@lists.grok.org.uk
Subject: Re[2]: Solaris telnet vulnberability - how many on your
network?
Dear Marc,
This is hilarious, should there ever be a Top10 of the most weird bugs,
this surely is one of them, repost for pure amusement :
Solaris 2.6, 7, and 8 /bin/login has a vulnerability involving the
environment variable TTYPROMPT. This vulnerability has already been
reported to BugTraq
Cromar Scott said:
I know that my initial reaction was "haven't I seen this before?"
but the above two are what I found in my notes when I looked back.
There are at least 20 FTP server implementations that have had buffer
overflows with a long USER command. HTTP GET directory traversals are
Nate Eldredge wrote:
I have now set up a virtual Solaris 8 box to test this with root access,
and it appears you are correct. When run as root, login -f root
presents a login prompt, just like login without arguments. So it is
not supported in the sense of having the Solaris 10 documented
Scott,
On Sat, 17 Feb 2007, Cromar Scott wrote:
I have to wonder if the old bug complaints are coming in reference to
one of the following:
http://www.securityfocus.com/bid/3064/info
http://www.securityfocus.com/bid/5531/info
I know that my initial reaction was "haven't I seen this before?"
From: Nate Eldredge [mailto:[EMAIL PROTECTED]
Sent: Friday, 16 February, 2007 21:42
On Sat, 17 Feb 2007, Darren Reed wrote:
Solaris's /bin/login has never supported the -f command line
option
until Solaris 10 (RTFM) so this exploit was just plain not possible.
That is not correct.
I believe in the early 90's there was a serious problem discovered in intel
chips that allowed certain standard code to be run to overflow programs
arbitrarily and gain access to operating systems in an administrative capacity.
Also I remember the redhat (back in the day) repository being
On Fri, 16 Feb 2007, jf wrote:
There have also been too many times in the past when they have been proven
correct to ignore the possibility any longer.
Hi, in what instances has the conjecture that a bug was a deliberate
backdoor been proven correct?
If Peter is crying WOLF all the time.
In some mail from [EMAIL PROTECTED], sie said:
1) This seems like a case of old code somehow creeping back in to the
current versions, and that's a phenomenon I've seen happen at a couple of
different places that I've worked at over the years. It's kind of a
special case of version
On Sat, 17 Feb 2007, Darren Reed wrote:
In some mail from [EMAIL PROTECTED], sie said:
1) This seems like a case of old code somehow creeping back in to the
current versions, and that's a phenomenon I've seen happen at a couple of
different places that I've worked at over the years. It's kind
On 16 Feb 2007 [EMAIL PROTECTED] wrote:
I believe in the early 90's there was a serious problem discovered in intel
chips that allowed certain standard code to be run to overflow programs
arbitrarily and gain access to operating systems in an administrative
capacity.
Also I remember the
I have to wonder if the old bug complaints are coming in reference to
one of the following:
http://www.securityfocus.com/bid/3064/info
http://www.securityfocus.com/bid/5531/info
My déjà vu was of
http://www.cert.org/advisories/CA-1994-09.html
It wasn't hard to find in old email, google is
http://www.acm.org/classics/sep95/
Thanks to Cromar Scott for the link.
Great anecdotes there.
I especially liked his comments about companies: "You cannot trust code that you
didn't totally create yourself. (Especially code from companies that employ
people like me)."
Exactly the thought that
Dear Casper Dik,
I wasn't crying wolf about a Backdoor, heck I am not Steve Gibson. I
was asking whether somebody will investigate why this hasn't been
caught by audits or simply QA ?
CDSC And one which was too easy to discover;
You said it, it's easy to discover, so who has discovered it? Sun ?
I wonder if that's the attitude the NSA and CIA had before the world trade
centre came down ?
The idea isn't world domination via telnet, but infamy via one malicious act.
You cannot ever really trust code that you don't write yourself.
You can run around with fantasies of world domination via
I believe in the early 90's there was a serious problem discovered in intel
chips that allowed certain standard code to be run
to overflow programs arbitrarily and gain access to operating systems in
an administrative capacity.
