Fun ole exploit. Of course, it doesn't have to be C's. I use numbers 1-9 and 0, repeated so it's easier to count 64 characters. It can be nearly any character, as long as you have the spaces in between. It doesn't even have to be 64 characters all the time, but it normally has to be 64 or slightly more. I've even messed up on the end portion, putting a / slash instead of a backward slash, because I'm a Windows guy of course. It works every time the way it is said below (with any character) though, but it is forgiving at times. I've taught this exploit hundreds of times to students in Foundstone's Ultimate Hacking Expert class, and most students mess it up the first time and it still often works. And of course, you can use root if root is not prevented from doing remote telnet logons. Note, however, if you mess it up the first time, exit all the way back out of telnet, and get back in, to begin again.

Roger

*******************************************************************
*Roger A. Grimes, Senior Security Consultant
*Microsoft Application Consulting and Engineering (ACE) Services
*http://blogs.msdn.com/ace_team/default.aspx
*CPA, CISSP, MCSE: Security (2000/2003/MVP), CEH, yada...yada...
*email: roger@xxxxxxxxxxxxxx or rogrim@xxxxxxxxxxxxx
*******************************************************************

-----Original Message-----
From: Thierry Zoller [mailto:Thierry@xxxxxxxxx]
Sent: Wednesday, February 21, 2007 1:58 PM
To: bugtraq@xxxxxxxxxxxxxxxxx
Cc: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: Re[2]: Solaris telnet vulnerability - how many on your network?

Dear Marc,

This is hilarious, should there ever be a Top10 of the most weird bugs, this surely is one of them, repost for pure amusement:

Solaris 2.6, 7, and 8 /bin/login has a vulnerability involving the environment variable TTYPROMPT. This vulnerability has already been reported to BugTraq and a patch has been released by Sun.

However, a very simple exploit, which does not require any code to be compiled by an attacker, exists. The exploit requires the attacker to simply define the environment variable TTYPROMPT to a 6 character string, inside telnet. I believe this overflows an integer inside login, which specifies whether or not the user has been authenticated (just a guess). Once connected to the remote host, you must type the username, followed by 64 " c"s, and a literal "\n". You will then be logged in as the user without any password authentication. This should work with any account except root (unless remote root login is allowed).

Example:

coma% telnet
telnet> environ define TTYPROMPT abcdef
telnet> o localhost
SunOS 5.8
bin c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c\n
Last login: whenever
$ whoami
bin

--
http://secdev.zoller.lu
Thierry Zoller
Fingerprint : 5D84 BFDC CD36 A951 2C45 2E57 28B3 75DD 0AC6 F1C7
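The `environ define TTYPROMPT abcdef` step in the repost travels over the wire as a telnet NEW-ENVIRON (or older ENVIRON) subnegotiation, which is what a network sensor or telnet proxy can watch for on the way to any unpatched login. The following detection helper is an added example, not code from either message in this thread or from Sun; it parses the IAC SB ... IAC SE blocks in a captured client-to-server byte stream, decodes the VAR/VALUE/USERVAR/ESC encoding from RFC 1572, and reports any attempt to export TTYPROMPT. The option and marker constants follow RFC 1572; the two session byte strings are constructed samples, not captured traffic.

```python
"""Flag telnet environment subnegotiations that export TTYPROMPT.

Added example for the thread above; not the original post's code.
Constants follow RFC 1572 (NEW-ENVIRON) and RFC 1408 (ENVIRON).
"""

IAC, SB, SE = 255, 250, 240
ENVIRON, NEW_ENVIRON = 36, 39        # telnet option codes
IS, SEND, INFO = 0, 1, 2             # subnegotiation commands
VAR, VALUE, ESC, USERVAR = 0, 1, 2, 3  # payload markers (RFC 1572 values;
                                       # some old ENVIRON clients swapped
                                       # VAR/VALUE, see RFC 1571)

SUSPICIOUS_VARS = {"TTYPROMPT"}      # no legitimate client needs to send this


def iter_subnegotiations(stream: bytes):
    """Yield (option, payload) for each IAC SB <option> ... IAC SE block.

    A doubled IAC inside the payload is unescaped to a single 0xFF byte.
    A block truncated before its IAC SE is dropped rather than guessed at.
    """
    i, n = 0, len(stream)
    while i < n - 1:
        if stream[i] != IAC or stream[i + 1] != SB or i + 2 >= n:
            i += 1
            continue
        option = stream[i + 2]
        payload = bytearray()
        j = i + 3
        while j < n:
            b = stream[j]
            if b == IAC and j + 1 < n and stream[j + 1] == SE:
                yield option, bytes(payload)
                j += 2
                break
            if b == IAC and j + 1 < n and stream[j + 1] == IAC:
                payload.append(IAC)
                j += 2
                continue
            payload.append(b)
            j += 1
        i = j


def parse_environ(payload: bytes):
    """Decode an ENVIRON/NEW-ENVIRON payload into (command, entries).

    entries is a list of (kind, name, value) with kind "VAR" or "USERVAR";
    value is None when no VALUE marker followed the name. An ESC byte quotes
    the next byte so that names/values may contain the marker values 0..3.
    """
    if not payload:
        return None, []
    command = payload[0]
    entries, kind, name, value, current = [], None, bytearray(), None, None

    def flush():
        if kind is not None:
            entries.append((kind, name.decode("latin-1"),
                            None if value is None else value.decode("latin-1")))

    i = 1
    while i < len(payload):
        b = payload[i]
        if b == ESC and i + 1 < len(payload):
            if current is not None:
                current.append(payload[i + 1])   # quoted literal byte
            i += 2
            continue
        if b in (VAR, USERVAR):
            flush()
            kind = "VAR" if b == VAR else "USERVAR"
            name, value = bytearray(), None
            current = name
        elif b == VALUE:
            value = bytearray()
            current = value
        elif current is not None:
            current.append(b)
        i += 1
    flush()
    return command, entries


def find_ttyprompt_abuse(stream: bytes):
    """Return one alert string per suspicious variable exported by the client."""
    alerts = []
    for option, payload in iter_subnegotiations(stream):
        if option not in (ENVIRON, NEW_ENVIRON):
            continue
        command, entries = parse_environ(payload)
        if command not in (IS, INFO):      # only IS/INFO carry client values
            continue
        for kind, name, value in entries:
            if name.upper() in SUSPICIOUS_VARS:
                alerts.append(f"{kind} {name}={value!r} (len {len(value or '')})")
    return alerts


# Constructed sample streams (client -> server), not captured traffic.
BENIGN_SESSION = (bytes([IAC, SB, NEW_ENVIRON, IS, VAR]) + b"USER" + bytes([VALUE]) + b"bin"
                  + bytes([VAR]) + b"DISPLAY" + bytes([VALUE]) + b"coma:0" + bytes([IAC, SE]))
SUSPECT_SESSION = (bytes([IAC, SB, NEW_ENVIRON, IS, VAR]) + b"USER" + bytes([VALUE]) + b"bin"
                   + bytes([USERVAR]) + b"TTYPROMPT" + bytes([VALUE]) + b"abcdef"
                   + bytes([IAC, SE]) + b"bin c c c\r\n")

if __name__ == "__main__":
    for label, s in (("benign", BENIGN_SESSION), ("suspect", SUSPECT_SESSION)):
        print(label, find_ttyprompt_abuse(s))
```

The check fires on any TTYPROMPT export regardless of its length, since the repost's "6 character string" is an observation about one working value rather than a boundary a detector should trust. An alert is a signal to confirm that the host carries Sun's patch for this bug and that, as Roger's reply notes, root is not permitted to log in remotely over telnet.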