Dec 08)
- Re: login -h Adam Shostack (Dec 08)
- Re: login -h Bogdan Pelc (Dec 08)
- Re: login -h Michael Bresnahan (Dec 07)
- Re: login -h Robert M. Haas (Dec 08)
- Re: login -h H Morrow Long (Dec 08)
- Re: login -h der Mouse (Dec 08)