[3038] in bugtraq


Re: Zolaris 2.5 Exploited.

daemon@ATHENA.MIT.EDU (Jeff Wolfe)
Fri Jul 26 18:07:00 1996

Date: 	Fri, 26 Jul 1996 16:09:41 -0400
Reply-To: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
From: Jeff Wolfe <wolfe@ems.psu.edu>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>
In-Reply-To:  wightman's message of Fri, 26 Jul 1996 12:53:44 -0500.
              <9607261753.AA03840@sol.acs.uwosh.edu>

In message <9607261753.AA03840@sol.acs.uwosh.edu>, "Brian T. Wightman" writes:

> Not true.  The script created a file /.rhosts.  This file is the only
> file used to verify root rlogins.  ~/.rhosts and /etc/hosts.equiv are
> used to authenticate other users (this of course is not taking into
> account a feature of some r{login,sh}d programs that disable
> ~/.rhosts).  The symlink creates that file if it does not exist on the
> workstation.
>
> The /etc/hosts.equiv file does not exist here either.

It appears that the exploit only works when there is no .rhosts file.
I haven't been able to get the kcms utils to change the permissions on an
existing .rhosts file.

> However, this point becomes meaningless when you look at admintool and
> see that the same type of exploit can be used (also posted previously).

The same conditions apply to the admintool exploit. If the file exists, it
won't work, but if the file does not exist, the exploit will create the file
owned by root with mode 666 permissions.

> Nothing personal, just don't want anyone getting a false sense of
> security from this.

-Jeff
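
An added example, not part of the original message: a POSIX shell check that sorts an rlogin trust file into the states this thread discusses (absent, a symlink, present with the other-write bit set as with mode 666, or otherwise fine). The function names are hypothetical, and the paths to inspect are passed as arguments.

```shell
#!/bin/sh
# Added example: audit rlogin trust files for the states discussed in the thread.
# Function names are hypothetical; paths are arguments so the check can be
# exercised against a scratch directory as well as the real files.

# classify_trust_file PATH -> prints one of: symlink, absent, world-writable, ok
classify_trust_file() {
    f=$1
    if [ -L "$f" ]; then
        # A symlink at this path deserves a look regardless of its target.
        echo symlink
    elif [ ! -e "$f" ]; then
        # The message reports the file is only created when it is absent.
        echo absent
    elif [ -n "$(find "$f" -prune -perm -0002 2>/dev/null)" ]; then
        # Mode 666, as reported in the message, has the other-write bit set.
        echo world-writable
    else
        echo ok
    fi
}

# audit_trust_files PATH... -> prints "state<TAB>path" for each path and
# returns 1 if any path is a symlink or world-writable, 0 otherwise.
audit_trust_files() {
    rc=0
    for p in "$@"; do
        state=$(classify_trust_file "$p")
        printf '%s\t%s\n' "$state" "$p"
        case $state in
            symlink|world-writable) rc=1 ;;
        esac
    done
    return $rc
}
```

Run it as root, for example `audit_trust_files /.rhosts /etc/hosts.equiv`; a non-zero return means at least one path is a symlink or world-writable.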
