COMMAND
rlogin/term
SYSTEMS AFFECTED
Systems running rlogin
PROBLEM
The rlogin program provided by many UNIX systems, as well as some
non-UNIX systems, is described in RFC 1282. Here is an excerpt
from that RFC that describes its elemental functionality:
"The rlogin facility provides a remote-echoed, locally flow-
controlled virtual terminal with proper flushing of output.
It is widely used between Unix hosts because it provides
transport of more of the Unix terminal environment semantics
than does the Telnet protocol, and because on many Unix hosts
it can be configured not to require user entry of passwords
when connections originate from trusted hosts."
The key point from this description is that the rlogin program
passes the terminal type description from the local host to the
remote host. This functionality allows terminal-aware programs
such as full-screen text editors to operate properly across a
computer-to-computer connection created with rlogin.
To do this, the rlogin program uses the current terminal
definition as identified by the TERM environment variable. The
protocol described in RFC 1282 explains how this terminal
information is transferred from the local machine where the
rlogin client program is running to the remote machine where
service is sought.
Unfortunately, many implementations of the rlogin program contain
a defect whereby the value of the TERM environment variable is
copied into a fixed-size internal buffer without checking its
length. Because the user sets TERM, a value longer than that buffer
overflows it. In some implementations the buffer is a local
variable, so the overflow overwrites the subroutine call stack and
arbitrary code can be executed. The executed code is under the
control of the user running the rlogin program.
In addition, the rlogin program is set-user-id root. rlogin
requires these increased privileges so it can bind its source port
in the privileged range, as described in the in.rlogind (or rlogind)
manual page:
"The server checks the client's source port. If the port is
not in the range 0-1023, the server aborts the connection."
In summary, rlogin is a set-user-id root program that in many
implementations contains a programming defect whereby an internal
buffer can be overflowed and arbitrary code can be executed as
root. Any user with access to an account on the system can
therefore become root.
Credit for this goes to the CERT Coordination Center and AUSCERT
and DFN-CERT.
SOLUTION
Install a patch from your vendor if one is available.
Berkeley Software Design, Inc. (BSDI) - patch available
ftp://ftp.bsdi.com/bsdi/patches/patches-2.1/U210-021
Cray Research - A Silicon Graphics Company
This problem has been corrected in all currently supported
versions of Unicos.
Digital Equipment Corporation - patch available
DIGITAL UNIX V3.2c, V3.2de1/de2, V3.2g, V4.0, V4.0a, V4.0b.
DIGITAL ULTRIX V4.4 VAX & MIPS, V4.5 VAX and MIPS
FreeBSD, Inc.
This vulnerability is present in FreeBSD 2.1.5 and previous
versions. It was fixed in all FreeBSD source and binary
distributions dated after 1996/07/25.
The following source code patch may be applied to FreeBSD
2.1.5-based distributions, and should work in previous
distributions. Users unable to apply this patch and
recompile the rlogin binary are encouraged to use the wrapper
provided by CERT.
Index: rlogin.c
==============================================================
RCS file: /home/ncvs/src/usr.bin/rlogin/rlogin.c,v
retrieving revision 1.5.4.1
retrieving revision 1.5.4.2
diff -c -r1.5.4.1 -r1.5.4.2
*** rlogin.c 1996/06/23 13:08:27 1.5.4.1
--- rlogin.c 1996/07/25 18:29:35 1.5.4.2
***************
*** 102,107 ****
--- 102,108 ----
char *speeds[] = {
"0", "50", "75", "110", "134", "150", "200", "300", "600", "1200",
"1800", "2400", "4800", "9600", "19200", "38400", "57600", "115200"
+ #define MAX_SPEED_LENGTH (sizeof("115200") - 1)
};
#ifdef OLDSUN
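Review bot: MAX_SPEED_LENGTH is derived from the literal "115200" rather than from the table it describes, so whoever appends a longer entry after `"1800", "2400", "4800", "9600", "19200", "38400", "57600", "115200"` must remember to update the macro as well; a comment beside the define stating that it must equal the longest speeds[] entry would make that coupling visible. Placing the `#define` inside the initializer braces is legal but easy to misread as an array element; moving it above `char *speeds[] = {` would be clearer.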
***************
*** 259,265 ****
exit(1);
}
! (void)strcpy(term, (p = getenv("TERM")) ? p : "network");
if (ioctl(0, TIOCGETP, &ttyb) == 0) {
(void)strcat(term, "/");
(void)strcat(term, speeds[(int)ttyb.sg_ospeed]);
--- 260,270 ----
exit(1);
}
! #define MAX_TERM_LENGTH (sizeof(term) - 1 - MAX_SPEED_LENGTH - 1)
!
! (void)strncpy(term, (p = getenv("TERM")) ? p : "network",
! MAX_TERM_LENGTH);
! term[MAX_TERM_LENGTH] = '\0';
if (ioctl(0, TIOCGETP, &ttyb) == 0) {
(void)strcat(term, "/");
(void)strcat(term, speeds[(int)ttyb.sg_ospeed]);
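Review bot: the TERM copy is now bounded, but `(void)strcat(term, speeds[(int)ttyb.sg_ospeed]);` on the last line of the hunk still indexes the 18-entry speeds[] table without a range check, so a value of sg_ospeed that the table does not cover reads past it; suggest guarding the index against sizeof(speeds)/sizeof(speeds[0]) before the strcat. Also, `MAX_TERM_LENGTH` only works because `term` is an array in this scope (sizeof(term) is the buffer size, not a pointer size), and an oversize TERM is now silently truncated rather than reported; a short comment on both points would help the next reader.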
Hewlett-Packard Corporation - patch available
Apply patch:
PHNE_8807 to HP-UX 10.20 on S700/800
PHNE_8806 to HP-UX 10.10, 10.0X on S700/800
PHNE_8805 to HP-UX 9.X on S700/800
IBM Corporation
Apply the following fix to your system (for AIX 3.2):
APAR - IX57724 (PTF - U442613)
Apply the following fix to your system (for AIX 4.1):
APAR - IX57972
Linux Systems
Linux NetKit 0.08 has a fixed rlogin. All Linux systems using
older NetKits should upgrade to NetKit 0.09.
NEC Corporation
UX/4800: not vulnerable, all versions.
EWS-UX/V(Rel4.2MP): not vulnerable, all versions.
EWS-UX/V(Rel4.2): not vulnerable, all versions.
UP-UX/V(Rel4.2MP): not vulnerable, all versions.
NeXT Software, Inc.
This problem is fixed in OpenStep/Mach release 4.1 and later.
The Open Group
This problem was fixed in OSF's OSF/1 R1.3.3 maintenance
release.
The Santa Cruz Operation (SCO)
SCO is investigating this problem and should a patch be
necessary, SCO will provide updated information.
Until you are able to install the appropriate patch, we recommend
one of the following workarounds:
1. Turn off rlogin (eklogin, klogin).
2. Replace the rlogin program with a wrapper.
URL ftp://info.cert.org/pub/tools/rlogin_wrapper/rlogin_wrapper.c
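The following C program is an added example, not code from the advisory, from CERT's rlogin_wrapper.c, or from any vendor. It serves two passages above: the defect described under PROBLEM (an unchecked copy of TERM into a fixed buffer) shown beside a bounded builder that mirrors the arithmetic of the FreeBSD patch, and workaround 2 (replacing rlogin with a wrapper) in the form of a small wrapper that refuses an oversize or odd-looking TERM before handing the arguments to the real set-user-id rlogin. The buffer size of 1024, the character set allowed in terminal names, and the path /usr/libexec/rlogin.real are assumptions of this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define TERM_BUF 1024                            /* assumed size of rlogin's term[] */
#define MAX_SPEED_LENGTH (sizeof("115200") - 1)  /* longest entry in speeds[] below */
/* Space that must stay free for "/" + speed + NUL, as in the FreeBSD patch. */
#define MAX_TERM_LENGTH (TERM_BUF - 1 - MAX_SPEED_LENGTH - 1)

/* Hypothetical location of the real set-user-id rlogin behind the wrapper. */
#define REAL_RLOGIN "/usr/libexec/rlogin.real"

static const char *speeds[] = {
    "0", "50", "75", "110", "134", "150", "200", "300", "600", "1200",
    "1800", "2400", "4800", "9600", "19200", "38400", "57600", "115200"
};

/* Bounds-checked lookup of the speed table: returns NULL for an index the
 * table does not cover instead of reading past the end of speeds[]. */
const char *speed_name(int idx)
{
    if (idx < 0 || (size_t)idx >= sizeof(speeds) / sizeof(speeds[0]))
        return NULL;
    return speeds[idx];
}

/* The defect the advisory describes: TERM, which the user controls, is
 * copied into a fixed-size buffer with no length check. Kept only for
 * contrast with build_term_safe(); nothing in this example calls it. */
void build_term_unsafe(char term[TERM_BUF], const char *env_term, const char *speed)
{
    (void)strcpy(term, env_term ? env_term : "network");
    (void)strcat(term, "/");
    (void)strcat(term, speed);
}

/* Bounded version mirroring the patch: TERM is cut to MAX_TERM_LENGTH so
 * that "/" plus any table entry always fits in TERM_BUF bytes.
 * Returns 0 when TERM fitted, 1 when it had to be truncated (worth logging
 * on a multi-user host), -1 when the speed string is missing or too long. */
int build_term_safe(char term[TERM_BUF], const char *env_term, const char *speed)
{
    const char *src = env_term ? env_term : "network";
    int truncated = strlen(src) > MAX_TERM_LENGTH;

    if (speed == NULL || strlen(speed) > MAX_SPEED_LENGTH)
        return -1;
    (void)strncpy(term, src, MAX_TERM_LENGTH);
    term[MAX_TERM_LENGTH] = '\0';       /* strncpy does not always terminate */
    (void)strcat(term, "/");
    (void)strcat(term, speed);
    return truncated;
}

/* Wrapper policy: an absent TERM is fine (rlogin falls back to "network");
 * otherwise the value must fit the fixed buffer and use only characters
 * that occur in terminal names (letters, digits, '-', '_', '.', '+').
 * The length bound comes from the patch; the character set is an
 * assumption of this example. Returns 1 if acceptable, 0 if not. */
int term_acceptable(const char *env_term)
{
    size_t i, n;

    if (env_term == NULL)
        return 1;
    n = strlen(env_term);
    if (n == 0 || n > MAX_TERM_LENGTH)
        return 0;
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)env_term[i];
        if (!isalnum(c) && strchr("-_.+", c) == NULL)
            return 0;
    }
    return 1;
}

/* Wrapper entry point: refuse an unacceptable TERM, otherwise pass the
 * original argument vector to the real rlogin unchanged. */
int main(int argc, char *argv[])
{
    const char *env_term = getenv("TERM");

    (void)argc;
    if (!term_acceptable(env_term)) {
        fprintf(stderr, "rlogin: TERM rejected (longer than %zu bytes or bad characters)\n",
                (size_t)MAX_TERM_LENGTH);
        return 1;
    }
    execv(REAL_RLOGIN, argv);
    perror(REAL_RLOGIN);             /* only reached if the exec failed */
    return 1;
}
```

To deploy a wrapper of this kind the real binary is moved to the assumed path and the wrapper, which needs no set-user-id bit of its own, takes its place; the length check alone closes the overflow described above, and the character check is an extra that keeps the value passed to the remote host to what a terminal database would recognise.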