| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <Pine.BSO.4.63.0702191552080.24507@shinobi.blackhats.it> Date: Mon, 19 Feb 2007 16:31:48 +0100 (CET) From: Marco Ivaldi <raptor@...eadbeef.info> To: bugtraq@...urityfocus.com Subject: Re: Solaris telnet vulnberability - how many on your network? Scott, On Sat, 17 Feb 2007, Cromar Scott wrote: > I have to wonder if the "old bug" complaints are coming in reference to > one of the following: > > http://www.securityfocus.com/bid/3064/info > http://www.securityfocus.com/bid/5531/info > > I know that my initial reaction was "haven't I seen this before?" but > the above two are what I found in my notes when I looked back. > > (Note that the second of the two is reported to actually reference a > problem with login and not in.telnetd.) The second vulnerability you mention was indeed affecting System V derived login. Furthermore, it was exploitable through a common telnet client (via the TTYPROMPT trick [1], which somehow reminds me of the recent Solaris 10 exploit), locally, or through other attack vectors, such as rlogin [2] and even X.25 pad daemon, without the need to specify TTYPROMPT at all. [1] http://archive.cert.uni-stuttgart.de/bugtraq/2002/10/msg00020.html [2] http://www.0xdeadbeef.info/exploits/raptor_rlogin.c Cheers, -- Marco Ivaldi Antifork Research, Inc. http://0xdeadbeef.info/ 3B05 C9C5 A2DE C3D7 4233 0394 EF85 2008 DBFD B707
Powered by blists - more mailing lists