Subject: bin/620: security spoof possible with rlogin/telnet
To: None <firstname.lastname@example.org>
From: Luke Mewburn <email@example.com>
Date: 12/07/1994 21:20:06
>Synopsis: rlogin/telnet -l still passes names starting with '-' to login
>Responsible: bin-bug-people (Utility Bug People)
>Arrival-Date: Wed Dec 7 21:20:04 1994
>Originator: Luke Mewburn
System: NetBSD dodo 1.0 NetBSD 1.0 (DODO) #0: Mon Dec 5 16:44:33 EST 1994 simonb@dodo:/slab/0/src/sys/arch/i386/compile/DODO i386
telnetd and rlogind make no check that the username they are passing
to login doesn't start with a `-'. A major security hole in other
systems a while ago was to do 'rlogin foo -l -froot' which rlogind
passed to login as `login -froot' which automagically authenticated
you as root.
whilst netbsd doesn't have this exact problem, (due to an
indirect way of protection), if you rlogin foo -l -hhohoho,
your entry in the utmp file will show you coming from the host
`hohoho' instead of your real host.
% rlogin dodo -l -hohoho
(login as per normal)
no actual patch, but the best way would be to change telnetd
and rlogind (and any other program that exec's login with
an unchecked argv) so that if a username started with `-',
or contained any character that's illegal in a username,
it gets nuked from the argv thats passed to login via exec
before the exec takes place. Maybe a function in libutil
that you pass a char * to containing the name to check, and it
returns either NULL (if not valid) or the name (if valid);
and then hack telnetd/rlogind to use it.
I dunno if getty has this problem - it may pay to check.