Bugtraq mailing list archives

Re: AIX rlogind


From: casper () fwi uva nl (Casper Dik)
Date: Sun, 22 May 94 23:19:26 +0200


The rlogind on my machine (a Motorola r32 box) using the shadow 3.3.x
package does not exhibit the bug.  I'm wondering if it's a composite
bug between certain implementations of rlogind and login.  I am of the
opinion that this is an important point to resolve due to the variety
of alternative implementations of rlogind and login out there...

bugtraqers,

Has anyone checked to see if Wietse Venema's rlogind in his logdaemon
package exhibits the same behavior with shadow 3.3.x login?


If Wietse's logdaemon is compiled with OLD_LOGIN (the default
if you don't define NEW_LOGIN), you can use it with shadow's
/bin/login.  In that case the username argument is not passed
on the command line; instead it is read from stdin by login.

So it depends on your rlogin daemon: if the rlogin daemon does
the protocol bit of the rlogin protocol, you might be vulnerable
as it needs to call a login that understands the -f option and
it needs to pass the username on the command line.
If your login program does the rlogin protocol, you're
not vulnerable.  Some trick with a funny hostname springs to
mind, but the hostname is always preceded with a -h so
it is never interpreted as anything other than a character
string that is a hostname.

Casper
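
The distinction drawn in the message above, as an added example that is not part of the original post or of any rlogind/login source: a getopt-based parser treats the word after -h as that option's argument, while a bare operand is scanned for options. The option string "fph:", the names parse_like_login and username_is_safe, and the sample command lines are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stddef.h>
#include <string.h>
#include <unistd.h>

/* Assumed option set for a login-like program: -f and -p are flags,
 * -h takes the remote hostname as its argument. */
#define LOGIN_OPTS "fph:"

struct seen { int f_flag; const char *host; const char *user; };

/* Parse argv the way a getopt-based login would. */
struct seen parse_like_login(int argc, char **argv)
{
    struct seen s = { 0, NULL, NULL };
    int c;

    opterr = 0;   /* no diagnostics on stderr */
    optind = 1;   /* restart scanning on every call */
    while ((c = getopt(argc, argv, LOGIN_OPTS)) != -1) {
        if (c == 'f')
            s.f_flag = 1;
        else if (c == 'h')
            s.host = optarg;   /* taken verbatim, never scanned for options */
    }
    if (optind < argc)
        s.user = argv[optind]; /* first remaining operand */
    return s;
}

/* Check a daemon can apply before exec'ing login with a name that came
 * from the network: refuse anything an option parser could pick up. */
int username_is_safe(const char *name)
{
    return name != NULL && name[0] != '\0' && name[0] != '-';
}

/* Constructed sample command lines, not taken from any real system. */
static char *odd_host[] = { "login", "-h", "-fhost", "alice", NULL };
static char *odd_user[] = { "login", "-h", "host", "-fx", NULL };

int host_sets_f(void) { return parse_like_login(4, odd_host).f_flag; }
int user_sets_f(void) { return parse_like_login(4, odd_user).f_flag; }
```

A daemon that passes the user name on the command line can apply username_is_safe to the name received from the client before building the argument vector.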


