COMMAND

    rlogin

SYSTEMS AFFECTED

    SunOS 5.5.1,  5.5.1_x86, 5.5,  5.5_x86, 5.4,  5.4_x86, 5.3, 4.1.4,
    4.1.3_U1

PROBLEM

    The  rlogin  program  establishes  a  remote login session. Due to
    insufficient bounds checking on  arguments supplied to rlogin,  it
    is possible  to overwrite  the internal  data space  of the rlogin
    program.   As rlogin  is setuid  root, this  vulnerability may  be
    exploited to gain root access.

    L.  Granquist  found  that  with  #105260-01  as  a patch to SunOS
    4.1.4's rlogin program, and the installation instructions as given
    are insufficient.  Patch Installation Instructions:

        1) As root, save a copy of the original file:
           mv /usr/ucb/rlogin /usr/ucb/rlogin.fcs

        2) Copy the new file from the patch directory:
           cp rlogin /usr/ucb
           chown root.staff /usr/ucb/rlogin
           chmod 4755 /usr/ucb/rlogin

    which,  of  course,  leaves  rlogin.fcs  still suid root and still
    exploitable.

SOLUTION

    The vulnerability is  fixed in Solaris  2.6. The vulnerability  in
    rlogin is fixed by the following patches:

        OS version          Patch ID
        __________          ________
        SunOS 5.5.1         104650-02
        SunOS 5.5.1_x86     104651-02
        SunOS 5.5           104669-02
        SunOS 5.5_x86       104670-02
        SunOS 5.4           105254-01
        SunOS 5.4_x86       105255-01
        SunOS 5.3           105253-01
        SunOS 4.1.4         105260-01
        SunOS 4.1.3_U1      105259-01