Also I remember the redhat (back in the day) repository being
Let's taper off this thread. It's getting downright boring.
Thanks,
Anthony Nemmer
We are kind of going around and around, but there's a couple of
aspects to this that haven't even been talked about:
1) This seems like a case of old code somehow creeping back in to the
current versions,
Let's taper off this thread. It's getting downright boring.
Thanks,
Anthony Nemmer
jf wrote:
I believe in the early 90's there was a serious problem discovered in intel
chips that allowed certain standard code to be run
to overflow programs arbitrarily and gain access to operating systems in
: ***PossibleSPAM*** Re: Re: Solaris telnet vulnberability - how
many on your network?
Ken Thompson pulled a famous prank back in the old days. He refers to
it in the following:
http://www.acm.org/classics/sep95/
I've heard a few different versions of this story, some of which would
fit your
On Tue, 13 Feb 2007, Gadi Evron wrote:
We all agree it is not a very likely possibility, but I wouldn't rule it
out completely just yet until more information from Sun becomes
available.
What more information do you need? You have an advisory, access to the
source code, access to the change
wow reminds me of back in the day ... haven't seen one of these in years.
Thefinn
In some mail from Joe Shamblin, sie said:
How about just uncommenting the following from /etc/default/login
# If CONSOLE is set, root can only login on that device.
# Comment this line out to allow remote login by root.
#
CONSOLE=/dev/console
Not a fix to be sure, but at least prevents a
PROTECTED]
Sent: Thursday, February 15, 2007 1:49 AM
To: [EMAIL PROTECTED]
Cc: bugtraq@securityfocus.com
Subject: Re: Re[2]: Solaris telnet vulnberability - how many on your
network?
In some mail from Thierry Zoller, sie said:
CDSC real back doors are better
I like that tautology, real backdoors
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 15, 2007 10:07 AM
To: bugtraq@securityfocus.com
Subject: Re: Re: Solaris telnet vulnberability - how many on your
network?
On Tue, 13 Feb 2007, Gadi Evron wrote:
IMO fixing security bugs at short
There have also been too many times in the past when they have been proven
correct to ignore the possibility any longer.
Hi, in what instances has the conjecture that a bug was a deliberate
backdoor been proven correct?
The simplest possible fix on such short notice:
http://cvs.opensolaris.org/source/diff/onnv/onnv-gate/usr/src/cmd/cmd-inet/usr.sbin/in.telnetd.c?r2=3629r1=2923
Casper
How about just uncommenting the following from /etc/default/login
# If CONSOLE is set, root can only login on that
[EMAIL PROTECTED] wrote:
On Tue, 13 Feb 2007 [EMAIL PROTECTED] wrote:
On Tue, 13 Feb 2007 [EMAIL PROTECTED] wrote:
Am I missing something? This vulnerability is close to 10 years old.
It was in one of the first versions of Solaris after Sun moved off of
the SunOS BSD platform and over to
updates.
Roger A. Grimes
-Original Message-
From: Thierry Zoller [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 13, 2007 7:32 PM
To: bugtraq@securityfocus.com
Subject: Re[2]: Solaris telnet vulnberability - how many on your
network?
Dear Casper Dik,
I wasn't crying wolf about
On Monday 12 February 2007 07:00, Gadi Evron wrote:
Update from HD Moore:
but this bug isnt -froot, its -fanythingbutroot =P
Confirmed.
If the server permits logins from outside (maybe via SSH only - protection
provided by a local or network) and has telnetd enabled any user can login
as
To: Oliver Friedrichs
Cc: bugtraq@securityfocus.com; full-disclosure@lists.grok.org.uk
Subject: RE: Solaris telnet vulnberability - how many on your network?
On Mon, 12 Feb 2007, Oliver Friedrichs wrote:
Am I missing something? This vulnerability is close to 10 years old.
It was in one
hi,
I tested with SunOS 5.7, 5.8, 5.9 and 5.10. Only SunOS 5.19 and
Solaris 10(Sparc) seems to be vulnerable with my systems.
