Re: [BLACKLIST] [Full-disclosure] Solaris telnet vulnberability - how many on yournetwork? Feb 12 2007 12:52PM
Thierry Zoller (Thierry Zoller lu) (1 replies)
RE: [BLACKLIST] [Full-disclosure] Solaris telnet vulnberability - how many on yournetwork? Feb 13 2007 01:56PM
Michael Wojcik (Michael Wojcik microfocus com) (2 replies)
Re: [BLACKLIST] [Full-disclosure] Solaris telnet vulnberability - how many on yournetwork? Feb 13 2007 08:15PM
Casper Dik Sun COM

>It's a bug. I recall it being found and fixed in AIX many years ago.
>Embarassing for Sun that it's still in Solaris, though.

It's not "still" in Solaris; it's the first time it occurred in
Solaris; it is stupid it did but it's a typical programming error:
passing unchecked arguments to a program without escaping special
characters.

>A quick Google search found Usenet postings about it from 1994; I'm sure
>it was known well before then.

As far as I remember, the "-f" option to login was a BSDism (4.4?);
it did not exist in platforms derived from earlier BSDs when it came
to rlogin/rshd.

The original rlogind would either run the protocol in in.rlogind and
skip login or the protocol was implemented in login itself.

Later, the protocol processing was put in rlogind but it always went
through login.

This code then was reimplemented by an IBM employee in AIX and later
also, by the same person, for Linux, giving rise to the first occurrence
of the -froot bug.

Solaris did add the -f option to login much later but it wasn't
until a complete integration of ktelnet was done that this bug arose
in Solaris 10.

It's just a very usual (and unfortunate) reimplementation of the same bug.

Casper

[ reply ]
RE: [BLACKLIST] [Full-disclosure] Solaris telnet vulnberability - how many on yournetwork? Feb 13 2007 07:59PM
Gadi Evron (ge linuxbox org) (2 replies)
Re: [BLACKLIST] [Full-disclosure] Solaris telnet vulnberability - Feb 15 2007 03:49AM
Darren Reed (avalon caligula anu edu au)


 

Privacy Statement
Copyright 2010, SecurityFocus