Replies: 8 - Last Post: Feb 13, 2007 11:04 AM by: danx

telnetd exploit
Posted: Feb 11, 2007 9:35 AM
To: Communities » security » discuss

Who is the 'coder' of the code overviewed in this article? :) tinyurl.com/3dx8xg

Re: telnetd exploit
Posted: Feb 11, 2007 11:45 AM, in response to: skunsul

I thought I'd sent an e-mail about this, but in case I forgot to Cc: the list...
1.) I've filed bug 6523815.
2.) You need both CONSOLE=/dev/console *commented out* and telnet enabled on a system for it to be vulnerable. We ship telnet disabled AND CONSOLE=/dev/console UNCOMMENTED.
3.) Thanks for reporting this.
Dan

Re: Re: telnetd exploit
Posted: Feb 11, 2007 11:45 AM, in response to: danmcd

Dan McDonald wrote:
> I thought I'd sent an e-mail about this, but in case I forgot to Cc: the list...
>
> 1.) I've filed bug 6523815.

Oops. I have already filed 6523816 for this myself.

> 2.) You need both CONSOLE=/dev/console *commented out* and telnet enabled on a system for
> it to be vulnerable. We ship telnet disabled AND CONSOLE=/dev/console UNCOMMENTED.

This is not entirely accurate. telnet is disabled only in Nevada by default. In Solaris 10, it is only disabled if SBD was selected in Solaris 10 11/06. Prior to Solaris 10 11/06, telnet was enabled by default. The code being exploited was introduced long before Solaris 10 11/06.

Further, this attack is not just targeting root. This attack will work with any user known to the system being attacked. You are correct that it will not permit access to root unless the CONSOLE parameter is commented (which it is not by default).

Dan - do you want to take a look at our respective filings to see which should be closed as a dup of which?

> 3.) Thanks for reporting this.

Definitely +1! Thank you!

g

> Dan

--
Glenn Brunette
Distinguished Engineer
Director, GSS Security Office
Sun Microsystems, Inc.

Re: Re: telnetd exploit
Posted: Feb 11, 2007 12:07 PM, in response to: danmcd

Dan McDonald wrote on 02/11/07 11:45 AM:
> I thought I'd sent an e-mail about this, but in case I forgot to Cc: the list...
>
> 1.) I've filed bug 6523815.
>
> 2.) You need both CONSOLE=/dev/console *commented out*

For root login, you mean? With CONSOLE set, someone could still gain access as a user (without any authentication), which is still quite bad.

> and telnet enabled on a system for it to be vulnerable. We ship telnet disabled

Yay for SBD :)

~Iain

Re: telnetd exploit
Posted: Feb 11, 2007 7:45 PM, in response to: skunsul

Here, have a patch! This way, the garbage gets passed in verbatim to login(1), where it can log the bogus username appropriately.
Dan
-----
*** 3190,3207 **** */ (void) execl(LOGIN_PROGRAM, "login", "-p", "-d", slavename, "-h", host, ! "-s", pam_svc_name, (AuthenticatingUser != NULL ? AuthenticatingUser : ! getenv("USER")), ! 0); } else /* default, no auth. info available, login does it all */ { (void) execl(LOGIN_PROGRAM, "login", ! "-p", "-h", host, "-d", slavename, getenv("USER"), 0); } fatalperror(netfd, LOGIN_PROGRAM, errno); /*NOTREACHED*/ --- 3190,3206 ---- */ (void) execl(LOGIN_PROGRAM, "login", "-p", "-d", slavename, "-h", host, ! "-s", pam_svc_name, "--", (AuthenticatingUser != NULL ? AuthenticatingUser : ! getenv("USER")), 0); } else /* default, no auth. info available, login does it all */ { (void) execl(LOGIN_PROGRAM, "login", ! "-p", "-h", host, "-d", slavename, "--", getenv("USER"), 0); } fatalperror(netfd, LOGIN_PROGRAM, errno); /*NOTREACHED*/
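Review bot: In both execl() calls the added "--" sits in the argument list with no comment saying why it is there, so a later cleanup could drop it as redundant; add a comment above each call stating that it ends login's option parsing so the USER value is always taken as the username operand. Both calls also still end the variadic list with a bare 0, where (char *)0 is the safe form for execl(). getenv("USER") is passed through unchecked, so telnetd never rejects or logs a value beginning with '-' itself and depends entirely on login to do so.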