On 2/12/07, Vincent Archer [EMAIL PROTECTED] wrote:
On Mon, Feb 12, 2007 at 12:00:30AM -0600, Gadi Evron wrote:
Johannes Ullrich from the SANS ISC sent this to me and
Gadi.
-Original Message-
From: Gadi Evron [mailto:[EMAIL PROTECTED]
Sent: Sunday, February 11, 2007 10:01 PM
To: bugtraq@securityfocus.com
Cc: full-disclosure@lists.grok.org.uk
Subject: Solaris telnet vulnberability - how many on your network?
Johannes Ullrich from
.
Gadi.
Oliver
-Original Message-
From: Gadi Evron [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 13, 2007 1:46 AM
To: Oliver Friedrichs
Cc: bugtraq@securityfocus.com; full-disclosure@lists.grok.org.uk
Subject: RE: Solaris telnet vulnberability - how many on your network
Am I missing something? This vulnerability is close to 10 years old.
It was in one of the first versions of Solaris after Sun moved off of
the SunOS BSD platform and over to SysV. It has specifically to do with
how arguments are processed via getopt() if I recall correctly.
You're confused
On Tue, 13 Feb 2007, Gadi Evron wrote:
I have to agree with a previous poster and suspect (only suspect) it
could somehow be a backdoor rather than a bug.
You're attributing malice to what could be equally well (or better!)
explained by incompetence or gross negligence. The latter two haunt
Hi,
Solaris is now Open Source, so you can see yourself at
http://cvs.opensolaris.org/source/diff/onnv/onnv-gate/usr/src/cmd/cmd-inet/usr.sbin/in.telnetd.c?r2=3629r1=2923
what the problem and its resolution are.
There are also the blogs by Alan Hargreaves from SUN Australia at
On Tue, 13 Feb 2007 [EMAIL PROTECTED] wrote:
Am I missing something? This vulnerability is close to 10 years old.
It was in one of the first versions of Solaris after Sun moved off of
the SunOS BSD platform and over to SysV. It has specifically to do with
how arguments are processed
On Tue, 13 Feb 2007, Gadi Evron wrote:
On Tue, 13 Feb 2007 [EMAIL PROTECTED] wrote:
On Tue, 13 Feb 2007 [EMAIL PROTECTED] wrote:
Am I missing something? This vulnerability is close to 10 years old.
It was in one of the first versions of Solaris after Sun moved off of
the
On Tue, 13 Feb 2007 [EMAIL PROTECTED] wrote:
On Tue, 13 Feb 2007 [EMAIL PROTECTED] wrote:
Am I missing something? This vulnerability is close to 10 years old.
It was in one of the first versions of Solaris after Sun moved off of
the SunOS BSD platform and over to SysV. It has
Yeah, a backdoor is a remote possibility. But it's also an arbitrary and
needlessly complex one. Maybe it's a nefarious plot by our UFO-appointed
shadow government, but chances are, it's not (they have better things to
do today).
And one which was too easy to discover; real back doors are better
On Mon, Feb 12, 2007 at 12:00:30AM -0600, Gadi Evron wrote:
Johannes Ullrich from the SANS ISC sent this to me and then I saw it on
the DSHIELD list:
Tested around, and it does indeed work, on all Solaris 10 (sparc x86).
Update from HD Moore:
but this bug isnt -froot, its -fanythingbutroot
funny, that bug seems to have been around for some time ^^
http://osvdb.org/displayvuln.php?osvdb_id=1007
--
best rgds, armin walland
focus market research
IT :: development, administration
http://www.focusmr.com
maculangasse 8
1220 wien
+43 (0)1-258 97 01 291
please try not to send me HTML
Johannes Ullrich from the SANS ISC sent this to me and then I saw it on
the DSHIELD list:
If you run Solaris, please check if you got telnet enabled NOW. If you
can, block port 23 at your perimeter. There is a fairly trivial
Solaris telnet 0-day.
telnet -l -froot [hostname]