- rlogin


COMMAND

rlogin

SYSTEMS AFFECTED

AIX V.?


PROBLEM

This a problem with the way login parses it arguments as passed by rlogind
allows access to the root account. The problem is the ability of login to parse the
command line option -fUSER as -f USER. Now
whether you can sneak -fUSER
to your login program depends on your rlogind. Rlogind basically comes in two
incarnations:

old_style: rologind establishes connection
allocates pty and calls login with -r .
No way to sneak something to login on the command line (except with getty

when it passes usernames starting with a -). The login program will the do the
rlogin protocol over stin/stuot.

new_style: rlogin establishes the connection
allocates pty *and* does the rlogin
protocol. If the remote user is authenticated
login is called like this (with exec
so
each token is one argument
never more)

login -p -h  -f lusername

when login is not authenticated
login is called like this:

login -p -h  lusername

Now
if -f expects an argument (getops string f:)
you can specify "-fuser" as a
remote loginname
and remote is called as

login -p -h  -flusername

this is interpreted as

login -p -h  -f lusername

when -f accepts an argument. It provokes a usage error if -f does not accept an
argument
it is accepted as an argument if argument parsing is done with
strcmp("-f"
argv[x]). The best solution would be to have rlogind (and telnetd if it
negotiates a username) call a getoptified login like this:

login  -- username

Summarizing: if your rlogind does the new protocol *AND* your login uses f: in its
getopt strings
you're hosed.


% rlogin localhost -l -froot
# whoami
root



SOLUTION

None given.