Subject: bin/620: security spoof possible with rlogin/telnet
To: None <gnats-admin@sun-lamp.cs.berkeley.edu>
From: Luke Mewburn <lukem@dodo.melb.cpr.itg.telecom.com.au>
List: netbsd-bugs
Date: 12/07/1994 21:20:06
>Number: 620
>Category: bin
>Synopsis: rlogin/telnet -l still passes names starting with '-' to login
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: bin-bug-people (Utility Bug People)
>State: open
>Class: sw-bug
>Submitter-Id: lm
>Arrival-Date: Wed Dec 7 21:20:04 1994
>Originator: Luke Mewburn
>Organization:
" Werj"
>Release: 1.0
>Environment:
System: NetBSD dodo 1.0 NetBSD 1.0 (DODO) #0: Mon Dec 5 16:44:33 EST 1994 simonb@dodo:/slab/0/src/sys/arch/i386/compile/DODO i386
>Description:
telnetd and rlogind make no check that the username they are passing
to login doesn't start with a `-'. A major security hole in other
systems a while ago was to do 'rlogin foo -l -froot' which rlogind
passed to login as `login -froot' which automagically authenticated
you as root.
Whilst NetBSD doesn't have this exact problem (due to an
indirect way of protection), if you rlogin foo -l -hhohoho,
your entry in the utmp file will show you coming from the host
`hohoho' instead of your real host.
>How-To-Repeat:
% rlogin dodo -l -hohoho
(login as per normal)
% w
>Fix:
no actual patch, but the best way would be to change telnetd
and rlogind (and any other program that execs login with
an unchecked argv) so that if a username starts with `-',
or contains any character that's illegal in a username,
it gets nuked from the argv[] that's passed to login via exec
before the exec takes place. Maybe a function in libutil
that you pass a char * to containing the name to check, and it
returns either NULL (if not valid) or the name (if valid);
and then hack telnetd/rlogind to use it.
I dunno if getty has this problem - it may pay to check.
>Audit-Trail:
>Unformatted:
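An added example, not part of this PR and not NetBSD's own code, of the libutil-style check that the Fix section proposes, written in C: check_login_name() returns NULL for a name that is empty, starts with `-' or contains a character outside an assumed permitted set, and argv_for_login() shows how a daemon such as rlogind would apply the check before exec'ing login so that a name like "-hhohoho" can never reach login's option parser. The function names, the permitted character set, the 16-character length limit and the "login -p -h host name" argument layout are assumptions for illustration.

```c
/*
 * Added example (not from the PR or NetBSD): a username check of the kind
 * the report proposes for libutil, and its use when building argv for login.
 * Names, character set, length limit and login's flags are assumptions.
 */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_LOGIN_NAME 16	/* assumed limit, in the spirit of UT_NAMESIZE */

/*
 * check_login_name: return name if it is safe to hand to login as a
 * positional argument, NULL otherwise.  A leading '-' is rejected because
 * login would parse the "name" as options ("-hhohoho" becomes -h hohoho,
 * "-froot" becomes -f root).  Characters outside [A-Za-z0-9._-] are
 * rejected as illegal in a username (assumed set).
 */
const char *
check_login_name(const char *name)
{
	size_t len, i;

	if (name == NULL || *name == '\0' || *name == '-')
		return NULL;
	len = strlen(name);
	if (len > MAX_LOGIN_NAME)
		return NULL;
	for (i = 0; i < len; i++) {
		unsigned char c = (unsigned char)name[i];
		if (!isalnum(c) && c != '.' && c != '_' && c != '-')
			return NULL;
	}
	return name;
}

/* Static argv so the caller can pass it straight to execv(). */
static const char *login_argv[6];

/*
 * argv_for_login: build the argv a daemon would exec login with.  The
 * remote host goes through login's own -h flag (assumed layout), and the
 * name is checked first, so the name can never smuggle in a flag.
 * Returns NULL (and execs nothing) when the name fails the check.
 */
const char **
argv_for_login(const char *rhost, const char *name)
{
	if (check_login_name(name) == NULL)
		return NULL;
	login_argv[0] = "login";
	login_argv[1] = "-p";
	login_argv[2] = "-h";
	login_argv[3] = rhost;
	login_argv[4] = name;
	login_argv[5] = NULL;
	return login_argv;
}

int
main(void)
{
	/* Constructed sample names: one legitimate, the rest hostile/bad. */
	const char *samples[] = { "lukem", "-hhohoho", "-froot", "foo;bar", "" };
	size_t i, j;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		const char **av = argv_for_login("real.host", samples[i]);
		printf("name \"%s\": ", samples[i]);
		if (av == NULL) {
			printf("rejected, login not exec'd\n");
			continue;
		}
		printf("exec");
		for (j = 0; av[j] != NULL; j++)
			printf(" %s", av[j]);
		printf("\n");
	}
	return 0;
}
```

With the check in place, "rlogin dodo -l -hhohoho" is refused by the daemon before login ever sees argv, so utmp can only record the host the daemon itself passed via -h. Whether '-' should be permitted inside a name (as opposed to at its start) is a site policy; the example allows it, which is an assumption.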