Home page logo

pen-test logo Penetration Testing mailing list archives

Re: Bypassing Authentication through Telnet / SSH
From: Marco Ivaldi <raptor () mediaservice net>
Date: Sat, 5 Jan 2008 21:45:14 +0100 (ora solare Europa occidentale)


On Sat, 29 Dec 2007, Chadha, Sachin wrote:

HI All,

How can we bypass Authentication (with out giving password) in
Solaris/Linux server using Telnet/SSH and gaining root privileges.

Is there any Exploit Available.?

I know one for Solaris 10. Any other?

Just a couple of hints off the top of my head:

http://milw0rm.com/exploits/3293 <- probably the one you mention
http://milw0rm.com/exploits/57 <- one of my personal all time favs;)

Beside these obvious examples, there are dozens of different tricks to bypass authentication with Telnet, SSH, and other services as well, depending on target configuration: think about PAM (i recall a nasty bug specific to OpenSSH 3.7.1p1 that allowed remote authentication bypass, if some simple conditions were met), Kerberos, hosts.equiv and .rhosts, SSH pubkeys, and all kinds of implicit or explicit trusts... Not to mention pre-authentication overflows and the like.

Finally, specially on private networks, it's not uncommon to find accounts with predictable passwords. Therefore, sometimes an actual authentication bypass exploit is not even needed;)


Marco Ivaldi, OPST
Chief Security Officer    Data Security Division
@ Mediaservice.net Srl    http://mediaservice.net/

This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!


  By Date           By Thread  

Current thread:
  • Re: Bypassing Authentication through Telnet / SSH Marco Ivaldi (Jan 08)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]