Re: Solaris telnet vulnberability - how many on your network?

To: Darren Reed <avalon@xxxxxxxxxxxxxxxxxxx>
Subject: Re: Solaris telnet vulnberability - how many on your network?
From: Nate Eldredge <nge@xxxxxxxxxx>
Date: Fri, 16 Feb 2007 18:41:33 -0800 (PST)
Cc: greimer@xxxxxxxx, "Anthony R. Nemmer" <intertwingled@xxxxxxxxx>, jf <jf@xxxxxxxxxxxxxxxxxxxx>, thefinn12345@xxxxxxxxx, bugtraq@xxxxxxxxxxxxxxxxx
In-reply-to: <200702162257.l1GMvkDM018807@xxxxxxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <200702162257.l1GMvkDM018807@xxxxxxxxxxxxxxxxxxx>

On Sat, 17 Feb 2007, Darren Reed wrote:

In some mail from greimer@xxxxxxxx, sie said:


1) This seems like a case of "old code" somehow creeping back in to the
current versions, and that's a phenomenon I've seen happen at a couple of
different places that I've worked at over the years. It's kind of a
special case of version control gone bad, and I'm interested in how that
can happen and how to watch out for it.

1a) People have said that this bug was in old versions of SunOS/Solaris
(and AIX I think) but nobody ever nailed down exactly when this was fixed,
versionwise. In fact, did anybody reproduce this in anything other than
Solaris 10? It'd be nice to know the last old version that has the bug, &
the 1st that doesn't.


Solaris's /bin/login has never supported the "-f" command line option
until Solaris 10 (RTFM) so this exploit was just plain not possible.

That is not correct. On a Solaris 8 box the -f option is accepted withouterror. I don't have root so I can't verify that it does the right thing,but at least as a normal user "login -f asdfasdf" does nothing while"login" without arguments presents a prompt. So it exists and has someeffect, notwithstanding the fact the fact that it is not listed in the manpage. (RTFM isn't very helpful when it comes to undocumented features!:-)


$ uname -a
SunOS mybox 5.8 Generic_117350-44 sun4u sparc SUNW,Ultra-2
$ login
login: ^C
$ login -f asdfasdf
$ man login

NAME
     login - sign on to the system

SYNOPSIS
     login [ -p ]  [ -d device ]  [ -h hostname | [ terminal ]  |
     -r hostname ]  [   name  [ environ ]  ...  ]

The other avenue for passing command line args to telnet is through
the TERM telnet option, but Solaris stopped passing that through on
the command line a long time ago (maybe 2.3 or earlier?)

2) Does this have anything to do with the OpenSolaris effort?

No.

In fact, you can look in the OpenSolaris repository and see that theinitial import of usr/src/cmd/cmd-inet/usr.sbin/in.telnetd.c alreadycontained this bug.

Like are people pulling in code from other sources?


More people should go back and read Casper's email where he explained
that it came about with a Kerberos project.


I presume that refers only to the telnetd bug, and not to login -f.

--
Nate Eldredge
nge@xxxxxxxxxx

Follow-Ups:
- RE: Solaris telnet vulnberability - how many on your network?
  - From: Michael Wojcik

References:
- Re: Solaris telnet vulnberability - how many on your network?
  - From: Darren Reed

Prev by Date: RE: Drive-by Pharming Threat
Next by Date: DotClear v1.2.5
Previous by thread: Re: Solaris telnet vulnberability - how many on your network?
Next by thread: RE: Solaris telnet vulnberability - how many on your network?
Index(es):
- Date
- Thread