search for: fd2p

...manual page says, that rcmd() is only to be used by root's processes. On other OSes (Solaris, AIX), trying to call rcmd() without being root simply fails. FreeBSD, however, tries to be helpful and invokes rcmdsh in this case, which is inefficient and leaves the stderr's filedescriptor (fd2p) unfilled. Why? My understanding is, this is to make it harder for would-be attackers to attack machines with .rhosts-based security. But that is nothing more than a bad band-aid anyway -- attacker's own implementation of rcmd() (without the geteuid() checks) is trivial... So, without pro...

...bytes. The hp->h_length variable is taken directly from the DNS reply packet. If we now look at how rcmd() declares it''s variables, and after looking through rlogin with a debugger, we can determine that this is a dangerous situation. int rcmd(ahost, rport, locuser, remuser, cmd, fd2p) char **ahost; u_short rport; const char *locuser, *remuser, *cmd; int *fd2p; { struct hostent *hp; struct sockaddr_in sin, from; fd_set reads; On further testing, and implementation of exploitation code, we can verify that this is indeed...