Bugtraq mailing list archives

RE: Solaris 2.6, 7, 8


From: "Morgan" <morgan () sexter com>
Date: Mon, 8 Apr 2002 03:41:07 -0400

    This is nothing more than a newly disclosed way of exploiting an old
bug, hardly newsworthy unless you're in the dot slash hacking business.  In
the spirit of giving credit where credit is due, I'd like to note that the
bug was originally found by duke (ISS/ADM) of course. This method of
exploitation, to the best of my knowledge, was first used by Brian
McWilliams (bmcw@AOLIM).
    This is very similar to how I exploited it, but instead of using fflag
to force auth, I used malloc.  The problem is in the getargs function inside
login, which is called in multiple places.  A buffer is parsed into a static
char pointer array of size 64. Whitespace is a separator, and no bounds
checking is done. Patch has been available for a long time, but you don't
need it if you use ISS IDS, because you are automatically protected
according to ISS's statement:
ISS RealSecure Network Sensor customers are currently protected from
this vulnerability. Support for this issue was included in X-Press
Update version 3.3 as the "TelnetExcessiveTabs" signature. This
signature will be included in the next RealSecure Server Sensor.

ISS Internet Scanner X-Press Update 6.1 for Internet Scanner version
6.2.1 included support for this issue with the TelnetTabBO check.

ISS BlackICE customers are protected from this vulnerability by the
"2000902 Telnet login name overflow" signature.

original findings by duke:
http://xforce.iss.net/alerts/advise105.php

my exploit:
http://archives.neohapsis.com/archives/bugtraq/2002-03/0218.html

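A constructed C illustration of the parsing flaw the message describes, added here and not Solaris's login code or the poster's exploit: a whitespace tokenizer that fills a 64-entry pointer array, written with the bounds check the original lacked. MAXARGS, getargs_checked and tokenize_fields are hypothetical names.

```c
#include <ctype.h>
#include <stddef.h>

/* Size of the static argument array described in the message. */
#define MAXARGS 64

/* Constructed illustration, not Solaris's getargs(): split buf in place on
 * whitespace into argv[0..maxargs-1].  The flawed pattern described above has
 * no "n >= maxargs" test and keeps storing pointers past the end of the
 * array; this version stops and returns -1 instead. */
int getargs_checked(char *buf, char **argv, size_t maxargs)
{
    size_t n = 0;
    char *p = buf;
    while (*p != '\0') {
        while (*p != '\0' && isspace((unsigned char)*p))   /* skip separator */
            p++;
        if (*p == '\0')
            break;
        if (n >= maxargs)           /* the missing bounds check */
            return -1;
        argv[n++] = p;
        while (*p != '\0' && !isspace((unsigned char)*p))  /* end of token */
            p++;
        if (*p != '\0')
            *p++ = '\0';            /* terminate the token, move on */
    }
    return (int)n;
}

/* Builds a login-style line of `fields` tab-separated one-letter fields and
 * tokenizes it; returns getargs_checked()'s result (-2 if the line would not
 * fit the scratch buffer).  64 fields fit the array, 65 are rejected. */
int tokenize_fields(size_t fields)
{
    char line[256];
    char *argv[MAXARGS];
    size_t i, len = 0;
    if (fields * 2 + 1 > sizeof line)
        return -2;
    for (i = 0; i < fields; i++) {
        line[len++] = 'a';
        line[len++] = '\t';
    }
    line[len] = '\0';
    return getargs_checked(line, argv, MAXARGS);
}
```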