Open Source and information security mailing list archives
Date: Fri, 16 Feb 2007 18:41:33 -0800 (PST)
From: Nate Eldredge <nge@...hmc.edu>
To: Darren Reed <avalon@...igula.anu.edu.au>
Cc: greimer@...c.edu, "Anthony R. Nemmer" <intertwingled@...st.net>,
	jf <jf@...glingpointers.net>, thefinn12345@...il.com,
	bugtraq@...urityfocus.com
Subject: Re: Solaris telnet vulnberability - how many on your network?

On Sat, 17 Feb 2007, Darren Reed wrote:

> In some mail from greimer@...c.edu, sie said:
>>
>> 1) This seems like a case of "old code" somehow creeping back in to the
>> current versions, and that's a phenomenon I've seen happen at a couple of
>> different places that I've worked at over the years. It's kind of a
>> special case of version control gone bad, and I'm interested in how that
>> can happen and how to watch out for it.
>>
>> 1a) People have said that this bug was in old versions of SunOS/Solaris
>> (and AIX I think) but nobody ever nailed down exactly when this was fixed,
>> versionwise. In fact, did anybody reproduce this in anything other than
>> Solaris 10? It'd be nice to know the last old version that has the bug, &
>> the 1st that doesn't.
>
> Solaris's /bin/login has never supported the "-f" command line option
> until Solaris 10 (RTFM) so this exploit was just plain not possible.

That is not correct.  On a Solaris 8 box the -f option is accepted without 
error.   I don't have root so I can't verify that it does the right thing, 
but at least as a normal user "login -f asdfasdf" does nothing while 
"login" without arguments presents a prompt.  So it exists and has some 
effect, notwithstanding the fact that it is not listed in the man 
page.  (RTFM isn't very helpful when it comes to undocumented features! 
:-)

$ uname -a
SunOS mybox 5.8 Generic_117350-44 sun4u sparc SUNW,Ultra-2
$ login
login: ^C
$ login -f asdfasdf
$ man login

NAME
      login - sign on to the system

SYNOPSIS
      login [ -p ]  [ -d device ]  [ -h hostname | [ terminal ]  |
      -r hostname ]  [   name  [ environ ]  ...  ]

> The other avenue for passing command line args to telnet is through
> the TERM telnet option, but Solaris stopped passing that through on
> the command line a long time ago (maybe 2.3 or earlier?)
>
>> 2) Does this have anything to do with the OpenSolaris effort?
>
> No.

In fact, you can look in the OpenSolaris repository and see that the 
initial import of usr/src/cmd/cmd-inet/usr.sbin/in.telnetd.c already 
contained this bug.

>> Like are people pulling in code from other sources?
>
> More people should go back and read Casper's email where he explained
> that it came about with a Kerberos project.

I presume that refers only to the telnetd bug, and not to login -f.

-- 
Nate Eldredge
nge@...hmc.edu
