<<< Date Index >>>     <<< Thread Index >>>

Re: Solaris telnet vulnberability - how many on your network?



Scott,

On Sat, 17 Feb 2007, Cromar Scott wrote:

I have to wonder if the "old bug" complaints are coming in reference to
one of the following:

http://www.securityfocus.com/bid/3064/info
http://www.securityfocus.com/bid/5531/info

I know that my initial reaction was "haven't I seen this before?" but
the above two are what I found in my notes when I looked back.

(Note that the second of the two is reported to actually reference a
problem with login and not in.telnetd.)

The second vulnerability you mention was indeed affecting System V derived login. Furthermore, it was exploitable through a common telnet client (via the TTYPROMPT trick [1], which somehow reminds me of the recent Solaris 10 exploit), locally, or through other attack vectors, such as rlogin [2] and even X.25 pad daemon, without the need to specify TTYPROMPT at all.

[1] http://archive.cert.uni-stuttgart.de/bugtraq/2002/10/msg00020.html
[2] http://www.0xdeadbeef.info/exploits/raptor_rlogin.c

Cheers,

--
Marco Ivaldi
Antifork Research, Inc.   http://0xdeadbeef.info/
3B05 C9C5 A2DE C3D7 4233  0394 EF85 2008 DBFD B707