rlogin(1) security bug in ISC UNIX

Conor P. Cahill cpcahil at virtech.uucp
Tue Mar 19 11:40:00 AEST 1991


There exists a bug in the rlogin daemon on ISC UNIX 2.2 which under
certain conditions will allow a non-privileged user to become root.

Before I go into details, the workaround is as follows:

	1. don't put other hosts in /etc/hosts.equiv (i.e. don't trust
	   other systems).
	
	or

	2. ensure that every login in the /etc/passwd file has a valid
	   existing login directory.  This *should* be on the local HD and
	   not an NFS partition, because if the NFS server goes down it
	   may appear that the user doesn't have a login directory.

Anyway, the problem is that if rlogin believes that the password is
not necessary for a user to login and the login directory for the user
does not exist, the user will be refused the login, but will be given
an opportunity to specify another login name.  The bug is that since
rlogin decided no password was needed for the first attempt, it merrily
decides that no password is needed for the second attempt, no matter
what the login is (including root).

To reproduce:

	1. create user account jerry on system 1 with valid login directory
	2. create user account jerry on system 2 with a login directory that
	   doesn't exist
	3. place system 1 into system 2's /etc/hosts.equiv file
	4. login on system 1 as jerry
	5. rlogin to system 2.  You will get the following message:
	
		Unable to change directory to "/login/directory"
		login:

	6. At this prompt, enter root and have fun.


We found this when we ran rlogin to a system that had the NFS partition 
unmounted and therefore the user (me in this case) got that message. I 
then wanted to login as root so that I could change the location of the
login directory and was fairly surprised when I obtained root access without
being asked for a password.

ISC has been notified of the problem and has assigned a bug tracking number
so it will probably be fixed in a future release.  Since there are simple
work-arounds, I wouldn't expect a special patch.
-- 
Conor P. Cahill            (703)430-9247        Virtual Technologies, Inc.
uunet!virtech!cpcahil                           46030 Manekin Plaza, Suite 160
                                                Sterling, VA 22170 
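
An audit for the two workarounds listed in the post, added here as an example (it is not part of the original message and not ISC code). It assumes the usual colon-separated passwd format with the login directory in field 6; the function names, the optional root prefix and the fixture contents are constructed for illustration.

```sh
#!/bin/sh
# Flags a host that meets both conditions from the post: other hosts are
# trusted in hosts.equiv AND some account has no existing login directory.

# Print each login whose login directory is empty or not a directory.
# $1 = passwd file, $2 = optional root prefix (lets a fixture tree be checked)
missing_homes() {
    prefix=${2:-}
    while IFS=: read -r name _pw _uid _gid _gecos home _shell || [ -n "$name" ]; do
        case $name in ''|'#'*) continue ;; esac
        if [ -z "$home" ] || [ ! -d "$prefix$home" ]; then printf '%s\n' "$name"; fi
    done < "$1"
}

# Print the entries of a hosts.equiv file, ignoring comments and blank lines.
trusted_hosts() {
    [ -f "$1" ] || return 0
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1"
}

# Succeeds only when neither workaround is in place.
# $1 = passwd file, $2 = hosts.equiv file, $3 = optional root prefix
exposed() {
    [ -n "$(trusted_hosts "$2")" ] && [ -n "$(missing_homes "$1" "${3:-}")" ]
}

# Constructed fixture mirroring the post: jerry's login directory is absent.
make_fixture() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/home/root" "$d/home/conor"
    printf '%s\n' 'root:x:0:0:root:/home/root:/bin/sh' \
        'conor:x:101:100::/home/conor:/bin/sh' \
        'jerry:x:102:100::/home/jerry:/bin/sh' > "$d/passwd"
    printf '%s\n' '# trusted hosts' 'system1' > "$d/hosts.equiv"
    printf '%s\n' "$d"
}

# Stand-alone use: sh audit.sh /etc/passwd /etc/hosts.equiv
if [ $# -ge 2 ]; then
    if exposed "$1" "$2"; then
        echo "EXPOSED: hosts are trusted and these logins lack a login directory:"
        missing_homes "$1"
    else
        echo "OK: at least one of the two workarounds is in place"
    fi
fi
```

The directory test reflects the moment the script runs, so a login directory on an NFS partition passes while the server is up and fails when it is down, which is the case the post warns about.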


