
Re: SGI security problem with telnetd. TAKE IMMEDIATE ACTION!! (fwd)




===============================================================================
Robb Kambic                                Unidata Program Center
Software Engineer III                      Univ. Corp for Atmospheric Research
address@hidden             WWW: http://www.unidata.ucar.edu/
===============================================================================

---------- Forwarded message ----------
Date: Tue, 15 Aug 2000 15:27:37 -0500
From: Pete Pokrandt <address@hidden>
To: Ted Jackson <address@hidden>
Subject: Re: SGI security problem with telnetd. TAKE IMMEDIATE ACTION!! (fwd) 


In a previous message to me, you wrote: 

 >I can't say for all versions, but some versions of Irix, if the /.rhosts
 >file contains the "+ +" line as shown below, will also allow any user to
 >'su' without prompting for a password at all.
 >
 >Ted Jackson
 >

Ted and all,

What a .rhosts file with a + + in it means, is that anyone is allowed to
rlogin to your host from any other host without supplying a password.
If that .rhosts file is in root's home directory (typically /) then
anyone can rlogin to your machine as root without needing to supply
a password.

BUT..  I think that part of my original forward is confusing people.

This vulnerability is NOT about a .rhosts file with a + + in it.

It is about a vulnerability that exists in the telnet daemon (server)
on SGI IRIX machines.

When exploited, this vulnerability gives a remote user a root shell on
your machine. From that root shell, they can do anything else, such as
installing trojan binaries, creating a renegade .rhosts file (as they
did in the original example that I had forwarded) etc.

The original notification about this vulnerability was discussed on
the Bugtraq mailing list, and includes a program which exploits the
vulnerability. A quick search of the bugtraq archive (located on
www.securityfocus.com) will get you the info *and* the exploit program.

It works.. I grabbed a copy and tested some of my machines, you run the
program and you get a root shell.

The solution for the telnet vulnerability as of right now, is to
turn off the telnet daemon on your machine by commenting it out of
the /etc/inetd.conf file, as specified in my original message.

Of course, after doing that, you can no longer telnet into your
machines, which is a hassle, but it's better than getting hacked
into.  I personally run the telnet daemon, but use tcp wrappers
to restrict what remote IPs can connect to it. It is not totally
secure, but eliminates a good portion of the risk associated
with the telnet daemon bug, without removing telnet access for
legitimate users.

Anyways... Back to the inetd.conf's on my other 20+ SGIs...

Pete

--
+>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>+<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<+
^ Pete Pokrandt                    V 1447  AOSS Bldg  1225 W Dayton St^
^ Systems Programmer               V Madison,         WI     53706    ^
^                                  V      address@hidden       ^
^ Dept of Atmos & Oceanic Sciences V (608) 262-3086 (Phone/voicemail) ^
^ University of Wisconsin-Madison  V       262-0166 (Fax)             ^
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<+>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>+
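The checks Pete describes (a `+ +` line in root's `.rhosts`, an active `telnet` line in `/etc/inetd.conf`, and a default-deny `hosts.deny` alongside tcp wrappers) can be scripted so that they run the same way across a fleet of machines. The script below is an added example and is not part of the original thread or of any IRIX tooling; it works only on constructed sample files written to a temporary directory, and the function names, the `SAMPLE_DIR` variable and the IRIX-style `inetd.conf` excerpt are assumptions for illustration. On a real host the functions would be pointed at `/.rhosts`, `/etc/inetd.conf` and `/etc/hosts.deny`.

```shell
#!/bin/sh
# Added audit helpers (not from the original thread). Assumed paths: the
# sample files are constructed below in a temp directory; on a real host
# point these at /.rhosts, /etc/inetd.conf and /etc/hosts.deny instead.

# Drop comments and blank lines from a config file.
_active_lines() {
    sed -e 's/#.*$//' -e '/^[[:space:]]*$/d' "$1"
}

# Return 0 (true) if the .rhosts file trusts every host: a line whose host
# field is "+". "+ +" is the any-host/any-user form discussed in the thread;
# a lone "+" still trusts every host for the file owner's own account.
rhosts_is_wide_open() {
    _active_lines "$1" | awk '$1 == "+" { found = 1 } END { exit !found }'
}

# Return 0 if inetd.conf still has an uncommented telnet service line.
inetd_telnet_enabled() {
    _active_lines "$1" | awk '$1 == "telnet" { found = 1 } END { exit !found }'
}

# Write a copy of inetd.conf with every active telnet line commented out
# (the mitigation recommended in the message). Prints the output path.
disable_telnet_inetd() {
    sed -e '/^[[:space:]]*telnet[[:space:]]/s/^/#/' "$1" > "$2" \
        && printf '%s\n' "$2"
}

# Return 0 if hosts.deny carries a default-deny rule ("ALL: ALL"), the usual
# companion to a hosts.allow whitelist when telnetd runs under tcp wrappers.
wrappers_default_deny() {
    _active_lines "$1" \
        | grep -Eq '^[[:space:]]*ALL[[:space:]]*:[[:space:]]*ALL([[:space:]]|$)'
}

# --- constructed sample files (not taken from any real host) ---
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/rhosts.bad" <<'EOF'
# the kind of line an intruder plants: trust every user on every host
+ +
EOF
cat > "$SAMPLE_DIR/rhosts.ok" <<'EOF'
trusted.example.edu  pete
EOF
cat > "$SAMPLE_DIR/inetd.conf" <<'EOF'
# constructed excerpt in IRIX-style inetd.conf layout
ftp     stream  tcp  nowait  root  /usr/etc/ftpd    ftpd -l
telnet  stream  tcp  nowait  root  /usr/etc/telnetd telnetd
shell   stream  tcp  nowait  root  /usr/etc/rshd    rshd -L
EOF
cat > "$SAMPLE_DIR/hosts.deny" <<'EOF'
ALL: ALL
EOF

# Stand-alone run: report findings and produce the hardened inetd.conf copy.
main() {
    for f in rhosts.bad rhosts.ok; do
        if rhosts_is_wide_open "$SAMPLE_DIR/$f"; then
            echo "$f: WIDE OPEN (any host may rlogin as the file owner)"
        else
            echo "$f: host-restricted"
        fi
    done
    if inetd_telnet_enabled "$SAMPLE_DIR/inetd.conf"; then
        echo "inetd.conf: telnetd enabled; writing hardened copy"
        disable_telnet_inetd "$SAMPLE_DIR/inetd.conf" "$SAMPLE_DIR/inetd.conf.hardened"
    fi
    if wrappers_default_deny "$SAMPLE_DIR/hosts.deny"; then
        echo "hosts.deny: default deny present"
    fi
    return 0
}
main
```

The comment-stripping helper means a `#telnet ...` line left behind by the fix is correctly reported as disabled, while the `ftp` and `shell` entries in the hardened copy stay untouched; the `shell` (rshd) line is a reminder that a wide-open `.rhosts` also matters for rsh, not just rlogin.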