[8090] in bugtraq
Re: IRIX 6.2 passwordless accounts exploit?
daemon@ATHENA.MIT.EDU (Kevin Hawkins)
Wed Sep 30 13:35:56 1998
Date: Wed, 30 Sep 1998 11:51:35 -0500
Reply-To: Kevin Hawkins <khawkins@NCSA.UIUC.EDU>
From: Kevin Hawkins <khawkins@NCSA.UIUC.EDU>
X-To: "D.A. Harris" <rodmur@ECST.CSUCHICO.EDU>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <19980928161435.A4581@ecst.csuchico.edu>
HP-UX exhibits the same behavior. Actually, when I questioned this
behavior on comp.sys.hp.hpux a while back (look for the subject
"Better remote access denial than securetty?" through DejaNews if
you're interested), the only response I got took the approach that
it was more of a feature than a bug. But I didn't think the arguments
given were a strong enough case against just dropping root login
attempts that weren't at the console.
So maybe the vendors don't see it as a bug? I certainly do.
Kevin
At 04:14 PM 9/28/98 -0700, D.A. Harris wrote:
>
>Actually, something that I think is a bug in IRIX, something that hasn't been
>fixed in 6.5, is the behavior of login when you specify that root can
>only login into /dev/console (this can be set in /etc/default/login).
>Instead of immediately denying someone access when they try to telnet
>or rlogin as root to a box, it lets you still attempt the password, and
>only denies you access when you get the password correct. So a hacker would
>know that they have the right root password, so all he has to do is hack
>a user account, probably not too difficult. What login should do is once
>root gets entered at the login prompt, it should give an error and disconnect,
>so that way no potential hint to the root password would be given.
>
>
>--
>Dale Harris <rodmur@csuchico.edu> PGP KeyID: E26EC5FD
>System Administrator ph. (530) 898-4421
>Computer Graphics, Instructional Media Center fax. (530) 898-5369
>California State University, Chico, California 95929-0005
>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
--
Kevin Hawkins - NCSA Security
email: khawkins@ncsa.uiuc.edu
PGP: http://www.ncsa.uiuc.edu/People/khawkins/pgp.html
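The ordering problem the thread describes, as an added example that is not code from either poster or from any vendor's login(1): a toy model of two check orders for a root login over a non-console tty. In the order the post complains about, the CONSOLE restriction is applied only after the password has been verified, so the refusal message itself confirms a correct root password. In the other order the restriction is applied before any password is read, so a remote attacker learns nothing. The account table, password hashing and message strings are constructed for the example and are not IRIX or HP-UX wording.

```python
"""Toy model of login's check ordering (added example, hypothetical code)."""
import hashlib
import hmac

CONSOLE_TTY = "/dev/console"   # models CONSOLE=/dev/console in /etc/default/login


def _hash(password: str, salt: str) -> str:
    # Hypothetical salted hash; only the comparison logic matters here.
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed sample account table: user -> (salt, hash). Not real credentials.
ACCOUNTS = {
    "root": ("s1", _hash("correct-horse", "s1")),
    "dale": ("s2", _hash("battery", "s2")),
}


def password_ok(user: str, password: str) -> bool:
    entry = ACCOUNTS.get(user)
    if entry is None:
        return False
    salt, digest = entry
    return hmac.compare_digest(_hash(password, salt), digest)


def login_leaky(user: str, tty: str, read_password) -> str:
    """Order described in the post: prompt, verify, then apply CONSOLE."""
    password = read_password()
    if not password_ok(user, password):
        return "Login incorrect"
    if user == "root" and tty != CONSOLE_TTY:
        # Only reachable with the correct root password: a password oracle.
        return "Not on system console"
    return "OK"


def login_fixed(user: str, tty: str, read_password) -> str:
    """Apply the console restriction before any password is read."""
    if user == "root" and tty != CONSOLE_TTY:
        return "Not on system console"   # same answer whatever the password
    password = read_password()
    if not password_ok(user, password):
        return "Login incorrect"
    return "OK"


def prompts_for_remote_root(login_fn) -> int:
    """How many times a remote root attempt is asked for a password."""
    calls = []

    def read_password():
        calls.append(1)
        return "anything"

    login_fn("root", "/dev/ttyp3", read_password)
    return len(calls)


def confirmed_guesses(login_fn, candidates, tty="/dev/ttyp3"):
    """Attacker over a remote tty: a guess is 'confirmed' when the response
    differs from the response to a known-wrong guess."""
    baseline = login_fn("root", tty, lambda: "\x00definitely-wrong")
    return [g for g in candidates if login_fn("root", tty, lambda g=g: g) != baseline]


if __name__ == "__main__":
    guesses = ["password", "correct-horse", "battery"]
    print("leaky order confirms:", confirmed_guesses(login_leaky, guesses))
    print("fixed order confirms:", confirmed_guesses(login_fixed, guesses))
```

With the leaky order the attacker's list of confirmed guesses contains exactly the real root password; with the fixed order it is empty, and the remote root attempt is never even asked for a password, which is the "give an error and disconnect" behaviour the post asks for.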