[442] in bugtraq
Re: login -h
daemon@ATHENA.MIT.EDU (Alexander Haiut)
Thu Dec 8 23:03:09 1994
Date: Thu, 8 Dec 1994 12:25:47 +0200 (GMT+0200)
From: Alexander Haiut <alx@black.BGU.AC.IL>
To: Bonfield James <jkb@mrc-lmb.cam.ac.uk>
Cc: bugtraq@fc.net
In-Reply-To: <9412071018.AA07415@al.mrc-lmb.cam.ac.uk>
On Wed, 7 Dec 1994, Bonfield James wrote:
> ...
> Remember the "rlogin -l -froot" type bugs some time ago? At the time I
> mentioned that "-l -hhostname" could also be used to spoof hostnames in the
> wtmp files. This is still true. The reason I haven't posted again about this
> earlier is that we've been having a couple of problems ourselves. Using the tcp
> wrapper helps things, but it's only just been installed (despite the fact that
> I've requested it numerous times).
>
> A typical spoof would be:
>
> rlogin targethost -l -htargethost
>
> Then type in the user and password. It'll then appear to last, who and
> probably finger, on targethost that the user has logged in from that system,
> not from remotely.
> ...
Okay, 4.1.3_u1 works correctly (read: "safe" ;-) in this case,
but if we're talking about spoofing, why not use the simple
trick with the C shell:  rsh hostname /bin/csh -bif
It logs you in without a tty, but also without any entries in
the [wu]tmp files..
That's all.. --alex.
---
Alexander L. Haiut
Ben-Gurion University of the Negev,
Beer-Sheva, Israel
________________________________________
e-mail : alx@cs.bgu.ac.il
voice : +972-7-461658
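The two tricks in this exchange leave different traces: the "rlogin target -l -htarget" spoof writes a wtmp record whose host field names the target machine itself, while the "rsh host /bin/csh -bif" trick writes nothing to utmp or wtmp at all. The following is an added example, not code from either poster, showing how an administrator could audit a wtmp file for the first case and cross-check it against tcp_wrappers logging, which James mentions having installed. It assumes the 4.3BSD/SunOS 4 wtmp record layout (ut_line[8], ut_name[8], ut_host[16], 32-bit ut_time; 36 bytes, big-endian), the tcpd syslog line shape "in.rlogind[pid]: connect from client", and constructed sample records and log lines; the hostnames targethost, otherhost and evilhost and the user names are hypothetical.

```python
import re
import struct

# Record layout of 4.3BSD / SunOS 4 wtmp, assumed for this example:
#   char ut_line[8]; char ut_name[8]; char ut_host[16]; long ut_time;
# 36 bytes, big-endian 32-bit time (SPARC). Other systems use other layouts.
UTMP_FMT = ">8s8s16sl"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 36


def pack_record(line, name, host, when):
    """Encode one wtmp record; struct pads short fields with NULs.
    Used here only to build constructed sample data."""
    return struct.pack(UTMP_FMT, line.encode(), name.encode(), host.encode(), when)


def _cstr(raw):
    """NUL-padded fixed-width field -> str."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def parse_wtmp(data):
    """Decode a wtmp byte string into dicts (logout records have name '')."""
    out = []
    for off in range(0, len(data) - len(data) % UTMP_SIZE, UTMP_SIZE):
        line, name, host, when = struct.unpack_from(UTMP_FMT, data, off)
        out.append({"line": _cstr(line), "name": _cstr(name),
                    "host": _cstr(host), "time": when})
    return out


def self_referencing_logins(records, local_names):
    """Logins whose ut_host names this machine itself.

    A console login leaves ut_host empty and a genuine rlogin records the
    peer's name, so a pty whose host field equals the local hostname is
    what `rlogin target -l -htarget` produces.
    """
    local = {n.lower()[:16] for n in local_names}  # ut_host holds 16 chars
    return [r for r in records if r["name"] and r["host"].lower() in local]


# tcp_wrappers line shape assumed: "in.rlogind[211]: connect from otherhost"
TCPD_RE = re.compile(r"in\.(rlogind|telnetd)\[\d+\]: connect from (\S+)")


def hosts_seen_by_tcpd(log_text):
    """Client names tcpd logged for login services, truncated like ut_host."""
    return {m.group(2).lower()[:16] for m in TCPD_RE.finditer(log_text)}


def unaccounted_logins(records, log_text):
    """Remote logins whose claimed host never connected according to tcpd.

    The wrapper logs the peer it actually saw, while ut_host is whatever
    -h supplied, so a wtmp host absent from the wrapper log is suspect.
    """
    seen = hosts_seen_by_tcpd(log_text)
    return [r for r in records
            if r["name"] and r["host"] and r["host"].lower() not in seen]


# Constructed sample data (hypothetical hosts, users and times).
LOCAL_NAMES = ["targethost", "targethost.example.org"]
SAMPLE_WTMP = b"".join([
    pack_record("console", "alice", "", 786880000),            # local console login
    pack_record("ttyp0", "bob", "otherhost", 786880100),       # genuine rlogin
    pack_record("ttyp1", "mallory", "targethost", 786880200),  # -h spoof from the thread
    pack_record("ttyp0", "", "", 786880300),                   # bob logs out
])
SAMPLE_TCPD_LOG = """\
Dec  8 12:01:40 targethost in.rlogind[211]: connect from otherhost
Dec  8 12:03:20 targethost in.rlogind[245]: connect from evilhost
Dec  8 12:05:00 targethost in.rshd[260]: connect from evilhost
"""

if __name__ == "__main__":
    recs = parse_wtmp(SAMPLE_WTMP)
    for r in self_referencing_logins(recs, LOCAL_NAMES):
        print("host field names this machine:", r)
    for r in unaccounted_logins(recs, SAMPLE_TCPD_LOG):
        print("no matching wrapper connection:", r)
```

Both checks flag mallory's ttyp1 record: its host field is the local name, and the wrapper saw a connection from evilhost, not from targethost. The second check is only meaningful for the period after tcpd was installed, since earlier records have no wrapper line to match. Neither check can see the rsh trick, because a shell started through rshd never touches wtmp; the in.rshd "connect from" line in the wrapper log is the only record of that session.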