Re: Solaris telnet vulnberability - how many on your network?
Scott,
On Sat, 17 Feb 2007, Cromar Scott wrote:
> I have to wonder if the "old bug" complaints are coming in reference to
> one of the following:
>
> http://www.securityfocus.com/bid/3064/info
> http://www.securityfocus.com/bid/5531/info
>
> I know that my initial reaction was "haven't I seen this before?" but
> the above two are what I found in my notes when I looked back.
>
> (Note that the second of the two is reported to actually reference a
> problem with login and not in.telnetd.)
The second vulnerability you mention was indeed affecting System V derived
login. Furthermore, it was exploitable through a common telnet client (via
the TTYPROMPT trick [1], which somehow reminds me of the recent Solaris 10
exploit), locally, or through other attack vectors, such as rlogin [2] and
even X.25 pad daemon, without the need to specify TTYPROMPT at all.
[1] http://archive.cert.uni-stuttgart.de/bugtraq/2002/10/msg00020.html
[2] http://www.0xdeadbeef.info/exploits/raptor_rlogin.c
Cheers,
--
Marco Ivaldi
Antifork Research, Inc. http://0xdeadbeef.info/
3B05 C9C5 A2DE C3D7 4233 0394 EF85 2008 DBFD B707
討論串 (同標題文章)
完整討論串 (本文為第 10 之 11 篇):