AIX421 root password lost

From: Bob.Kelley@BRINKSINC.COM
Date: Tue Sep 30 2003 - 12:40:59 EDT


I deleted that post about the lost remote root password, but here's
something to try:

- rlogin

COMMAND

rlogin

SYSTEMS AFFECTED

AIX V.?

PROBLEM

A problem with the way login parses its arguments as passed by rlogind allows access to the root account. The problem is the ability of login to parse the command line option -fUSER as -f USER. Now, whether you can sneak -fUSER to your login program depends on your rlogind. Rlogind basically comes in two incarnations:

old_style: rlogind establishes the connection, allocates a pty and calls login with -r. No way to sneak something to login on the command line (except with getty, when it passes usernames starting with a -). The login program will then do the rlogin protocol over stdin/stdout.

new_style: rlogind establishes the connection, allocates a pty *and* does the rlogin protocol. If the remote user is authenticated, login is called like this (with exec, so each token is one argument, never more):

login -p -h -f lusername

When login is not authenticated, login is called like this:

login -p -h lusername

Now, if -f expects an argument (getopt string f:), you can specify "-fuser" as a remote login name, and the remote login is called as

login -p -h -flusername

This is interpreted as

login -p -h -f lusername

when -f accepts an argument. It provokes a usage error if -f does not accept an argument; it is accepted as an argument if argument parsing is done with strcmp("-f", argv[x]). The best solution would be to have rlogind (and telnetd, if it negotiates a username) call a getoptified login like this:

login -- username

Summarizing: if your rlogind does the new protocol *AND* your login uses f: in its getopt strings, you're hosed.

% rlogin localhost -l -froot
# whoami
root

SOLUTION

None given.

Bobby Kelley
BRINKS
972-877-5341



This archive was generated by hypermail 2.1.7 : Wed Apr 09 2008 - 22:17:15 EDT