[230] in Best-of-Security
BoS: rshd gives away usernames
daemon@ATHENA.MIT.EDU (David Holland)
Fri Jun 13 20:10:26 1997
Date: Fri, 13 Jun 1997 07:17:11 -0400
Reply-To: David Holland <dholland@EECS.HARVARD.EDU>
From: David Holland <dholland@EECS.HARVARD.EDU>
Errors-To: best-of-security-request@suburbia.net
To: best-of-security@suburbia.net
Resent-From: best-of-security@suburbia.net
Try 'rsh victimhost -l realuser' and 'rsh victimhost -l nosuchuser'.
The error reported is different.
Therefore, it's possible to determine which account names are valid.
This is an issue only for particularly paranoid sites that probably
already have rshd disabled, but I thought it would be worth issuing a
warning anyway.
A cursory investigation of some local machines showed the following:
Affected: Linux, NetBSD, Digital Unix 4.0
Not affected: HP-UX, Solaris
Linux's rsh client also seems to have a bug where the second of the
above cases prints random error strings. This will all be fixed in the
next release (unfortunately, not yesterday's release...)
--
- David A. Holland | VINO project home page:
dholland@eecs.harvard.edu | http://www.eecs.harvard.edu/vino
