[2621] in linux-net channel archive
WARNING: libc/ruserok security hole (fwd)
daemon@ATHENA.MIT.EDU (Joel Maslak)
Sun Apr 21 23:22:13 1996
Date: Sun, 21 Apr 1996 21:15:48 -0600 (MDT)
From: Joel Maslak <j@pobox.com>
To: linux-net@vger.rutgers.edu

It looks like I forgot to send this message to this channel as well...

One addition: Jeff Coy Jr. <jcoy@jcoy-ppp.cscwc.pima.edu> stated that it
is IMPORTANT to make sure /etc/hosts.equiv DOES NOT CONTAIN ANY SITES,
INCLUDING LOCALHOST if you choose to continue running libc 5.3.9.

Joel Maslak
Motto of the Bomb Squad:
If you see us running, you better catch up.
---------- Forwarded message ----------
Date: Sun, 21 Apr 1996 15:15:40 -0600 (MDT)
From: Joel Maslak <j@pobox.com>
To: linux-security@tarsier.cv.nrao.edu, best-of-security@suburbia.net,
linux-gcc@vger.rutgers.edu, nclug@vis.colostate.edu
Subject: WARNING: libc/ruserok security hole

libc 5.3.9 has a major security bug in it. It affects rlogin/rsh.

Scope: If your system uses rlogin/rsh, local and remote users may
rsh/rlogin to an arbitrary account on your system.

Fix:

Method (1): downgrade libc. I know 5.0.9 is secure.

Method (2): add user name specifications to all .rhosts files.
    I.E.: .rhosts:
        plains.uwyo.edu jmaslak
    NOT:
        plains.uwyo.edu
    Without a user specification, libc-5.3.9 IS INSECURE!!

Method (3): remove in.rlogind and in.rshd from /etc/inetd.conf

This affects ALL distributions and ALL versions of rlogin/rsh/login.

If you need more info, contact j@pobox.com.

At the bottom of this message is a transcript of a session. I telnetted to
a UW system, where my user name was jmaslak. I was able to rlogin
DIRECTLY into the monitor account on blackfire.com, WITHOUT ENTERING A
PASSWORD.
The problem lies in the ruserok() function in libc.
As always, it's recommended that ALL users change their passwords on an
affected system.
Joel Maslak
Motto of the Bomb Squad:
If you see us running, you better catch up.
----
Trying 129.72.254.219...
Connected to horseman.uwyo.edu.
Escape character is '^]'.
OSF/1 (horseman.uwyo.edu) (ttyp9)
login: jmaslak
Password:
Last successful login for jmaslak: Sun Apr 21 14:31:13 1996 from 129.72.170.126
Last unsuccessful login for jmaslak: Sun Apr 21 14:40:39 1996 on ttyp9
horseman.uwyo.edu> who am i
jmaslak ttyp9 Apr 21 14:40
horseman.uwyo.edu> rlogin blackfire.com -l monitor
Last login: Sun Apr 21 14:06:57 on ttyp0 from horseman.uwyo.e
Linux 1.3.93.pentium.jcm -- Greased HeadgeHog on Steroids
No mail.
Tact is the ability to tell a man he has an open mind when he has a
hole in his head.
blackhole:~> whoami
monitor
blackhole:~> cat .rhosts
localhost
horseman.uwyo.edu
blackhole:~>
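
Added example (not part of the original messages): a shell audit for the two mitigations described above. It lists .rhosts entries that name a host without a user, and any entries present in /etc/hosts.equiv. The function names are hypothetical, and treating blank lines and lines starting with '#' as non-entries is an assumption.

```sh
#!/bin/sh
# Added example, not from the original advisory. Function names are hypothetical.
# Assumption: blank lines and lines starting with '#' are not entries.

# Print "file:line: host" for each entry that has a host but no user name
# (the form the advisory calls insecure under libc 5.3.9).
rhosts_hostonly() {
    awk 'NF == 0 || $1 ~ /^#/ { next }
         NF < 2 { printf "%s:%d: %s\n", FILENAME, FNR, $1 }' "$1"
}

# Print every entry in a hosts.equiv file; the advisory says it should
# contain no sites at all, localhost included.
hosts_equiv_entries() {
    awk 'NF == 0 || $1 ~ /^#/ { next }
         { printf "%s:%d: %s\n", FILENAME, FNR, $0 }' "$1"
}

# Check the .rhosts file in every home directory named in a passwd-format
# file (default /etc/passwd).
audit_rhosts() {
    cut -d: -f6 "${1:-/etc/passwd}" | sort -u | while IFS= read -r home; do
        if [ -n "$home" ] && [ -r "$home/.rhosts" ]; then
            rhosts_hostonly "$home/.rhosts"
        fi
    done
}

# Usage:
#   audit_rhosts /etc/passwd
#   [ -r /etc/hosts.equiv ] && hosts_equiv_entries /etc/hosts.equiv
```

Run against the .rhosts shown in the transcript, both lines (localhost and horseman.uwyo.edu) are reported, since neither carries a user name.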