Multiple Unix Vendor rlogin -froot Remote Authentication Bypass

1994-05-21T00:00:00
ID OSVDB:1007
Type osvdb
Reporter Pug(pug@arlut.utexas.edu)
Modified 1994-05-21T00:00:00

Description

Vulnerability Description

The rlogin command of multiple Unix vendor contains a flaw that may allow a remote attacker to bypass authentication settings. The issue is triggered when using the '-froot' parameter, which allows a remote attacker to gain root access on a system without being prompted for a password resulting in a loss of integrity.

Technical Description

The flaw is a result of the way login parses its arguments as passed by rlogind. The problem is that login parses the command line option -fUSER as -f USER when using the getopt() function with the 'f:' opt string. An unauthenticated user can gain root access through rlogin by simply specifying '-froot' as a remote loginname which will be interpreted by rlogin as '-f root'.

Solution Description

Contact your vendor for an appropriate patch. It is also possible to correct the flaw by implementing the following workaround: comment out the 'rlogin' line in /etc/inetd.conf and restart the inetd process.

Short Description

The rlogin command of multiple Unix vendor contains a flaw that may allow a remote attacker to bypass authentication settings. The issue is triggered when using the '-froot' parameter, which allows a remote attacker to gain root access on a system without being prompted for a password resulting in a loss of integrity.

Manual Testing Notes

$ rlogin [victim] -l -froot

References:

Nessus Plugin ID:10161 Mail List Post: http://archives.neohapsis.com/archives/bugtraq/1994_2/0279.html Mail List Post: http://archives.neohapsis.com/archives/bugtraq/1994_2/0281.html Mail List Post: http://archives.neohapsis.com/archives/bugtraq/1994_3/0100.html Mail List Post: http://archives.neohapsis.com/archives/bugtraq/1994_2/0274.html Mail List Post: http://archives.neohapsis.com/archives/bugtraq/1994_2/0283.html Mail List Post: http://archives.neohapsis.com/archives/bugtraq/1994_2/0289.html Mail List Post: http://archives.neohapsis.com/archives/bugtraq/1994_2/0280.html Mail List Post: http://archives.neohapsis.com/archives/bugtraq/1994_2/0292.html Keyword: fruit Keyword: APAR IX44254 Keyword: FROOT ISS X-Force ID: 104 CVE-1999-0113 CERT: CA-1994-09 Bugtraq ID: 458