rlogin, login -f option

Vulnerability Description

Brief description: Some versions of login (1) and rlogin (1) allow a user to log in without benefit of a password by using the -f option (no space).

Full description: The base problem arises because login recognizes the argument -fuser and logs the caller in as user without any further authentication.

The rlogin problem is derivative. You need to pass the argument to login, which rlogind calls, as an option and not as a user name. How you do this depends on the specific version of rlogin.

Older versions of rlogin establish a connection, allocate pseudo-ttys, and call login with -r hostname. In this case, the -f option will be rejected unless getty, which is sometimes spawned on the pseudo-tty, accepts user names that begin with a hyphen. This is rare, and in this case the login protocol proceeds over standard input and output, not with the user name as a command-line option.

Newer versions of rlogin establish the connection, allocate pseudo-ttys, and then do the rlogin protocol. If the remote user is authenticated, rlogind calls login with exec, so each token is one argument, never more:

login -p -h hostname -f username
but when the remote user is not authenticated, login is called like this:
login -p -h hostname username
Now, if -f expects an argument (getopt string "f:"), you can specify -fuser as a remote login name, and login is called as
login -p -h hostname -fusername
which is interpreted as
login -p -h hostname -f username

Components: login, rlogin

Systems: IBM AIX 3.2.5 (trusted), IBM AIX 3.2.4 (trusted), IBM AIX 3.2 (trusted), IBM AIX 3.1 (trusted); no version 4 or higher AIX is believed vulnerable.

Effect(s) of exploiting: User gains immediate root access

Detecting the hole:

    1. Try the commands.
    2. Try the following command:
      login -froot
      If you get root, you have the problem with login.
    3. Try the following command:
      rlogin target.host -froot
      If you get root on target.host, you have the problem with rlogin.

Fixing the hole:

    1. The patch for the IBM rlogin daemon is APAR# IX44254. After installing this, check to see whether you are still vulnerable through login.
    2. To disable the rlogin daemon on AIX:
       a. Comment out the line for rlogind in /etc/inetd.conf
       b. Run inetimp (8)
       c. Run refresh -s inetd

Other information: AIX introduced the problem with its version of rlogind.

Keywords

Cataloguing

PA Classification(s):

RISOS Classification(s):

DCS Classification(s):

CVE Number: CVE-1999-0113 -- Some implementations of rlogin allow root access if given a -froot parameter.

Exploit Information

Attack: Try either

login -froot
or
rlogin -froot target.host

Related Information

Advisories: The IBM version has Security Focus database entry 458; see also CERT Advisory CA-94.09.

Related Vulnerabilities:

Reportage

Reporting: Peter <peter@freedom.nmsu.edu> in BugTraq message ID: 199405211755.LAA07495@NMSU.Edu (Sat May 21 1994 11:54:58)

Revision Number 1

  1. Homer Briggs (6/26/2000):
    Created entry