Bugtraq mailing list archives

Re: -froot??? (AIX rlogin bug)

From: mgscheue () vela acs oakland edu (Mark G. Scheuern)
Date: Sat, 30 Jul 1994 07:52:22 -0400

Someone over on the firewalls mailing list just threw out this tidbit:

  rlogin aix.machine -l -froot

For instance:

  rlogin foobar -l -froot

This gives you root access on any AIX 3.2.X machine.

Does anyone have any history on this trapdoor?  Apparently
it also existed in Linux several generations ago.

Ericw


This popped up some weeks ago.  This rlogind bug has been around
for a long time;  it's also in AIX 3.1.X.  Here's IBM statement:

-----------------------------------------------------------------

 {URGENT - AIX SECURITY EXPOSURE}

 May 20, 1994

 IBM has just become aware of an AIX security exposure that
 makes it possible to remote login to any AIX Version 3
 system as the root user without a password.

 As described below, a workaround is immediately available
 which eliminates the security exposure by disabling remote
 login.  An emergency fix is also available immediately
 to rectify the AIX problem so that remote login can be
 enabled with no security exposure.

 An APAR has been opened and an official PTF will be
 made available, in approximately two weeks, for installed
 AIX systems and included in all new AIX shipments.

 IBM hopes its efforts to respond rapidly to this problem will
 allow customers to eliminate this security exposure with
 minimal disruption.

 {IMMEDIATE WORKAROUND:}

 The recommended workaround is to disable rlogin in the /etc/inetd.conf
 file using the following procedure:

             1. As root, edit /etc/inetd.conf
             2. Comment out the line 'login ... rlogin'
             3. Run 'inetimp'
             4. Run 'refresh -s inetd'

 {EMERGENCY FIX:}

 Emergency Fixes for the different levels of AIX affected by
 this exposure will be available via anonymous ftp from
 software.watson.ibm.com.  The files will be located
 in /pub/rlogin in compressed tar format.

 {OFFICIAL FIX:}

 The official fix for this problem can be ordered as
 Authorized Program Analysis Report (APAR) IX44254.
 To order an APAR from IBM in the U.S. call 1-800-237-5511
 and ask for shipment as soon as it is available.  APARs
 may be obtained outside the U.S. by contacting your local
 IBM representative.

 For questions regarding this information, please contact
 Frank Karner (KARNER at AUSTIN; TL/793-5950; 512-823-5950).


-----------------------------------------------------------------

When I told one of our on-site IBM droids about this, he didn't
believe it.  "No way, the goverment buys these machines because
they're Class B secure!"  So I showed him... .  I also saw an
IBM spokesperson describe this in a trade publication as requiring
"a complex series of commands".  Hell, it's easier than logging
in the usual way, with the password.

Mark Scheuern
Chrysler Corp.
"I don't speak for Chrysler"

Current thread:

Re: Bad Advise, (continued)
- - - Re: Bad Advise Philip Yzarn de Louraille (Jul 27)
    - Re: Bad Advise jim () Tadpole COM (Jul 26)
    - Re: Re: Bad Advise Pete Hartman (Jul 26)
    - Re: Bad Advise Evil Pete (Jul 26)
    - Re: Bad Advise David Lawrence Oppenheimer (Jul 26)
    - Re: Bad Advise Harold van Aalderen (Jul 26)
    - Re: Bad Advise Christopher Klaus (Jul 26)
    - Re: Bad Advise Timothy Newsham (Jul 27)
    - -froot??? (AIX rlogin bug) Eric Wedaa (Jul 29)
    - Re: -froot??? (AIX rlogin bug) Aaron Eppert (Jul 29)
    - Re: -froot??? (AIX rlogin bug) Mark G. Scheuern (Jul 30)
    - Re: -froot??? (AIX rlogin bug) Alexander Haiut (Jul 30)
    - Re: -froot??? (AIX rlogin bug) Baba Z Buehler (Jul 30)
    - Solaris problems? James W. Abendschan (Jul 29)
    - Re: Solaris problems? Steve Davis (Jul 30)
    - Re: Solaris problems? jsz (Jul 30)
    - Re: Solaris problems? Casper Dik (Jul 31)
  - Re: coredumps on setuid programs. Andrew Beckett (Jul 25)