Bugtraq mailing list archives

Re: IRIX 6.2 passwordless accounts exploit?

From: eugene.bradley () erols com (Eugene Bradley)
Date: Tue, 29 Sep 1998 00:20:44 -0400


On 28 Sep 98, @ 16:14, D.A. Harris <rodmur () ECST CSUCHICO EDU> wrote:

Actually, something that I think is a bug in IRIX, something that hasn't
been fixed in 6.5, is the behavior of login when you specify that root can
only login into /dev/console (this can be set in /etc/default/login).
Instead of immediately denying someone access when they try to telnet or
rlogin as root to a box, it lets you still attempt the password, and only
denies you access when you get the password correct.  So a hacker would
know that they have the right root password, so all he has to do is hack a
user account, probably not too difficult.  What login should do is once
root gets entered at the login prompt, it should give an error and
disconnect, that why no potential hint to the root password would be
given.


This login bug also exists on every version of Solaris that I've
worked with, from 2.3 all the way to 2.6 HW 5/98 -- all with the
relevant login patches installed.  My bosses at this job and at my
previous one have contacted Sun about this problem for nearly three
years but with no results.

At this point I don't know if this login bug exists in Solaris 2.7,
which if my sources are correct, is due out next month.  I am not in
the Solaris 2.7 beta program so I couldn't test this for sure.
Anyway it'll be just one more thing on my long list of "did Sun
really fix this bug in Solaris 2.7 like they claimed they would do in
previous Solaris releases?" things I'll be checking for when I get my
Solaris 2.7 CDs.

<rant>
You would think that with Sun's size, resources, and market share in
terms of UNIX workstations, servers, and OS, that they would learn
from the security vulnerabilities found in other operating systems
and release stable and secure software instead of making SAs patch
the thing every other week...
</rant>
--
Eugene Bradley -- Just Another Random UNIX administrator
eugene.bradley () erols com | I don't work for Erol's -- they're just my ISP
to me. Get my PGP key by replying with "GET KEY" in the Subject: line.
homepage is @ http://www.geocities.com/SiliconValley/Haven/9323/

Current thread:

Re: 1+2=3, +++ATH0=Old school DoS, (continued)
- - Re: 1+2=3, +++ATH0=Old school DoS Jason (Sep 28)
- Re: 1+2=3, +++ATH0=Old school DoS Tudor Bosman (Sep 28)
- Re: 1+2=3, +++ATH0=Old school DoS Daniel Hauck (Sep 27)
- Re: 1+2=3, +++ATH0=Old school DoS Pete Gonzalez (Sep 27)
  - Re: 1+2=3, +++ATH0=Old school DoS John M. Flinchbaugh (Sep 28)
    - SHADOW group research indicates distributed probes and attacks Patrick Oonk (Sep 28)
    - Re: 1+2=3, +++ATH0=Old school DoS Adrian Gonzalez (Sep 28)
    - Modem ATH0 thread route () RESENTMENT INFONEXUS COM (Sep 28)
    - IRIX 6.2 passwordless accounts exploit? Dan Stromberg (Sep 28)
    - Re: IRIX 6.2 passwordless accounts exploit? D.A. Harris (Sep 28)
    - Re: IRIX 6.2 passwordless accounts exploit? Eugene Bradley (Sep 28)
    - Re: Solaris non-root login (was: IRIX 6.2 pass...) Richard Yates SPG (Sep 29)
    - mountd- more info (sorry) John Caldwell (Sep 28)
    - Bay Accelar 1000 series Steven Hearon (Sep 28)
    - Re: mountd- more info (sorry) RHS Linux User (Sep 29)
    - rpc.mountd vulnerabilities tiago (Sep 29)
    - Re: rpc.mountd vulnerabilities morex .- (Sep 29)
    - Snork exploit route () RESENTMENT INFONEXUS COM (Sep 29)
    - Re: rpc.mountd vulnerabilities Alan Brown (Sep 29)
    - IRIX Mail(1)/mailx(1) Security Issues SGI Security Coordinator (Sep 29)
    - IRIX On-Line Customer Registration Vulnerabilities SGI Security Coordinator (Sep 29)

(Thread continues...)