Bugtraq mailing list archives
Re: IRIX 6.2 passwordless accounts exploit?
From: eugene.bradley () erols com (Eugene Bradley)
Date: Tue, 29 Sep 1998 00:20:44 -0400
On 28 Sep 98, @ 16:14, D.A. Harris <rodmur () ECST CSUCHICO EDU> wrote:
Actually, something that I think is a bug in IRIX, something that hasn't been fixed in 6.5, is the behavior of login when you specify that root can only login into /dev/console (this can be set in /etc/default/login). Instead of immediately denying someone access when they try to telnet or rlogin as root to a box, it lets you still attempt the password, and only denies you access when you get the password correct. So a hacker would know that they have the right root password, so all he has to do is hack a user account, probably not too difficult. What login should do is once root gets entered at the login prompt, it should give an error and disconnect, that why no potential hint to the root password would be given.
This login bug also exists on every version of Solaris that I've worked with, from 2.3 all the way to 2.6 HW 5/98 -- all with the relevant login patches installed. My bosses at this job and at my previous one have contacted Sun about this problem for nearly three years but with no results. At this point I don't know if this login bug exists in Solaris 2.7, which if my sources are correct, is due out next month. I am not in the Solaris 2.7 beta program so I couldn't test this for sure. Anyway it'll be just one more thing on my long list of "did Sun really fix this bug in Solaris 2.7 like they claimed they would do in previous Solaris releases?" things I'll be checking for when I get my Solaris 2.7 CDs. <rant> You would think that with Sun's size, resources, and market share in terms of UNIX workstations, servers, and OS, that they would learn from the security vulnerabilities found in other operating systems and release stable and secure software instead of making SAs patch the thing every other week... </rant> -- Eugene Bradley -- Just Another Random UNIX administrator eugene.bradley () erols com | I don't work for Erol's -- they're just my ISP to me. Get my PGP key by replying with "GET KEY" in the Subject: line. homepage is @ http://www.geocities.com/SiliconValley/Haven/9323/
Current thread:
- Re: 1+2=3, +++ATH0=Old school DoS, (continued)
- Re: 1+2=3, +++ATH0=Old school DoS Jason (Sep 28)
- Re: 1+2=3, +++ATH0=Old school DoS Tudor Bosman (Sep 28)
- Re: 1+2=3, +++ATH0=Old school DoS Daniel Hauck (Sep 27)
- Re: 1+2=3, +++ATH0=Old school DoS Pete Gonzalez (Sep 27)
- Re: 1+2=3, +++ATH0=Old school DoS John M. Flinchbaugh (Sep 28)
- SHADOW group research indicates distributed probes and attacks Patrick Oonk (Sep 28)
- Re: 1+2=3, +++ATH0=Old school DoS Adrian Gonzalez (Sep 28)
- Modem ATH0 thread route () RESENTMENT INFONEXUS COM (Sep 28)
- IRIX 6.2 passwordless accounts exploit? Dan Stromberg (Sep 28)
- Re: IRIX 6.2 passwordless accounts exploit? D.A. Harris (Sep 28)
- Re: IRIX 6.2 passwordless accounts exploit? Eugene Bradley (Sep 28)
- Re: Solaris non-root login (was: IRIX 6.2 pass...) Richard Yates SPG (Sep 29)
- mountd- more info (sorry) John Caldwell (Sep 28)
- Bay Accelar 1000 series Steven Hearon (Sep 28)
- Re: mountd- more info (sorry) RHS Linux User (Sep 29)
- rpc.mountd vulnerabilities tiago (Sep 29)
- Re: rpc.mountd vulnerabilities morex .- (Sep 29)
- Snork exploit route () RESENTMENT INFONEXUS COM (Sep 29)
- Re: rpc.mountd vulnerabilities Alan Brown (Sep 29)
- IRIX Mail(1)/mailx(1) Security Issues SGI Security Coordinator (Sep 29)
- Re: 1+2=3, +++ATH0=Old school DoS John M. Flinchbaugh (Sep 28)
- IRIX On-Line Customer Registration Vulnerabilities SGI Security Coordinator (Sep 29)