[27284] in bugtraq


Re: Solaris 2.6, 7, 8

daemon@ATHENA.MIT.EDU (Marco Ivaldi)
Thu Oct 3 21:17:38 2002

Date: Wed, 2 Oct 2002 21:42:04 +0200 (CEST)
From: Marco Ivaldi <raptor@0xdeadbeef.eu.org>
To: <bugtraq@securityfocus.com>
In-Reply-To: <20021002115909.E8CB.BU_ZHENG@sina.com>
Message-ID: <Pine.BSO.4.33.0210022134570.27613-100000@anarch0.rewt.mil>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Wed, 2 Oct 2002, buzheng wrote:

> I do not think this is a new bug.

I completely agree.

> But, the remote setting of TTYPROMPT does matter. You cannot succeed in
> login without remotely changing the TTYPROMPT. This is also the bug
> mentioned in Jonathan's original letter (bid:5531).

That's why this bug is not exploitable using remote applications like
rlogin, ssh (at least if you are not crazy enough to enable the UseLogin
option) or X.25 pad: rlogin and pad aren't able to pass env vars other
than TERM, while ssh normally doesn't use /bin/login for user authentication.

> If you have applied patches for these 2 bugs, you are safe now.
>
> BTW: you can change multiple "c "s to "a=b"s. Actually, since SYS V
> login treats " " as environ var separator, you can also use >=64 words
> separated by " " or "\t". They will all work.

Agreed as well.

:raptor
Antifork Research, Inc.                         ITBH Italian Black Hats
http://www.0xdeadbeef.eu.org                    http://elite.blackhats.it
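
An added example, not part of the original post and not OpenSSH code: a check of an sshd_config for the UseLogin option mentioned in the reply above, which makes sshd use login(1) for interactive sessions. The function names and sample configurations are constructed for illustration; the check assumes only the global section (before the first Match block) is relevant and does not follow included files.

```python
import re

# Keyword, then whitespace or a single '=', then the argument(s).
_LINE = re.compile(r'^\s*([A-Za-z][A-Za-z0-9]*)\s*(?:=\s*|\s+)(.*?)\s*$')


def effective_uselogin(config_text):
    """Return the UseLogin value sshd would take from the global section.

    sshd keeps the first value it reads for a keyword, keywords are
    case-insensitive, and UseLogin defaults to "no" when it is absent.
    """
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue  # blank line or comment
        m = _LINE.match(line)
        if not m:
            continue  # keyword without an argument; nothing to read
        keyword, args = m.group(1).lower(), m.group(2).split()
        if keyword == 'match':
            break  # assumption: only the global section is audited
        if keyword == 'uselogin' and args:
            return args[0].strip('"')  # first occurrence wins
    return 'no'


def audit(config_text):
    """Classify a configuration as OK, FAIL or REVIEW."""
    value = effective_uselogin(config_text)
    if value == 'yes':
        return 'FAIL: UseLogin yes, login(1) is used for interactive sessions'
    if value == 'no':
        return 'OK: UseLogin no, sshd does not use login(1)'
    return 'REVIEW: unrecognised UseLogin value %r' % value


# Constructed sample configurations (not taken from any real host).
SAMPLE_WEAK = "Port 22\nuselogin yes\nUseLogin no\n"
SAMPLE_DEFAULT = "Port 22\n#UseLogin yes\nPermitRootLogin no\n"
SAMPLE_EQUALS = "Protocol 2\nUseLogin = no\nUseLogin yes\n"

if __name__ == '__main__':
    for name, text in (('weak', SAMPLE_WEAK), ('default', SAMPLE_DEFAULT),
                       ('equals', SAMPLE_EQUALS)):
        print(name, '->', audit(text))
```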
