CVE-1999-0113
CVSS 10.0
Published: 1994-05-23 00:00:00
Last revised: 2008-09-09 08:33:46

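[Original] Some implementations of rlogin allow root access if given a -froot parameter.


[CNNVD] AIX login argument handling vulnerability (CNNVD-199405-004)

        Some implementations of rlogin contain a vulnerability. An attacker can exploit it with the '-froot' parameter to gain root access.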

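- CVSS (base score)

CVSS score: 10 [Severe (HIGH)]
Confidentiality impact: COMPLETE [total information disclosure, exposing all system files]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may render the system completely unavailable]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]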

- CPE (affected platforms and products)

cpe:/o:ibm:aix:3.2.5    IBM AIX 3.2.5
cpe:/o:ibm:aix:3.2      IBM AIX 3.2
cpe:/o:ibm:aix:3.1      IBM AIX 3.1
cpe:/o:ibm:aix:3.2.4    IBM AIX 3.2.4

- OVAL (technical details for detection)

No related OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0113
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-0113
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-199405-004
(official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/bid/458
(UNKNOWN)  BID  458

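- Vulnerability information

AIX login argument handling vulnerability
Critical
1994-05-23 00:00:00 2012-11-28 00:00:00
Remote
        Some implementations of rlogin contain a vulnerability. An attacker can exploit it with the '-froot' parameter to gain root access.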

- Advisories and patches

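        Temporary workaround:
        If you cannot install the patch or upgrade immediately, CNNVD recommends the following measures to reduce the threat:
        * H Morrow Long <long-morrow@cs.yale.edu> provides the following script to address this problem: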
        #!/bin/sh
        #
        # H. Morrow Long, Yale CSCF
        #
        # Version "tsm-3.2.0".
        AIX_VERSION="tsm-3.2.0"
        #
        # Patch path directory /cs/local/src/AIX/rlogin/
        AIX_PATCH_DIR="/cs/local/src/AIX/rlogin"
        AIX_TSM_PATCH="$AIX_PATCH_DIR/$AIX_VERSION"
        # Root should NOT be allowed to rlogin as user ROOT anyway! DISABLE root rlogin
        #
        chuser rlogin='false' root
        #
        #
        # 1. As root, edit /etc/inetd.conf
        # Comment out the line 'login ... rlogin'
        sed 's/^login/# login/' /etc/inetd.conf > /tmp/inetd.conf.NEW
        cp -p /etc/inetd.conf /etc/inetd.conf.BACKUP
        cp /tmp/inetd.conf.NEW /etc/inetd.conf
        # 2. Run 'inetimp'
        inetimp
        # 3. Run 'refresh -s inetd'
        refresh -s inetd
        #
        #
        #
        # APAR IX44254 -- rlogin security hole
        #
        # This document describes how to apply the emergency patch for APAR
        # IX44254. This emergency patch is not the permanent solution to this
        # problem, it merely provides a means to restore rlogin functionality
        # in a more secure manner.
        #
        # Begin by identifying the correct level for your system. The command
        # "oslevel" may be used for this purpose on AIX v3.2 systems. For AIX
        # v3.1 systems you must know the last maintenance level which was
        # applied.
        #
        # If the "oslevel" command returns "oslevel: not found" or a similar
        # message from the shell, you must use "tsm-3.2.0".
        #
        # If the "oslevel" command returns "<3240" or "<>3240", you must use
        # "tsm-3.2.0".
        #
        # If the "oslevel" command returns "=3240", ">3240", "<3250" or "<>3250",
        # you must use "tsm-3.2.4".
        #
        # If the "oslevel" command returns "=3250" or ">3250", you must use
        # "tsm-3.2.5".
        #
        #
        # Once you have determined the correct version, execute the following
        # steps.
        #
        # 1). "cd /usr/sbin"
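        # Stop here if the directory is missing, so the rm/ln steps below never run elsewhere.
        cd /usr/sbin || exit 1
        # 2). If the file "tsm.ix44254" does not exist, execute "mv tsm tsm.ix44254"
        # (guarded so a second run does not overwrite the saved original)
        [ -f tsm.ix44254 ] || mv tsm tsm.ix44254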
        # 3). "cp tsm" where "" was figured out above.
        # "tsm-3.2.0".
        # cp /cs/local/src/AIX/rlogin/tsm-3.2.0 ./tsm
        cp "${AIX_TSM_PATCH}" ./tsm
        # 3). "rm -f login getty"
        rm -f login getty
        # 4). "chown root.security tsm"
        chown root.security tsm
        # 5). "chmod 4554 tsm"
        chmod 4554 tsm
        # 6). "ln tsm login"
        ln tsm login
        # 7). "ln tsm getty"
        ln tsm getty
        # 8). "chmod a-x tsm.ix44254"
        chmod a-x tsm.ix44254
        #
        cp -p /etc/inetd.conf.BACKUP /etc/inetd.conf
        # 2. Run 'inetimp'
        inetimp
        # 3. Run 'refresh -s inetd'
        refresh -s inetd
        #
        #
        # You may verify that the new login command is working correctly with the
        # command
        #
        # rlogin localhost
        rlogin localhost
        Vendor patch:
        IBM
        ---
        IBM AIX 4.1 and later are no longer affected by this vulnerability. Contact the vendor:
        
        http://www.ers.ibm.com/

- Vulnerability information (19348)

IBM AIX <= 3.2.5 login(1) Vulnerability (EDBID:19348)
aix remote
1996-12-04 Verified
0 Anonymous
N/A
source: http://www.securityfocus.com/bid/458/info

A problem with the way login parses arguments passed by rlogind may allow access to the root account.

%rlogin -froot targethost.com 		

- Vulnerability information

1007
Multiple Unix Vendor rlogin -froot Remote Authentication Bypass
Remote / Network Access, Local / Remote Input Manipulation
Loss of Integrity Patch / RCS
Exploit Public Uncoordinated Disclosure, Discovered in the Wild

- Vulnerability description

The rlogin command of multiple Unix vendors contains a flaw that may allow a remote attacker to bypass authentication settings. The issue is triggered when using the '-froot' parameter, which allows a remote attacker to gain root access on a system without being prompted for a password, resulting in a loss of integrity.

- Timeline

1994-05-21 1994-01-01
1994-05-21 Unknown

- Solution

Contact your vendor for an appropriate patch. It is also possible to correct the flaw by implementing the following workaround: comment out the 'rlogin' line in /etc/inetd.conf and restart the inetd process.
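
A check for the end state of the inetd.conf workaround, added here as an example (it is not part of the advisory or of H. Morrow Long's script): it reports any 'login' service entry that is still active. The function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an inetd.conf-style file for an active rlogin ("login") entry.

# Print every non-comment line whose first field (the service name) is "login".
# Leading whitespace is tolerated so an indented entry is not missed
# (conservative assumption: such a line is treated as active).
active_login_lines() {
    awk '
        /^[ \t]*#/    { next }   # commented-out entry
        /^[ \t]*$/    { next }   # blank line
        $1 == "login" { print FILENAME ":" FNR ": " $0 }
    ' "$1"
}

# Return 0 when no active login entry remains, 1 when one does, 2 if unreadable.
rlogin_disabled() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    [ -z "$(active_login_lines "$1")" ]
}

# Constructed sample files (not taken from a real system).
make_samples() {
    dir=$1
    cat > "$dir/inetd.vulnerable" <<'EOF'
ftp     stream  tcp  nowait  root  /usr/sbin/ftpd     ftpd
login   stream  tcp  nowait  root  /usr/sbin/rlogind  rlogind
EOF
    cat > "$dir/inetd.fixed" <<'EOF'
ftp     stream  tcp  nowait  root  /usr/sbin/ftpd     ftpd
# login   stream  tcp  nowait  root  /usr/sbin/rlogind  rlogind
EOF
    # Indented entry: a sed pattern anchored as ^login would leave it untouched.
    cat > "$dir/inetd.indented" <<'EOF'
  login stream  tcp  nowait  root  /usr/sbin/rlogind  rlogind
EOF
}

SAMPLES=$(mktemp -d)
make_samples "$SAMPLES"
for f in vulnerable fixed indented; do
    if rlogin_disabled "$SAMPLES/inetd.$f"; then
        echo "inetd.$f: rlogin disabled"
    else
        echo "inetd.$f: rlogin ACTIVE"
        active_login_lines "$SAMPLES/inetd.$f"
    fi
done
```

On a real host, call rlogin_disabled /etc/inetd.conf after editing the file and before refreshing inetd.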

- Related references

- Vulnerability author

 

 
