Re: Solaris telnet vulnerability - how many on your network?

Board: Bugtraq. Posted: 2007/02/18 00:21. Thread post 7 of 11.
On Sat, 17 Feb 2007, Darren Reed wrote:

> In some mail from greimer@fccc.edu, sie said:
>>
>> 1) This seems like a case of "old code" somehow creeping back in to the
>> current versions, and that's a phenomenon I've seen happen at a couple of
>> different places that I've worked at over the years. It's kind of a
>> special case of version control gone bad, and I'm interested in how that
>> can happen and how to watch out for it.
>>
>> 1a) People have said that this bug was in old versions of SunOS/Solaris
>> (and AIX I think) but nobody ever nailed down exactly when this was fixed,
>> versionwise. In fact, did anybody reproduce this in anything other than
>> Solaris 10? It'd be nice to know the last old version that has the bug, &
>> the 1st that doesn't.
>
> Solaris's /bin/login has never supported the "-f" command line option
> until Solaris 10 (RTFM) so this exploit was just plain not possible.

That is not correct. On a Solaris 8 box the -f option is accepted
without error. I don't have root so I can't verify that it does the
right thing, but at least as a normal user "login -f asdfasdf" does
nothing while "login" without arguments presents a prompt. So it exists
and has some effect, notwithstanding the fact that it is not listed in
the man page. (RTFM isn't very helpful when it comes to undocumented
features! :-)

$ uname -a
SunOS mybox 5.8 Generic_117350-44 sun4u sparc SUNW,Ultra-2
$ login
login: ^C
$ login -f asdfasdf
$ man login
NAME
     login - sign on to the system

SYNOPSIS
     login [ -p ] [ -d device ] [ -h hostname | [ terminal ] |
     -r hostname ] [ name [ environ ] ... ]

> The other avenue for passing command line args to telnet is through
> the TERM telnet option, but Solaris stopped passing that through on
> the command line a long time ago (maybe 2.3 or earlier?)
>
>> 2) Does this have anything to do with the OpenSolaris effort?
>
> No.

In fact, you can look in the OpenSolaris repository and see that the
initial import of usr/src/cmd/cmd-inet/usr.sbin/in.telnetd.c already
contained this bug.

>> Like are people pulling in code from other sources?
>
> More people should go back and read Casper's email where he explained
> that it came about with a Kerberos project.

I presume that refers only to the telnetd bug, and not to login -f.

-- 
Nate Eldredge
nge@cs.hmc.edu
Article ID (AID): #15rokT00 (Bugtraq)
Full thread (this post is 7 of 11)