Vulnerability: rlogin

Affected: Ascend MAX/6000

Description:

Sebastian Andersson found a problem with our Ascend Max/6000s (system.sysDescr.0 = "Ascend Max-6000 E1/PRI/BRI/DPNSS S/N: 8392451 Software +7.2.0+") when a dial-in user connects to another machine via rlogin. Some of its users dial in, get a login prompt and are authenticated against a RADIUS server. The RADIUS server tells the users to connect to a Unix server via rlogind.

Normally rlogind authenticates the user, sends a NUL byte to the rlogin client, forks and execs login, and then starts to tunnel I/O between the login process (or shell) and the rlogin client.

Sebastian hacked on an rlogind to authenticate, set up some environment variables and then fork and exec uucico instead of login. After he made that change to the rlogind program, it was able to send the NUL byte and the banner text from uucico (here= ...) in the same IP packet. Once that happens, the MAX sends a lot of "crap" to the dial-in connection instead of the correct text. Running the rlogind program under strace makes it all work correctly (because of the extra delay between the two writes, which splits the authentication confirmation and the I/O into two packets). The crap sometimes contains text from other users' sessions...

Solution:

Sebastian fixed the problem with a sleep after the first write.
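The handshake described above (a leading NUL byte meaning "accepted", with session I/O following immediately in the same stream) is exactly what the MAX mishandled when both parts landed in one segment. The following Python is an added example, not code from the advisory or from Ascend: it models the client side as a stream reader that keys off byte position rather than packet boundaries, so the result is identical whether or not the server paused between its two writes. The banner text `here=examplehost` is a constructed stand-in for the uucico banner, and the class and function names are this example's own.

```python
# Added example: stream-safe handling of the rlogin server's first reply byte.
# Not code from the advisory or from Ascend; the banner text is constructed.
from typing import List, Optional, Tuple


class RloginReader:
    """Consumes server bytes one read() at a time and tracks the handshake.

    Per the rlogin protocol (RFC 1282), the server's first byte is NUL when
    the client has been accepted; every byte after it belongs to the session.
    A non-NUL first byte means rejection and the remaining bytes are an error
    message. Nothing in the protocol promises that the NUL arrives in its own
    TCP segment, so the reader keys off stream position, not packet boundaries.
    """

    def __init__(self) -> None:
        self.accepted: Optional[bool] = None   # None until the first byte arrives
        self.session_data = bytearray()        # tunnelled login/uucico output
        self.error = bytearray()               # server's rejection text

    def feed(self, chunk: bytes) -> None:
        """Handle one chunk as returned by a socket read of any size."""
        if not chunk:
            return
        if self.accepted is None:
            if chunk[0] == 0:
                self.accepted = True
                # The banner may already be here, right behind the NUL.
                self.session_data += chunk[1:]
            else:
                self.accepted = False
                self.error += chunk
        elif self.accepted:
            self.session_data += chunk
        else:
            self.error += chunk


def parse_rlogin_stream(chunks: List[bytes]) -> Tuple[Optional[bool], bytes, bytes]:
    """Run a whole sequence of reads through the reader and report the outcome."""
    reader = RloginReader()
    for chunk in chunks:
        reader.feed(chunk)
    return reader.accepted, bytes(reader.session_data), bytes(reader.error)


# Constructed stand-in for the uucico banner the advisory mentions ("here= ...").
BANNER = b"here=examplehost\n"

# Same bytes, two segmentations: the fast rlogind sent NUL + banner together;
# the sleep workaround (or strace's delay) delivers them as two packets.
SAME_PACKET = [b"\0" + BANNER]
SPLIT_PACKETS = [b"\0", BANNER]


def demo() -> bool:
    """True when both segmentations yield an identical, accepted session."""
    return parse_rlogin_stream(SAME_PACKET) == parse_rlogin_stream(SPLIT_PACKETS) == (True, BANNER, b"")


if __name__ == "__main__":
    print("segmentation-independent:", demo())
```

The sleep the advisory describes forces the second segmentation from the server side, which is a workaround for a client that cannot cope with the first. A client written like the reader above needs no such delay, and it also handles the case where a banner is itself split across reads.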