Bugtraq mailing list archives

Re: Sol2.x Mouse EXPLOIT info - CORRECTION


From: bicknell () ussenterprise async vt edu (Leo Bicknell)
Date: Wed, 18 Jan 1995 10:24:41 -0500 (EST)


Why DEC ships off Ultrix 4.X with a weirdo /.rhosts which contains --
"#       @(#).rhosts     8.1     Ultrix  9/18/92"  (taken out of 4.4 ult)


What the writer was referring to (I assume) is the problem
that ruserok() doesn't interpret leading #'s or "#'s as
comments: thus, (presumably) all I need to do is create a
machine in my domain with the name "#.princeton.edu, hack
rlogin to claim that my username is @(#).rhosts, and then

hacked-rlogin -l root ultrix-box

will give me root on an ultrix-box.  If this is true (and
I haven't confirmed it myself), it's on the same level as
putting + + in /etc/hosts.equiv.

This *is* a rather esoteric hole, I must admit. :-)

        Ok, I'll point out a few things.  "#" is not a valid character
in a host name, and a good bind server will not return it.  I was
unable to get my bind server to return a hostname with a # in it,
so even if someone hacked the bind server for your site it wouldn't
matter.  

        Also, if someone was able to hack the bind server you would
have much bigger problems, like all the user .rhosts, and any other
(valid) entries in root's .rhosts.

        Another thing not considered, is that by default under Ultrix
all the network tty's are _unsecure_ meaning root cannot log in on
them no matter what .rhosts says.  Unless you have changed this it
is absolutely not possible for this to be a problem.

        It's been pointed out to me that several of the free unix's
available (FreeBSD for instance) also come with such a file.

        If I've missed something and am wrong about this, please
let me know.

-- 
Leo Bicknell - bicknell () vt edu                     | Make a little birdhouse
               bicknell () csugrad cs vt edu          | in your soul......
               bicknell () ussenterprise async vt edu | They Might
http://ussenterprise.async.vt.edu/~bicknell/       | Be Giants
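
An added audit sketch for the issue discussed in this message (not part of the original post, and not vendor code): it reads .rhosts-style text with no comment handling, which is a simplified model of the ruserok() behaviour the quoted poster describes, and flags lines that such a parser would treat as host/user entries. The sample file contents, the VALID_HOST pattern and the function names are assumptions made for the example.

```python
import re

# Constructed sample input. Line 1 is the SCCS header quoted in the thread;
# the remaining lines are made up for the example.
SAMPLE = '''"#       @(#).rhosts     8.1     Ultrix  9/18/92"
# trusted admin hosts
gateway.example.edu operator
+ +
'''

# Assumption: a host name holds only letters, digits, hyphens and dots.
VALID_HOST = re.compile(r'^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$')


def parse_no_comments(text):
    """Split every non-blank line into (lineno, host, user), ignoring
    nothing: a leading '#' or '"' is kept as part of the host field."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields:
            continue
        user = fields[1] if len(fields) > 1 else None
        entries.append((lineno, fields[0], user))
    return entries


def audit(text):
    """Return (lineno, reason, host, user) for each line worth reviewing."""
    findings = []
    for lineno, host, user in parse_no_comments(text):
        if host == '+' or user == '+':
            # Same class of problem as "+ +" in /etc/hosts.equiv.
            findings.append((lineno, 'wildcard', host, user))
        elif host[0] in '#"':
            # Intended as a comment, but parsed as a trust entry.
            findings.append((lineno, 'comment-as-entry', host, user))
        elif not VALID_HOST.match(host):
            findings.append((lineno, 'invalid-hostname', host, user))
    return findings


if __name__ == '__main__':
    for finding in audit(SAMPLE):
        print(finding)
```

Lines reported as comment-as-entry are candidates for deletion from the file, since a comment in a trust file gives no benefit on a parser that does not honour it.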


