Bugtraq mailing list archives

Re: rshd gives away usernames


From: eric () AIMNET NET (Eric)
Date: Fri, 13 Jun 1997 10:59:40 -0700


Well, sendmail has always done more or less the same thing.

Say I telnetted to port 25 of some.mailhost.com:

220 some.mailhost.com ESMTP Sendmail 8.8.5/8.7.1; Fri, 13 Jun 1997 10:56:20 -0700 (PDT)

HELO A
250 some.mailhost.com Hello userid () some mailor com [1.2.3.4], pleased to meet you

MAIL FROM:me
250 me... Sender ok

RCPT TO:nosuchguy
550 nosuchguy... User unknown

RCPT TO:root
250 root... Recipient ok

....

So how would you propose that get fixed?  Patch up sendmail so people
don't know if they mailed the wrong address?

---
Eric Kmetz                             Phone - 408/567.3800
Systems Programmer                    E-Mail - eric () aimnet net
Aimnet Corporation

On Fri, 13 Jun 1997, David Holland wrote:

Try 'rsh victimhost -l realuser' and 'rsh victimhost -l nosuchuser'.
The error reported is different.

Therefore, it's possible to determine which account names are valid.
This is an issue only for particularly paranoid sites that probably
already have rshd disabled, but I thought it would be worth issuing a
warning anyway.

A cursory investigation of some local machines showed the following:

Affected: Linux, NetBSD, Digital Unix 4.0
Not affected: HP-UX, Solaris

Linux's rsh client also seems to have a bug where the second of the
above cases prints random error strings. This will all be fixed in the
next release (unfortunately, not yesterday's release...)

--
   - David A. Holland             |    VINO project home page:
     dholland () eecs harvard edu    | http://www.eecs.harvard.edu/vino
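The exchange Eric quotes, reduced to a toy model, as an added example that is not part of the original thread or of sendmail: a stand-in for the RCPT TO step with two policies. The "leaky" policy mirrors the quoted session (unknown recipients get a distinct 550 at RCPT time). The "uniform" policy returns the same 250 for every well-formed local recipient and queues the non-delivery report for after the session, which is one answer to Eric's question of how such a leak gets fixed. `rcpt_replies_differ` is a self-test a mail administrator could run against the model to confirm whether RCPT replies act as an account-name oracle. The user list, reply strings and function names are all constructed for the demo.

```python
"""Toy RCPT TO handling (added example, not code from the Bugtraq thread or
from sendmail). Demonstrates why differing replies for known and unknown
recipients leak account names, and what a non-leaking reply policy looks like.
"""
from dataclasses import dataclass, field

# Constructed local user database for the demo (not any real host's).
LOCAL_USERS = frozenset({"root", "postmaster", "eric"})


@dataclass
class MailServer:
    """Minimal stand-in for the RCPT TO step of an SMTP server.

    uniform=False reproduces the behaviour quoted in the thread: an unknown
    recipient is rejected at once with a distinct 550 reply.
    uniform=True accepts every well-formed local recipient with the same 250
    reply and records the failure for a later bounce, so the RCPT reply
    carries no information about which accounts exist.
    """
    users: frozenset = LOCAL_USERS
    uniform: bool = False
    deferred_bounces: list = field(default_factory=list)

    def rcpt_to(self, addr: str) -> str:
        # Keep only the local part; strip the angle brackets SMTP clients send.
        local = addr.strip("<>").split("@", 1)[0]
        if not local or any(c.isspace() for c in local):
            return "501 Syntax error in recipient address"
        if local in self.users:
            return f"250 {local}... Recipient ok"
        if self.uniform:
            # Unknown user under the uniform policy: accept now and generate
            # the non-delivery report after the session, not during RCPT.
            self.deferred_bounces.append(local)
            return f"250 {local}... Recipient ok"
        # Leaky policy: the reply itself tells the client the user is absent.
        return f"550 {local}... User unknown"


def rcpt_replies_differ(server: MailServer, known: str, unknown: str) -> bool:
    """True when the RCPT reply distinguishes a known recipient from an
    unknown one, i.e. the server can serve as an account-name oracle.

    Only the reply code and the text after the echoed address are compared,
    so the address echo itself does not count as a difference."""
    def normalize(reply: str) -> str:
        code, _, rest = reply.partition(" ")
        return code + rest.partition("...")[2]

    return normalize(server.rcpt_to(known)) != normalize(server.rcpt_to(unknown))


if __name__ == "__main__":
    for name, srv in (("leaky", MailServer()), ("uniform", MailServer(uniform=True))):
        print(f"{name}: RCPT TO:root -> {srv.rcpt_to('root')}")
        print(f"{name}: RCPT TO:nosuchguy -> {srv.rcpt_to('nosuchguy')}")
        print(f"{name}: reveals valid usernames: {rcpt_replies_differ(srv, 'root', 'nosuchguy')}")
```

The uniform policy removes the oracle at the cost of accepting mail for addresses that do not exist, so the server must then generate bounces itself; on a real MTA that trade-off (and the backscatter it can cause) is the reason the choice is left to the site rather than hard-wired.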
