lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Mon, 19 Feb 2007 16:31:48 +0100 (CET)
From: Marco Ivaldi <raptor@...eadbeef.info>
To: bugtraq@...urityfocus.com
Subject: Re: Solaris telnet vulnberability - how many on your network?

Scott,

On Sat, 17 Feb 2007, Cromar Scott wrote:

> I have to wonder if the "old bug" complaints are coming in reference to
> one of the following:
> 
> http://www.securityfocus.com/bid/3064/info
> http://www.securityfocus.com/bid/5531/info
> 
> I know that my initial reaction was "haven't I seen this before?" but
> the above two are what I found in my notes when I looked back.
> 
> (Note that the second of the two is reported to actually reference a
> problem with login and not in.telnetd.)

The second vulnerability you mention was indeed affecting System V derived 
login. Furthermore, it was exploitable through a common telnet client (via 
the TTYPROMPT trick [1], which somehow reminds me of the recent Solaris 10 
exploit), locally, or through other attack vectors, such as rlogin [2] and 
even X.25 pad daemon, without the need to specify TTYPROMPT at all.

[1] http://archive.cert.uni-stuttgart.de/bugtraq/2002/10/msg00020.html
[2] http://www.0xdeadbeef.info/exploits/raptor_rlogin.c

Cheers,

-- 
Marco Ivaldi
Antifork Research, Inc.   http://0xdeadbeef.info/
3B05 C9C5 A2DE C3D7 4233  0394 EF85 2008 DBFD B707

Powered by blists - more mailing lists