This archive contains answers to questions sent to Unidata support through mid-2025. Note that the archive is no longer being updated. We provide the archive for reference; many of the answers presented here remain technically correct, even if somewhat outdated. For the most up-to-date information on the use of NSF Unidata software and data services, please consult the Software Documentation first.
===============================================================================
Robb Kambic                                Unidata Program Center
Software Engineer III                      Univ. Corp for Atmospheric Research
address@hidden                             WWW: http://www.unidata.ucar.edu/
===============================================================================

---------- Forwarded message ----------
Date: Tue, 15 Aug 2000 15:27:37 -0500
From: Pete Pokrandt <address@hidden>
To: Ted Jackson <address@hidden>
Subject: Re: SGI security problem with telnetd. TAKE IMMEDIATE ACTION!! (fwd)

In a previous message to me, you wrote:

>I can't say for all versions, but some versions of Irix, if the /.rhosts
>file contains the "+ +" line as shown below, will also allow any user to
>'su' without prompting for a password at all.
>
>Ted Jackson
>

Ted and all,

What a .rhosts file with a + + in it means, is that anyone is allowed to
rlogin to your host from any other host without supplying a password. If
that .rhosts file is in root's home directory (typically /) then anyone can
rlogin to your machine as root without needing to supply a password.

BUT.. I think that part of my original forward is confusing people. This
vulnerability is NOT about a .rhosts file with a + + in it. It is about a
vulnerability that exists in the telnet daemon (server) on SGI IRIX machines.
When exploited, this vulnerability gives a remote user a root shell on your
machine. From that root shell, they can do anything else, such as installing
trojan binaries, creating a renegade .rhosts file (as they did in the original
example that I had forwarded) etc.

The original notification about this vulnerability was discussed on the
Bugtraq mailing list, and includes a program which exploits the vulnerability.
A quick search of the bugtraq archive (located on www.securityfocus.com) will
get you the info *and* the exploit program. It works.. I grabbed a copy and
tested some of my machines, you run the program and you get a root shell.
The solution for the telnet vulnerability as of right now, is to turn off the
telnet daemon on your machine by commenting it out of the /etc/inetd.conf
file, as specified in my original message. Of course, after doing that, you
can no longer telnet into your machines, which is a hassle, but it's better
than getting hacked into.

I personally run the telnet daemon, but use tcp wrappers to restrict what
remote IPs can connect to it. It is not totally secure, but eliminates a good
portion of the risk associated with the telnet daemon bug, without removing
telnet access for legitimate users.

Anyways... Back to the inetd.conf's on my other 20+ SGIs...

Pete

--
+>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>+<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<+
^ Pete Pokrandt                    V 1447 AOSS Bldg 1225 W Dayton St ^
^ Systems Programmer               V Madison, WI 53706               ^
^                                  V address@hidden                  ^
^ Dept of Atmos & Oceanic Sciences V (608) 262-3086 (Phone/voicemail)^
^ University of Wisconsin-Madison  V 262-0166 (Fax)                  ^
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<+>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>+
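The two checks the message above describes, a "+ +" wildcard in root's .rhosts and telnetd still enabled in /etc/inetd.conf, as an added audit script that is not part of the original thread. The sample files it reads are constructed in a temporary directory (the real paths on an IRIX host would be /.rhosts and /etc/inetd.conf), and the hardening step it applies is the inetd.conf edit the message recommends.

```shell
#!/bin/sh
# Added example, not part of the original message: audit a host for the two
# issues the thread describes (a "+ +" wildcard in root's .rhosts, and
# telnetd still enabled in /etc/inetd.conf) and produce the hardened
# inetd.conf the message recommends. The sample files below are constructed
# in a temp directory; on a real IRIX host point the functions at /.rhosts
# and /etc/inetd.conf instead.

# Returns 0 if the .rhosts file has a "+ +" entry, i.e. any user on any host
# may rlogin as this account without a password; comments and blanks ignored.
rhosts_is_wide_open() {
    [ -r "$1" ] || return 1
    sed 's/#.*//; s/[[:space:]][[:space:]]*/ /g; s/^ //; s/ $//' "$1" \
        | grep -qx '+ +'
}

# Returns 0 if inetd.conf still carries an uncommented telnet service line.
telnet_enabled_in_inetd() {
    [ -r "$1" ] || return 1
    grep -q '^[[:space:]]*telnet[[:space:]]' "$1"
}

# Prints a copy of inetd.conf with every active telnet line commented out
# (inetd must be sent SIGHUP afterwards for the change to take effect).
disable_telnet_in_inetd() {
    sed 's/^\([[:space:]]*telnet[[:space:]]\)/#\1/' "$1"
}

# Constructed sample input so the script runs stand-alone.
tmp=$(mktemp -d)
printf '# trust everyone (bad)\n+ +\n' > "$tmp/rhosts"
printf 'ftp\tstream\ttcp\tnowait\troot\t/usr/etc/ftpd\tftpd\n' > "$tmp/inetd.conf"
printf 'telnet\tstream\ttcp\tnowait\troot\t/usr/etc/telnetd\ttelnetd\n' >> "$tmp/inetd.conf"

if rhosts_is_wide_open "$tmp/rhosts"; then
    echo "WARNING: $tmp/rhosts allows passwordless rlogin from any host"
fi
if telnet_enabled_in_inetd "$tmp/inetd.conf"; then
    disable_telnet_in_inetd "$tmp/inetd.conf" > "$tmp/inetd.conf.new"
    echo "WARNING: telnetd enabled; hardened copy at $tmp/inetd.conf.new"
fi
```

The hardened copy only covers the telnetd bug; a tcp_wrappers hosts.allow/hosts.deny pair, as the message mentions, narrows exposure further but does not remove it.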