[VulnWatch] vuln in login under solaris
From: Keven Belanger (kbelanger@logicon.ca)Date: 09/05/02
- Previous message: Roy Hills: "[VulnWatch] SecuRemote usernames can be guessed or sniffed using IKE exchange"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 5 Sep 2002 11:29:39 -0400 From: "Keven Belanger" <kbelanger@logicon.ca> To: <vulnwatch@vulnwatch.org>
Name : Keven Belanger
E-mail : kbelanger@logicon.ca
Phone / fax : (819) 825-8049 x7717
Affiliation and address: Logicon inc.
100, des Distributeurs
Val-d'Or (Quebec)
Canada J9P 6Y1
Have you reported this to the vendor? yes
If so, please let us know whom you've contacted:
Date of your report : September 05, 2002
Vendor contact e-mail : security-alert@sun.com
CERT have been advised too...
Please describe the vulnerability.
---------------------------------
Unlike other unix based OS, when Solaris authenticate the user it let
the user
came in even if the password is not really "correct" Let me explain:
My username is sysadmin
My password is qwerty
If I log on with sysadmin/qwerty it work
If I log on with sysadmin/qwert123 it work too!
We can add any caracter after the currect password and it work!!
What is the impact of this vulnerability?
----------------------------------------
(For example: local user can gain root/privileged access, intruders
can create root-owned files, denial of service attack, etc.)
a) What is the specific impact:
User can gain root access
b) How would you envision it being used in an attack scenario:
User can gain root access via brute force password attack
If the attacker try 8 caracter brute force attack it will for
for password that have less that 8 caracter too, so it can gain
root access faster.
He don't have to try password with 1, 2, 3, 4... caracteres,
try something beetween 8 and 10 et voila...
System : SUN Solaris
OS version : 8 for Sparc and intel, not tested with other version
Verified/Guessed: Verified
For more infoamtion/explanation call me or write a email
Kéven Belanger
Analyste en solutions de sécurité
Logicon Inc. - Division Sécurité
819.825.8049 x7717
800.567.6399 x7717
- Previous message: Roy Hills: "[VulnWatch] SecuRemote usernames can be guessed or sniffed using IKE exchange"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
