On Wed, Oct 02, 2002 at 12:13:09PM -0400, Jonathan S wrote:
> Hello,
>
> Solaris 2.6, 7, and 8 /bin/login has a vulnerability involving the
> environment variable TTYPROMPT. This vulnerability has already been
> reported to BugTraq and a patch has been released by Sun.
> However, a very simple exploit, which does not require any code to be
> compiled by an attacker, exists. The exploit requires the attacker to
> simply define the environment variable TTYPROMPT to a 6 character string,
> inside telnet. I believe this overflows an integer inside login, which
> specifies whether or not the user has been authenticated (just a guess).
> Once connected to the remote host, you must type the username, followed by
> 64 " c"s, and a literal "\n". You will then be logged in as the user
> without any password authentication. This should work with any account
> except root (unless remote root login is allowed).
>

Looks like Solaris 9 is not vulnerable to this:

[idubraws@elrond idubraws] 6 $ telnet
telnet> environ define TTYPROMPT abcdef
telnet> o 192.168.155.2
Trying 192.168.155.2...
Connected to 192.168.155.2.
Escape character is '^]'.

SunOS 5.9

login:

It automatically drops you to the login prompt. Perhaps this is fixed by a
patch that got rolled into 9?

Ido

--
===============================================================================
|Ido Dubrawsky                     E-mail: idubraws@cisco.com       |      |
|Network Consulting Engineer                                       :|:    :|:
|VSEC Technical Marketing, SAFE Architecture                      :|||:  :|||:
|Cisco Systems, Inc.                                          .:|||||||:..:|||||||:.
|Austin, TX. 78759
===============================================================================
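An added detection example, not part of the thread and not Sun's or Cisco's code: the `environ define` command in the session above makes the telnet client send a NEW-ENVIRON subnegotiation (RFC 1572, option 39) carrying the variable. A monitor on the telnet port can decode that subnegotiation and flag any TTYPROMPT definition, since no ordinary client has reason to export it, whether or not the login binary behind it is patched. The option and command byte values are from RFC 1572; the byte sample at the bottom is constructed, not captured traffic.

```python
"""Flag TTYPROMPT definitions inside telnet NEW-ENVIRON subnegotiations.

Added example (not from the original mailing-list thread). Constants are
the RFC 1572 / RFC 854 values; SAMPLE_STREAM is constructed, not captured.
"""

# RFC 854 telnet command bytes
IAC, SB, SE = 255, 250, 240
# RFC 1572 NEW-ENVIRON option number and its command / type codes
NEW_ENVIRON = 39
IS, SEND, INFO = 0, 1, 2
VAR, VALUE, ESC, USERVAR = 0, 1, 2, 3


def extract_subnegotiations(stream: bytes):
    """Return [(option, body)] for every IAC SB <option> ... IAC SE in stream.

    IAC IAC inside the body is unescaped to a single 0xFF byte. A body cut
    off by end of stream is returned as-is so a partial capture still yields
    whatever was parsed before the truncation.
    """
    found = []
    i = 0
    while i < len(stream) - 1:
        if stream[i] == IAC and stream[i + 1] == SB and i + 2 < len(stream):
            option = stream[i + 2]
            j = i + 3
            body = bytearray()
            while j < len(stream):
                if stream[j] == IAC:
                    if j + 1 < len(stream) and stream[j + 1] == IAC:
                        body.append(IAC)
                        j += 2
                        continue
                    if j + 1 < len(stream) and stream[j + 1] == SE:
                        j += 2
                    break  # IAC SE, or malformed IAC <other>: end of body
                body.append(stream[j])
                j += 1
            found.append((option, bytes(body)))
            i = j
        else:
            i += 1
    return found


def parse_new_environ(body: bytes):
    """Decode a NEW-ENVIRON IS/INFO body into [(kind, name, value)].

    kind is 'VAR' or 'USERVAR'; value is None when no VALUE field followed
    the name (RFC 1572 allows that to mean "undefined"). ESC escapes the
    byte after it so names/values may contain the type codes themselves.
    """
    if not body or body[0] not in (IS, INFO):
        return []  # SEND is server->client and carries no definitions
    entries = []
    target = None  # bytearray currently being filled (name or value)
    i = 1
    while i < len(body):
        b = body[i]
        if b in (VAR, USERVAR):
            entries.append({"kind": "VAR" if b == VAR else "USERVAR",
                            "name": bytearray(), "value": None})
            target = entries[-1]["name"]
        elif b == VALUE and entries:
            entries[-1]["value"] = bytearray()
            target = entries[-1]["value"]
        elif b == ESC:
            i += 1
            if i < len(body) and target is not None:
                target.append(body[i])
        elif target is not None:
            target.append(b)
        i += 1
    return [(e["kind"],
             e["name"].decode("ascii", "replace"),
             None if e["value"] is None else e["value"].decode("ascii", "replace"))
            for e in entries]


def find_ttyprompt(stream: bytes):
    """Return every TTYPROMPT value a client pushed in this stream."""
    hits = []
    for option, body in extract_subnegotiations(stream):
        if option != NEW_ENVIRON:
            continue
        for _kind, name, value in parse_new_environ(body):
            if name == "TTYPROMPT":
                hits.append(value or "")
    return hits


# Constructed client->server bytes: IS, VAR USER=jdoe, USERVAR TTYPROMPT=abcdef
SAMPLE_STREAM = (b"\xff\xfa\x27\x00" + b"\x00USER\x01jdoe"
                 + b"\x03TTYPROMPT\x01abcdef" + b"\xff\xf0")
# Constructed benign stream: only USER is exported
BENIGN_STREAM = b"\xff\xfa\x27\x00\x00USER\x01jdoe\xff\xf0"

if __name__ == "__main__":
    for label, data in (("sample", SAMPLE_STREAM), ("benign", BENIGN_STREAM)):
        hits = find_ttyprompt(data)
        status = "ALERT" if hits else "ok"
        print(f"{label}: {status} TTYPROMPT={hits}")
```

The alert fires on any TTYPROMPT definition, not only the 6-byte case the thread mentions, because the variable has no legitimate client-side use; the length is still reported so an analyst can compare it with the value in the report.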