Message-ID: <Pine.LNX.4.64.0702161821150.29233@knuth.cs.hmc.edu>
Date: Fri, 16 Feb 2007 18:41:33 -0800 (PST)
From: Nate Eldredge <nge@...hmc.edu>
To: Darren Reed <avalon@...igula.anu.edu.au>
Cc: greimer@...c.edu, "Anthony R. Nemmer" <intertwingled@...st.net>,
jf <jf@...glingpointers.net>, thefinn12345@...il.com,
bugtraq@...urityfocus.com
Subject: Re: Solaris telnet vulnerability - how many on your network?
On Sat, 17 Feb 2007, Darren Reed wrote:
> In some mail from greimer@...c.edu, sie said:
>>
>> 1) This seems like a case of "old code" somehow creeping back in to the
>> current versions, and that's a phenomenon I've seen happen at a couple of
>> different places that I've worked at over the years. It's kind of a
>> special case of version control gone bad, and I'm interested in how that
>> can happen and how to watch out for it.
>>
>> 1a) People have said that this bug was in old versions of SunOS/Solaris
>> (and AIX I think) but nobody ever nailed down exactly when this was fixed,
>> versionwise. In fact, did anybody reproduce this in anything other than
>> Solaris 10? It'd be nice to know the last old version that has the bug, &
>> the 1st that doesn't.
>
> Solaris's /bin/login has never supported the "-f" command line option
> until Solaris 10 (RTFM) so this exploit was just plain not possible.
That is not correct. On a Solaris 8 box the -f option is accepted without
error. I don't have root so I can't verify that it does the right thing,
but at least as a normal user "login -f asdfasdf" does nothing while
"login" without arguments presents a prompt. So it exists and has some
effect, notwithstanding the fact that it is not listed in the man
page. (RTFM isn't very helpful when it comes to undocumented features!
:-)
$ uname -a
SunOS mybox 5.8 Generic_117350-44 sun4u sparc SUNW,Ultra-2
$ login
login: ^C
$ login -f asdfasdf
$ man login
NAME
login - sign on to the system
SYNOPSIS
login [ -p ] [ -d device ] [ -h hostname | [ terminal ] |
-r hostname ] [ name [ environ ] ... ]
> The other avenue for passing command line args to telnet is through
> the TERM telnet option, but Solaris stopped passing that through on
> the command line a long time ago (maybe 2.3 or earlier?)
>
>> 2) Does this have anything to do with the OpenSolaris effort?
>
> No.
In fact, you can look in the OpenSolaris repository and see that the
initial import of usr/src/cmd/cmd-inet/usr.sbin/in.telnetd.c already
contained this bug.
>> Like are people pulling in code from other sources?
>
> More people should go back and read Casper's email where he explained
> that it came about with a Kerberos project.
I presume that refers only to the telnetd bug, and not to login -f.
--
Nate Eldredge
nge@...hmc.edu
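The mechanism the thread is circling around is argument injection: a network daemon splices a peer-supplied string into the argv of a login-like child, and a value that starts with "-" is then parsed by that child as an option rather than a user name (the "login -f asdfasdf" case above). The following Python is an added illustration written for this archive page, not code from the message, from Solaris, or from in.telnetd; the option string "pf:d:h:r:", the username grammar, and the host value are constructed assumptions. It models how a getopt-based program would see the resulting argv and shows the validation step that keeps the value from ever becoming an option.

```python
import getopt
import re

# Constructed option string for a login-like program: -p is a flag, while
# -f, -d, -h and -r take an argument. This is an assumption for the model,
# not the option string of any real login(1).
LOGIN_OPTSTRING = "pf:d:h:r:"

# Conservative user-name grammar: must start with a letter or underscore, so
# it can never begin with '-' and be parsed as an option; no whitespace or
# shell metacharacters. An assumption of this example, not a Solaris rule.
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_.-]{0,31}$")


def build_login_argv_unsafe(remote_user, remote_host):
    """Vulnerable pattern: the peer-supplied name goes straight into argv."""
    return ["login", "-h", remote_host, remote_user]


def build_login_argv_safe(remote_user, remote_host):
    """Hardened pattern: validate before the value can reach the child's argv."""
    if not USERNAME_RE.match(remote_user):
        raise ValueError(f"rejected remote username {remote_user!r}")
    return ["login", "-h", remote_host, remote_user]


def classify(remote_user, remote_host="10.0.0.5"):
    """Show how the unsafe argv would be parsed by a getopt-based child.

    Returns ("user", name) when the value lands as an ordinary positional
    argument, ("option", [(opt, val), ...]) when it is consumed as one or
    more options the daemon never intended to pass, and ("error", msg) when
    getopt rejects the argv outright.
    """
    argv = build_login_argv_unsafe(remote_user, remote_host)
    try:
        opts, positional = getopt.getopt(argv[1:], LOGIN_OPTSTRING)
    except getopt.GetoptError as exc:
        return ("error", str(exc))
    # "-h <host>" is the option the daemon itself added; anything else came
    # from the remote user name.
    injected = [(opt, val) for opt, val in opts if opt != "-h"]
    if injected:
        return ("option", injected)
    return ("user", positional[0] if positional else None)


def audit(candidates):
    """Run both builders over constructed sample names and report the outcome."""
    report = {}
    for name in candidates:
        outcome = classify(name)
        try:
            build_login_argv_safe(name, "10.0.0.5")
            accepted = True
        except ValueError:
            accepted = False
        report[name] = (outcome, accepted)
    return report


if __name__ == "__main__":
    # Constructed sample inputs: a normal name and the "-f<name>" form from
    # the thread. The second is parsed as option -f with argument "asdfasdf".
    for name, (outcome, accepted) in audit(["alice", "-fasdfasdf"]).items():
        print(f"{name!r:16} unsafe argv -> {outcome}; safe builder accepts: {accepted}")
```

The point of the safe builder is that it rejects the value before any child process is involved; relying on the child to treat a leading "-" sensibly is exactly what failed here, and a program that has no documented "-f" may still honour it, as the Solaris 8 session above shows.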