Bugtraq mailing list archives
Re: IRIX 6.2 passwordless accounts exploit?
From: rodmur () ECST CSUCHICO EDU (D.A. Harris)
Date: Mon, 28 Sep 1998 16:14:35 -0700
On Mon, Sep 28, 1998 at 03:31:28PM -0700, Dan Stromberg wrote:
> We've had a lot of script kiddies running an exploit against our campus, that checks for accounts that are passwordless by default in IRIX 6.2 - like 4Dgifts, EZsetup, and so on. I've seen indications this isn't limited to our campus...
>
> This script has been generating hordes of syslog entries like:
>
> Sep 27 12:43:19 foo.bar login[16310]: failed: ?@warble.frob as 4Dgifts

I figured it was just SATAN, but I don't know. I've seen a few of these from a couple of large ISPs, I passed the information along to the appropriate abuse addresses. You just have to remember to give those accounts passwords, or delete them altogether, since they are worthless accounts.

Actually, something that I think is a bug in IRIX, something that hasn't been fixed in 6.5, is the behavior of login when you specify that root can only log in to /dev/console (this can be set in /etc/default/login). Instead of immediately denying someone access when they try to telnet or rlogin as root to a box, it lets you still attempt the password, and only denies you access when you get the password correct. So a hacker would know that they have the right root password, so all he has to do is hack a user account, probably not too difficult. What login should do is once root gets entered at the login prompt, it should give an error and disconnect, that way no potential hint to the root password would be given.

--
Dale Harris <rodmur () csuchico edu>  PGP KeyID: E26EC5FD
System Administrator  ph. (530) 898-4421
Computer Graphics, Instructional Media Center  fax. (530) 898-5369
California State University, Chico, California 95929-0005
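
Added example, not part of the original post: a small detector that reads syslog lines in the format quoted above and reports remote sources that failed logins against several default passwordless accounts. The regular expression is modelled on the one log line in the thread, and the account set holds only the two names given there; the sample lines other than the first, and the function and variable names, are constructed for illustration.

```python
import re
from collections import defaultdict

# Accounts named in the thread as passwordless by default on IRIX 6.2.
# Assumption: extend this set to match the defaults shipped on your systems.
DEFAULT_ACCOUNTS = {"4Dgifts", "EZsetup"}

# Pattern modelled on the single syslog line quoted in the thread:
#   Sep 27 12:43:19 foo.bar login[16310]: failed: ?@warble.frob as 4Dgifts
FAILED_LOGIN = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\slogin\[\d+\]:\s"
    r"failed:\s(?P<ruser>[^@\s]*)@(?P<src>\S+)\sas\s(?P<account>\S+)\s*$"
)

def probes_by_source(lines, accounts=DEFAULT_ACCOUNTS, min_accounts=2):
    """Return {source: sorted accounts} for sources that failed logins
    against at least `min_accounts` distinct default accounts."""
    seen = defaultdict(set)
    for line in lines:
        m = FAILED_LOGIN.match(line)
        # Ignore lines in other formats and failures for ordinary users.
        if m and m.group("account") in accounts:
            seen[m.group("src")].add(m.group("account"))
    return {src: sorted(a) for src, a in seen.items() if len(a) >= min_accounts}

# Constructed sample log: the first line is the one quoted in the thread,
# the remaining lines are invented for this example.
SAMPLE_LOG = """\
Sep 27 12:43:19 foo.bar login[16310]: failed: ?@warble.frob as 4Dgifts
Sep 27 12:43:21 foo.bar login[16312]: failed: ?@warble.frob as EZsetup
Sep 27 12:50:02 foo.bar login[16340]: failed: ?@lab3.example.edu as jsmith
Sep 27 13:01:44 foo.bar login[16402]: failed: ?@dialup7.example.net as 4Dgifts
""".splitlines()

if __name__ == "__main__":
    for src, accts in probes_by_source(SAMPLE_LOG).items():
        print(f"{src}: probed default accounts {', '.join(accts)}")
```

Lowering `min_accounts` to 1 also surfaces sources that tried a single default account, at the cost of more noise.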