Re: SGI security problem with telnetd. TAKE IMMEDIATE ACTION!! (fwd)
- Subject: Re: SGI security problem with telnetd. TAKE IMMEDIATE ACTION!! (fwd)
- Date: Tue, 15 Aug 2000 16:12:21 -0600 (MDT)
===============================================================================
Robb Kambic Unidata Program Center
Software Engineer III Univ. Corp for Atmospheric Research
address@hidden WWW: http://www.unidata.ucar.edu/
===============================================================================
---------- Forwarded message ----------
Date: Tue, 15 Aug 2000 15:27:37 -0500
From: Pete Pokrandt <address@hidden>
To: Ted Jackson <address@hidden>
Subject: Re: SGI security problem with telnetd. TAKE IMMEDIATE ACTION!! (fwd)
In a previous message to me, you wrote:
>I can't say for all versions, but some versions of Irix, if the /.rhosts
>file contains the "+ +" line as shown below, will also allow any user to
>'su' without prompting for a password at all.
>
>Ted Jackson
>
Ted and all,
What a .rhosts file with a + + in it means, is that anyone is allowed to
rlogin to your host from any other host without supplying a password.
If that .rhosts file is in root's home directory (typically /) then
anyone can rlogin to your machine as root without needing to supply
a password.
BUT.. I think that part of my original forward is confusing people.
This vulnerability is NOT about a .rhosts file with a + + in it.
It is about a vulnerability that exists in the telnet daemon (server)
on SGI IRIX machines.
When exploited, this vulnerability gives a remote user a root shell on
your machine. From that root shell, they can do anything else, such as
installing trojan binaries, creating a renegade .rhosts file (as they
did in the original example that I had forwarded) etc.
The original notification about this vulnerability was discussed on
the Bugtraq mailing list, and includes a program which exploits the
vulnerability. A quick search of the bugtraq archive (located on
www.securityfocus.com) will get you the info *and* the exploit program.
It works.. I grabbed a copy and tested some of my machines: you run the
program and you get a root shell.
The solution for the telnet vulnerability as of right now, is to
turn off the telnet daemon on your machine by commenting it out of
the /etc/inetd.conf file, as specified in my original message.
Of course, after doing that, you can no longer telnet into your
machines, which is a hassle, but it's better than getting hacked
into. I personally run the telnet daemon, but use tcp wrappers
to restrict what remote IPs can connect to it. It is not totally
secure, but eliminates a good portion of the risk associated
with the telnet daemon bug, without removing telnet access for
legitimate users.
Anyways... Back to the inetd.conf's on my other 20+ SGIs...
Pete
--
+>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>+<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<+
^ Pete Pokrandt V 1447 AOSS Bldg 1225 W Dayton St^
^ Systems Programmer V Madison, WI 53706 ^
^ V address@hidden ^
^ Dept of Atmos & Oceanic Sciences V (608) 262-3086 (Phone/voicemail) ^
^ University of Wisconsin-Madison V 262-0166 (Fax) ^
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<+>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>+
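An added audit example for the defensive steps Pete describes above: checking whether telnet is still enabled in /etc/inetd.conf, whether the active telnet line goes through tcpd so tcp wrappers can restrict the remote IPs, and whether a .rhosts file carries the "+ +" wildcard Ted mentions. This is example code written for this page, not code from the original message, from SGI or from the tcp wrappers package; the daemon paths (/usr/etc/telnetd, /usr/etc/tcpd), the hostname trusted.example.net and the network 192.0.2.0/255.255.255.0 are constructed placeholders, and the sample file contents are constructed rather than captured from a real system.

```shell
#!/bin/sh
# Added audit helpers for the points raised in the thread above. Example code
# written for this page, not part of the original message or of IRIX. Sample
# file contents are constructed; paths and network values are assumptions.

# Constructed inetd.conf lines: telnet enabled as shipped, the same line
# disabled by commenting it out (the mitigation Pete describes), and the
# line rewritten to hand the connection to tcpd so tcp wrappers apply.
INETD_TELNET_ON='telnet  stream  tcp  nowait  root  /usr/etc/telnetd  telnetd'
INETD_TELNET_OFF='#telnet stream  tcp  nowait  root  /usr/etc/telnetd  telnetd'
INETD_TELNET_WRAPPED='telnet  stream  tcp  nowait  root  /usr/etc/tcpd  telnetd'

# Constructed .rhosts entries: one host/user pair, and the "+ +" wildcard.
RHOSTS_SAFE='trusted.example.net  pete'
RHOSTS_OPEN='+ +'

# telnet_enabled FILE: prints "yes" if an uncommented telnet service line
# is present in the given inetd.conf, otherwise "no".
telnet_enabled() {
    if grep -E '^[[:space:]]*telnet[[:space:]]' "$1" >/dev/null 2>&1; then
        echo yes
    else
        echo no
    fi
}

# telnet_wrapped FILE: prints "yes" only if telnet is active AND every
# active telnet line runs tcpd, so hosts.allow/hosts.deny are consulted.
telnet_wrapped() {
    active=$(grep -E '^[[:space:]]*telnet[[:space:]]' "$1" 2>/dev/null || true)
    [ -n "$active" ] || { echo no; return; }
    if printf '%s\n' "$active" | grep -v tcpd >/dev/null; then
        echo no    # at least one active line bypasses the wrapper
    else
        echo yes
    fi
}

# rhosts_open FILE: prints "yes" if any entry uses "+" as the host field,
# i.e. trusts every host (the "+ +" form trusts every user as well).
rhosts_open() {
    if grep -E '^[[:space:]]*\+([[:space:]]|$)' "$1" >/dev/null 2>&1; then
        echo yes
    else
        echo no
    fi
}

# wrapper_policy ALLOWED: prints hosts.allow / hosts.deny lines that let only
# ALLOWED reach telnetd and refuse everyone else. "daemon: client" is the
# tcp wrappers syntax; the client value is whatever you pass in.
wrapper_policy() {
    printf '# /etc/hosts.allow\ntelnetd: %s\n' "$1"
    printf '# /etc/hosts.deny\ntelnetd: ALL\n'
}

# Demonstration over the constructed samples, using temporary files.
demo() {
    d=$(mktemp -d)
    printf '%s\n' "$INETD_TELNET_ON"      > "$d/inetd.on"
    printf '%s\n' "$INETD_TELNET_OFF"     > "$d/inetd.off"
    printf '%s\n' "$INETD_TELNET_WRAPPED" > "$d/inetd.wrapped"
    printf '%s\n' "$RHOSTS_SAFE"                > "$d/rhosts.safe"
    printf '%s\n' "$RHOSTS_SAFE" "$RHOSTS_OPEN" > "$d/rhosts.open"
    echo "telnet enabled (shipped):   $(telnet_enabled "$d/inetd.on")"
    echo "telnet enabled (commented): $(telnet_enabled "$d/inetd.off")"
    echo "telnet wrapped (tcpd):      $(telnet_wrapped "$d/inetd.wrapped")"
    echo ".rhosts wildcard (safe):    $(rhosts_open "$d/rhosts.safe")"
    echo ".rhosts wildcard (+ +):     $(rhosts_open "$d/rhosts.open")"
    wrapper_policy '192.0.2.0/255.255.255.0'   # assumed: your own network
    rm -rf "$d"
}

demo
```

Run the functions against the real /etc/inetd.conf and each home directory's .rhosts (root's is typically /.rhosts, as the thread notes) rather than the constructed samples; a "yes" from telnet_enabled with a "no" from telnet_wrapped is the exposed configuration Pete warns about, and a "yes" from rhosts_open is the "+ +" file Ted describes.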