It gets worse.
> > Upon it's release (April) I ordered the minimum Corel Linux.
> >
> > It's install is great for Windows users, and if they get theiur hands on
> it
> > they can get to Netscape on the web in 27 minutes.
> >
> > If they accept the defaults, they also have a blank root password and
> > telnet server enabled.
You'll also notice that by default the system owner username you enter
makes up the default hostname. So telnet to a user running Corel Linux 1.1,
the login banner appears with the hostname such as:
suid57 login:
In this case system owner username is "suid".
If the user chooses to login as root and never access this account they
are not forced to set a password. It remains passwordless.
Once on the system the 2 exploits i discovered in Corel Linux 1.0 way
back in Feburary 2000 still work. I posted these to bugtraq, corel and
my own website. No response from Corel.
www.suid.kg/advisories/ for these.
Looks to me like Corel arent listening or dont care, perhaps both.
suid_at_suid.kg
Received on Jun 01 2000
Intro
