Old rlogin bug

Dan Zenchelsky dzenc at gnu.ai.mit.edu
Thu Jul 26 12:36:47 AEST 1990


In article <DJM.90Jul25190101 at frob.eng.umd.edu> djm at eng.umd.edu (David J. MacKenzie) writes:
>
>So I log in to a host and run this like so:
>exec "login -r localhost"
>and stick this on login's stdin: "root\0root\0sun/9600"
>
>And I get a root shell.  They took this auth code out of login in 4.3T
>and made rlogind do it.

Except that all of the logins I've seen make sure getuid()==0 before allowing
this to happen.  So, the only way to do this is to already be root.

>--
>David J. MacKenzie <djm at eng.umd.edu> <djm at ai.mit.edu>

-Dan
--
 ___________________________________________________________________________
|  _______                         |________________________________________|
| ||    |o|     Dan Zenchelsky     |                                        |
| ||____| |                        |    Any sufficiently advanced bug is    |
| |  ___  |  dzenc at gnu.ai.mit.edu  |    indistinguishable from a feature.   |
| |_|___|_|                        |______________-- Rich Kulawiec__________|
|__________________________________|________________________________________|
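
The guard described in the reply above, as an added example that is not part of the original post and not taken from any login source: the -r preamble (remote user, local user, terminal/speed, each NUL-terminated) is parsed only when the caller's real uid is 0. The names accept_preamble, take_field and FIELD_MAX are hypothetical.

```c
/* Added example, not BSD login source; all names and FIELD_MAX are assumptions. */
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

#define FIELD_MAX 64  /* assumed per-field cap */

struct preamble {
    char remote_user[FIELD_MAX];
    char local_user[FIELD_MAX];
    char term[FIELD_MAX];   /* "terminal/speed", e.g. sun/9600 */
};

/* The stdin string quoted in the post; the literal's own terminator ends field 3. */
static const char SAMPLE[] = "root\0root\0sun/9600";

/* Copy one NUL-terminated field from buf[*pos..len); -1 if unterminated or too long. */
static int take_field(const char *buf, size_t len, size_t *pos, char *out)
{
    const char *start = buf + *pos;
    const char *nul = memchr(start, '\0', len - *pos);
    size_t n = nul ? (size_t)(nul - start) : FIELD_MAX;

    if (n >= FIELD_MAX)
        return -1;
    memcpy(out, start, n + 1);
    *pos += n + 1;
    return 0;
}

/* 0 = preamble accepted, -1 = caller is not root, -2 = malformed preamble. */
int accept_preamble(uid_t caller_uid, const char *buf, size_t len, struct preamble *p)
{
    size_t pos = 0;
    if (caller_uid != 0)   /* the getuid()==0 gate: refuse before reading any field */
        return -1;
    if (take_field(buf, len, &pos, p->remote_user) ||
        take_field(buf, len, &pos, p->local_user) ||
        take_field(buf, len, &pos, p->term))
        return -2;
    return 0;
}

int main(void)
{
    struct preamble p;
    printf("uid 1000: %d\n", accept_preamble(1000, SAMPLE, sizeof SAMPLE, &p));
    printf("uid 0:    %d\n", accept_preamble(0, SAMPLE, sizeof SAMPLE, &p));
    return 0;
}
```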



More information about the Comp.unix.wizards mailing list