[VulnWatch] vuln in login under solaris

From: Keven Belanger (kbelanger@logicon.ca)
Date: 09/05/02


Date: Thu, 5 Sep 2002 11:29:39 -0400
From: "Keven Belanger" <kbelanger@logicon.ca>
To: <vulnwatch@vulnwatch.org>

Name : Keven Belanger
 E-mail : kbelanger@logicon.ca
 Phone / fax : (819) 825-8049 x7717
 Affiliation and address: Logicon inc.
                                     100, des Distributeurs
                                     Val-d'Or (Quebec)
                                     Canada J9P 6Y1
 
Have you reported this to the vendor? yes
 
        If so, please let us know whom you've contacted:
 
            Date of your report : September 05, 2002
            Vendor contact e-mail : security-alert@sun.com
            
CERT has been advised too...
 
Please describe the vulnerability.
---------------------------------
Unlike other Unix-based OSes, when Solaris authenticates the user it lets
the user come in even if the password is not really "correct". Let me explain:
My username is sysadmin
My password is qwerty
If I log on with sysadmin/qwerty it works
If I log on with sysadmin/qwert123 it works too!
We can add any character after the correct password and it works!!
 
What is the impact of this vulnerability?
----------------------------------------
 (For example: local user can gain root/privileged access, intruders
  can create root-owned files, denial of service attack, etc.)
 
   a) What is the specific impact:
      User can gain root access
 
   b) How would you envision it being used in an attack scenario:
      User can gain root access via brute force password attack
      If the attacker tries an 8-character brute force attack it will work
      for passwords that have less than 8 characters too, so he can gain
      root access faster.
      He doesn't have to try passwords with 1, 2, 3, 4... characters,
      just try something between 8 and 10 et voila...
 
 
            System : SUN Solaris
            OS version : 8 for Sparc and intel, not tested with other version
            Verified/Guessed: Verified
 
 
For more information/explanation call me or write an email
 
Kéven Belanger
Security Solutions Analyst
Logicon Inc. - Security Division
819.825.8049 x7717
800.567.6399 x7717
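
A regression check for the symptom reported above, as an added example that is not part of the original post and not Solaris code. `verify_prefix_only` is a hypothetical model of a check that ignores trailing input (the post does not state the actual cause), `verify_exact` is the expected behaviour, and the plaintext comparison and suffix list are constructed stand-ins for a real authentication backend.

```c
#include <stdio.h>
#include <string.h>

/* Signature of the verifier under test (hypothetical interface). */
typedef int (*verify_fn)(const char *stored, const char *supplied);

/* Hypothetical model of the reported symptom: only strlen(stored) bytes
   are compared, so anything typed after the correct password is ignored. */
static int verify_prefix_only(const char *stored, const char *supplied)
{
    return strncmp(stored, supplied, strlen(stored)) == 0;
}

/* Expected behaviour: the whole supplied string must match. */
static int verify_exact(const char *stored, const char *supplied)
{
    return strcmp(stored, supplied) == 0;
}

/* Appends each constructed suffix to the known-good password and counts
   how many padded variants the verifier still accepts.
   Returns -1 if the good password itself is rejected, 0 if the check passes. */
static int count_suffix_accepts(verify_fn verify, const char *good)
{
    static const char *suffixes[] = { "1", "123", "!", "xxxxxxxx" }; /* constructed */
    char candidate[64];
    int accepted = 0;

    if (!verify(good, good))
        return -1;
    for (size_t i = 0; i < sizeof suffixes / sizeof suffixes[0]; i++) {
        snprintf(candidate, sizeof candidate, "%s%s", good, suffixes[i]);
        if (verify(good, candidate))
            accepted++;
    }
    return accepted;
}

int main(void)
{
    /* "qwerty" is the sample password used in the post. */
    printf("prefix-only verifier: %d padded variants accepted\n",
           count_suffix_accepts(verify_prefix_only, "qwerty"));
    printf("exact verifier:       %d padded variants accepted\n",
           count_suffix_accepts(verify_exact, "qwerty"));
    return 0;
}
```

Any non-zero count means the verifier accepts input beyond the real password and should fail an acceptance test for the login path.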
 


