| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 13 Feb 2007 21:15:37 +0100 From: Casper.Dik@....COM To: Michael Wojcik <Michael.Wojcik@...rofocus.com> Cc: bugtraq@...urityfocus.com Subject: Re: [BLACKLIST] [Full-disclosure] Solaris telnet vulnberability - how many on yournetwork? >It's a bug. I recall it being found and fixed in AIX many years ago. >Embarassing for Sun that it's still in Solaris, though. It's not "still" in Solaris; it's the first time it occurred in Solaris; it is stupid it did but it's a typical programming error: passing unchecked arguments to a program without escaping special characters. >A quick Google search found Usenet postings about it from 1994; I'm sure >it was known well before then. As far as I remember, the "-f" option to login was a BSDism (4.4?); it did not exist in platforms derived from earlier BSDs when it came to rlogin/rshd. The original rlogind would either run the protocol in in.rlogind and skip login or the protocol was implemented in login itself. Later, the protocol processing was put in rlogind but it always went through login. This code then was reimplemented by an IBM employee in AIX and later also, by the same person, for Linux, giving rise to the first occurrence of the -froot bug. Solaris did add the -f option to login much later but it wasn't until a complete integration of ktelnet was done that this bug arose in Solaris 10. It's just a very usual (and unfortunate) reimplementation of the same bug. Casper
Powered by blists - more mailing lists