Brief description: Some versions of login(1) and rlogin(1) allow a user to log in without benefit of a password by using the -f option (no space).
The base problem arises because
recognizes the argument
and logs the caller in as
without any further authentication.
The rlogin problem is derivative. You need to pass the argument to login, which rlogind calls, with the argument as an option and not a user name. How you do this depends on the specific version of
Older versions of rlogin establish a connection, allocate pseudo-ttys and call login with -r hostname. In this case, the -f option will be rejected unless getty, which is sometimes spawned on the pseudo-tty, takes user names that begin with a hyphen. This is rare, and the login protocol proceeds over standard input and output, not with the user as a command-line option.
Newer versions of rlogin establish the connection, allocate pseudo-ttys, and then do the rlogin protocol. If the remote user is authenticated, rlogin calls login with exec, so each token is one argument, never more:
login -p -h hostname -f username
but when login is not authenticated, login is called like this:
login -p -h hostname username
Now, if -f expects an argument (getopt string "f:"), you can specify -fuser as a remote login name, and login is called as
login -p -h hostname -fusername
which is interpreted as
login -p -h hostname -f username
Components: login, rlogin
Systems: IBM AIX 3.2.5 (trusted), IBM AIX 3.2.4 (trusted), IBM AIX 3.2 (trusted), IBM AIX 3.1 (trusted); no version 4 or higher AIX is believed vulnerable.
Effect(s) of exploiting: User gains immediate root access
Detecting the hole:
login -froot
If you get root, you have the problem with login.
rlogin target.host -froot
If you get root on target.host, you have the problem with rlogin.
Fixing the hole:
refresh -s inetd
Other information: AIX introduced the problem with its version of rlogind.
CVE Number: CVE-1999-0113 -- Some implementations of rlogin allow root access if given a -froot parameter.
Attack: Try either
rlogin -froot target.host
Advisories: The IBM version has Security Focus database entry 458; see also CERT Advisory CA-94.09
Reporting: Peter <firstname.lastname@example.org> in BugTraq message ID: 199405211755.LAA07495@NMSU.Edu (Sat May 21 1994 11:54:58)