Bugtraq mailing list archives

Re: Solaris 2.6, 7, 8
From: buzheng <bu_zheng () sina com>
Date: Wed, 02 Oct 2002 12:00:38 -0400

I do not think this is a new bug. 

Actually, the overflow is not in changing the TTYPROMPT remotely.
In fact, if you just use "a" instead of "abcdef" as TTYPROMPT, it will
still work.
The overflow is that with a long user name with multiple spaces, all the "c "
will be taken as environment. It is the very bug of the SYS V derived login
buffer overflow, bid:3681.

But the remote setting of TTYPROMPT does matter: you cannot succeed in
logging in without remotely changing the TTYPROMPT. This is also the bug
mentioned in Jonathan's original letter (bid:5531).

If you have applied the patches for these two bugs, you are safe now.

BTW: you can change the multiple "c "s to "a=b"s. Actually, since SYS V
login treats " " as the environment variable separator, you can also use >=64
words separated by " " or "\t". They will all work.

-- 
bu,zheng <buzheng2001 () yahoo com>
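
The parsing behaviour the message describes, as an added example that is not part of the original post and is not Solaris source: a model of a SYS V style login reading the user-name line once TTYPROMPT is set, taking the first word as the user name and every further word separated by " " or "\t" as an environment entry stored in a fixed table. The struct layout, the 64-entry limit (MAX_ENV), the line length and all function names (parse_unbounded, parse_bounded, build_payload, env_count_of, parse_payload_words) are assumptions made for illustration; the sample lines are constructed. As the message says, the remote TTYPROMPT setting is what gets login to read such a line at all; the example models only the token parsing that the message says overflows, with the unchecked form beside a bounded one.

```c
/* Added example (not Solaris source, not code from the message above):
 * a model of how a SYS V style login reads the user-name line when
 * TTYPROMPT is set. The struct layout, the MAX_ENV limit of 64 entries
 * and every function name here are assumptions made for illustration.
 * The first word on the line is the user name; every further word
 * separated by ' ' or '\t' is stored as an environment entry in a fixed
 * table; a parser that never checks the table size writes past it once
 * 64 or more such words arrive. */
#include <stdio.h>
#include <string.h>

#define MAX_ENV      64     /* assumed capacity of the env table */
#define LINE_MAX_LEN 1024   /* assumed maximum line length */
#define SEPARATORS   " \t"  /* separators the message says login honours */

struct login_line {
    char  buf[LINE_MAX_LEN];  /* private, tokenised copy of the input */
    char *user;               /* first word */
    char *env[MAX_ENV];       /* following words, NULL-terminated */
    int   nenv;               /* entries stored in env[] */
};

static void copy_line(struct login_line *l, const char *line)
{
    strncpy(l->buf, line, LINE_MAX_LEN - 1);
    l->buf[LINE_MAX_LEN - 1] = '\0';
    l->user = strtok(l->buf, SEPARATORS);
    l->nenv = 0;
}

/* Vulnerable form (modelled): every word after the user name is stored
 * without comparing nenv against MAX_ENV, so 64 or more words overrun
 * env[] into whatever follows it in memory. Kept only to show the
 * missing check; do not feed it untrusted input. */
void parse_unbounded(struct login_line *l, const char *line)
{
    copy_line(l, line);
    for (char *w = strtok(NULL, SEPARATORS); w; w = strtok(NULL, SEPARATORS))
        l->env[l->nenv++] = w;       /* no bound on nenv */
    l->env[l->nenv] = NULL;
}

/* Hardened form: identical tokenising, but the table size is enforced.
 * Returns the number of env entries stored, or -1 when the line has no
 * user name or carries more entries than the table can hold. */
int parse_bounded(struct login_line *l, const char *line)
{
    copy_line(l, line);
    if (l->user == NULL)
        return -1;                   /* empty or blank line */
    for (char *w = strtok(NULL, SEPARATORS); w; w = strtok(NULL, SEPARATORS)) {
        if (l->nenv >= MAX_ENV - 1)  /* keep room for the NULL terminator */
            return -1;
        l->env[l->nenv++] = w;
    }
    l->env[l->nenv] = NULL;
    return l->nenv;
}

/* Builds a constructed line "user word word ..." with nwords copies of
 * word, the shape the message describes. Returns 0, or -1 if it does not
 * fit in out. */
int build_payload(const char *user, const char *word, int nwords,
                  char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s", user);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    size_t used = (size_t)n;
    for (int i = 0; i < nwords; i++) {
        n = snprintf(out + used, outlen - used, " %s", word);
        if (n < 0 || (size_t)n >= outlen - used)
            return -1;
        used += (size_t)n;
    }
    return 0;
}

/* Parses a literal line with the hardened parser; see parse_bounded. */
int env_count_of(const char *line)
{
    static struct login_line l;
    return parse_bounded(&l, line);
}

/* Parses a constructed line of nwords copies of word after the user name
 * "alice" with the hardened parser. -2 means the line could not be built. */
int parse_payload_words(const char *word, int nwords)
{
    static char line[LINE_MAX_LEN];
    if (build_payload("alice", word, nwords, line, sizeof line) != 0)
        return -2;
    return env_count_of(line);
}

int main(void)
{
    printf("alice TERM=vt100 HOME=/tmp -> %d entries\n",
           env_count_of("alice TERM=vt100 HOME=/tmp"));
    printf("63 x \"c\"   -> %d\n", parse_payload_words("c", 63));
    printf("64 x \"c\"   -> %d (rejected: would overrun the table)\n",
           parse_payload_words("c", 64));
    printf("64 x \"a=b\" -> %d (rejected as well)\n",
           parse_payload_words("a=b", 64));
    return 0;
}
```

The bounded parser treats "c", "a=b" and tab-separated words identically, which is the point the message makes: the content of the words does not matter, only how many of them land in the fixed table, so the check belongs on the entry count rather than on what each entry looks like.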

