Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: Solaris 2.6, 7, 8
From: Dave Ahmad <da () securityfocus com>
Date: Wed, 2 Oct 2002 11:36:05 -0600 (MDT)


I have confirmed this on a fresh Solaris 8/sparc install.

Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.

SunOS 5.8

bin c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c
c c c c c c c c c c c c c c c c c c c c c c c c c c c c c
Last login: Wed Oct  2 10:47:12 from localhost
Sun Microsystems Inc.   SunOS 5.8       Generic February 2000
$ id
uid=2(bin) gid=2(bin)

I suggest that everyone here who still uses telnet disable it immediately.

These may be fixes for this vulnerablity, however they apply to telnetd
and this vulnerability has to be in login.

Solaris 8: 110668-03
Solaris 8x86: 110669-03

Solaris 7: 107475-04
Solaris 7x86: 107476-04

Solaris 2.6: 106049-04
Solaris 2.6x86: 106050-04

Solaris 2.5.1: 103640-40
Solaris 2.5.1x86: 103641-40

If these are "band-aid" fixes that simply cause telnetd to not pass
TTYPROMPT to /bin/login, the setuid executable may still be exploitable
locally.

David Ahmad
Symantec
KeyID: 0x26005712
Fingerprint: 8D 9A B1 33 82 3D B3 D0 40 EB  AB F0 1E 67 C6 1A 26 00 57 12

On Wed, 2 Oct 2002, Jonathan S wrote:

Hello,

  Solaris 2.6, 7, and 8 /bin/login has a vulnerability involving the
environment variable TTYPROMPT.  This vulnerability has already been
reported to BugTraq and a patch has been released by Sun.
  However, a very simple exploit, which does not require any code to be
compiled by an attacker, exists.  The exploit requires the attacker to
simply define the environment variable TTYPROMPT to a 6 character string,
inside telnet. I believe this overflows an integer inside login, which
specifies whether or not the user has been authenticated (just a guess).
Once connected to the remote host, you must type the username, followed by
64 " c"s, and a literal "\n".  You will then be logged in as the user
without any password authentication.  This should work with any account
except root (unless remote root login is allowed).


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]