[4680] in bugtraq
Re: rshd gives away usernames
daemon@ATHENA.MIT.EDU (Eric)
Fri Jun 13 21:37:09 1997
Date: Fri, 13 Jun 1997 10:59:40 -0700
Reply-To: Eric <eric@AIMNET.NET>
From: Eric <eric@AIMNET.NET>
X-To: David Holland <dholland@EECS.HARVARD.EDU>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <199706131117.HAA03109@burgundy.eecs.harvard.edu>
Well, sendmail has always done more or less the same thing.
Say I telnetted to port 25 of some.mailhost.com:
220 some.mailhost.com ESMTP Sendmail 8.8.5/8.7.1; Fri, 13 Jun 1997 10:56:20 -0700 (PDT)
HELO A
250 some.mailhost.com Hello userid@some.mailor.com [1.2.3.4], pleased to meet you
MAIL FROM:me
250 me... Sender ok
RCPT TO:nosuchguy
550 nosuchguy... User unknown
RCPT TO:root
250 root... Recipient ok
....
So how would you propose that get fixed? Patch up sendmail so people
don't know if they mailed the wrong address?
---
Eric Kmetz Phone - 408/567.3800
Systems Programmer E-Mail - eric@aimnet.net
Aimnet Corporation
On Fri, 13 Jun 1997, David Holland wrote:
> Try 'rsh victimhost -l realuser' and 'rsh victimhost -l nosuchuser'.
> The error reported is different.
>
> Therefore, it's possible to determine which account names are valid.
> This is an issue only for particularly paranoid sites that probably
> already have rshd disabled, but I thought it would be worth issuing a
> warning anyway.
>
> A cursory investigation of some local machines showed the following:
>
> Affected: Linux, NetBSD, Digital Unix 4.0
> Not affected: HP-UX, Solaris
>
> Linux's rsh client also seems to have a bug where the second of the
> above cases prints random error strings. This will all be fixed in the
> next release (unfortunately, not yesterday's release...)
>
> --
> - David A. Holland | VINO project home page:
> dholland@eecs.harvard.edu | http://www.eecs.harvard.edu/vino
>
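Looked at from the mail server's side, the session above leaves a recognisable trace: one peer issuing RCPT TO for many names and collecting 550 "User unknown" replies. The following is an added example, written for this archive page and not code from either poster; it scans simplified sendmail-style syslog lines (the field layout is an assumption and the sample lines are constructed) and flags the source addresses whose recipient traffic looks like a name probe rather than ordinary mail.

```python
import re
from collections import defaultdict

# Constructed sample log lines in a simplified sendmail-style syslog layout
# (an assumption, not copied from a real server): 10.0.0.5 walks through
# names, 192.0.2.10 is ordinary traffic with one mistyped recipient.
SAMPLE_LOG = """\
Jun 13 10:56:20 mailhost sendmail[812]: KAA00812: from=<me>, relay=[10.0.0.5]
Jun 13 10:56:21 mailhost sendmail[812]: KAA00812: to=<nosuchguy>, relay=[10.0.0.5], reject=550 nosuchguy... User unknown
Jun 13 10:56:22 mailhost sendmail[812]: KAA00812: to=<root>, relay=[10.0.0.5], stat=Recipient ok
Jun 13 10:56:23 mailhost sendmail[812]: KAA00812: to=<alice>, relay=[10.0.0.5], reject=550 alice... User unknown
Jun 13 10:56:24 mailhost sendmail[812]: KAA00812: to=<bob>, relay=[10.0.0.5], reject=550 bob... User unknown
Jun 13 10:56:25 mailhost sendmail[812]: KAA00812: to=<carol>, relay=[10.0.0.5], reject=550 carol... User unknown
Jun 13 10:57:01 mailhost sendmail[815]: KAA00815: to=<root>, relay=[192.0.2.10], stat=Recipient ok
Jun 13 10:57:02 mailhost sendmail[815]: KAA00815: to=<postmaster>, relay=[192.0.2.10], stat=Recipient ok
Jun 13 10:57:03 mailhost sendmail[815]: KAA00815: to=<typo>, relay=[192.0.2.10], reject=550 typo... User unknown
"""

# Fields we key on: the peer address in relay=[a.b.c.d], the recipient in
# to=<name>, and the 550 "User unknown" rejection text shown in the post.
RELAY_RE = re.compile(r"relay=\[?([0-9.]+)\]?")
RCPT_RE = re.compile(r"to=<([^>]*)>")
UNKNOWN_RE = re.compile(r"550 .*User unknown")

def summarize_rcpt_rejects(lines):
    """Per source IP: [total RCPT records, set of names rejected as unknown]."""
    stats = defaultdict(lambda: [0, set()])
    for line in lines:
        rcpt, relay = RCPT_RE.search(line), RELAY_RE.search(line)
        if not rcpt or not relay:
            continue  # not a recipient-level record (e.g. the from= line)
        ip = relay.group(1)
        stats[ip][0] += 1
        if UNKNOWN_RE.search(line):
            stats[ip][1].add(rcpt.group(1))
    return stats

def flag_enumeration(lines, min_unknown=3, min_ratio=0.5):
    """Source IPs with many distinct unknown recipients and a high reject ratio."""
    flagged = []
    for ip, (total, unknown) in summarize_rcpt_rejects(lines).items():
        if len(unknown) >= min_unknown and len(unknown) / total >= min_ratio:
            flagged.append(ip)
    return sorted(flagged)

if __name__ == "__main__":
    print("suspected name probes from:", flag_enumeration(SAMPLE_LOG.splitlines()))
```

Thresholds are per site; a mail gateway that legitimately receives bounces for stale addresses will want a higher min_unknown than a small host.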