[194] in linux-security and linux-alert archive

home help back first fref pref prev next nref lref last post

/etc/hosts.equiv in Slackware 2.2.0 and earlier

daemon@ATHENA.MIT.EDU (Erik Nygren)
Thu Apr 6 20:38:40 1995

To: linux-security@tarsier.cv.nrao.edu, volkerdi@mhd1.moorhead.msus.edu
Cc: waltje@uwalt.nl.mugnet.org, marthag@MIT.EDU
Date: Thu, 06 Apr 1995 19:44:54 -0400
From: Erik Nygren <nygren@MIT.EDU>


Hello,

The default /etc/hosts.equiv file in Slackware 2.2.0 and
in earlier versions contains comment lines which
are not parsed by the parser in libc.  As a result, any machine
with the hostname "#" can gain unauthorized remote root access
to any affected machine in the domain.  I have not been able
to test this so my conclusion may not be accurate.

Looking at libc-linux/inet/rcmd.c which parses this file, I can find
no attempts to handle lines starting with "#" in any special matter.
It is likely that such lines will be taken as specifying trusted
hostnames.  The hostname "#" is not RFC-compliant but that
does not mean that someone can't use it.

Here is the contents of hosts.equiv in Slackware 2.2.0.
A very similar file is used in Slackware 2.0.0:

----------- START /etc/hosts.equiv -----------
#
# hosts.lpd     This file describes the names of the hosts which are
#               to be considered "equivalent", i.e. which are to be
#               trusted enought for allowing rsh(1) commands.
#
# Version:      @(#)/etc/hosts.lpd      2.00    04/30/93
#
# Author:       Fred N. van Kempen, <waltje@uwalt.nl.mugnet.org
#
#

localhost

# End of hosts.lpd.
----------- END /etc/hosts.equiv -----------

The immediate solution is to remove all comment lines in
/etc/hosts.equiv.  If someone can verify this as being a problem they
may want to send mail to linux-alert.

	--- Erik

___________________________________________________________________________
Erik Nygren        \ \ \  Massachusetts Institute of Technology
450 Memorial Drive  \ \ \  Email: nygren@mit.edu  Voice: 617/225-9297
Cambridge, MA 02139  \ \ \  http://www.mit.edu:8001/people/nygren/home.html


[Mod: Anyone out there care to try and verify this one way or the other,
posting a reply to the list? --Jeff.]
home help back first fref pref prev next nref lref last post