Subject: bin/620: security spoof possible with rlogin/telnet
To: None <>
From: Luke Mewburn <>
List: netbsd-bugs
Date: 12/07/1994 21:20:06
>Number:         620
>Category:       bin
>Synopsis:       rlogin/telnet -l still passes names starting with '-' to login
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    bin-bug-people (Utility Bug People)
>State:          open
>Class:          sw-bug
>Submitter-Id:   lm
>Arrival-Date:   Wed Dec  7 21:20:04 1994
>Originator:     Luke Mewburn
"	Werj"
>Release:        1.0
System: NetBSD dodo 1.0 NetBSD 1.0 (DODO) #0: Mon Dec 5 16:44:33 EST 1994 simonb@dodo:/slab/0/src/sys/arch/i386/compile/DODO i386

	telnetd and rlogind make no check that the username they are passing
	to login doesn't start with a `-'. A major security hole in other
	systems a while ago was to do 'rlogin foo -l -froot' which rlogind
	passed to login as `login -froot' which automagically authenticated
	you as root.
	whilst netbsd doesn't have this exact problem, (due to an
	indirect way of protection), if you rlogin foo -l -hhohoho,
	your entry in the utmp file will show you coming from the host
	`hohoho' instead of your real host.

	% rlogin dodo -l -hohoho
	(login as per normal)
	% w

	no actual patch, but the best way would be to change telnetd
	and rlogind (and any other program that exec's login with
	an unchecked argv) so that if a username started with `-',
	or contained any character that's illegal in a username,
	it gets nuked from the argv[] thats passed to login via exec
	before the exec takes place. Maybe a function in libutil
	that you pass a char * to containing the name to check, and it
	returns either NULL (if not valid) or the name (if valid);
	and then hack telnetd/rlogind to use it.
	I dunno if getty has this problem - it may pay to check.