Bugtraq mailing list archives
Re: Solaris telnet vulnerability - how many on your network?
From: Darren Reed <avalon () caligula anu edu au>
Date: Sat, 17 Feb 2007 09:57:45 +1100 (Australia/ACT)

In some mail from greimer () fccc edu, sie said:

> 1) This seems like a case of "old code" somehow creeping back in to the current versions, and that's a phenomenon I've seen happen at a couple of different places that I've worked at over the years. It's kind of a special case of version control gone bad, and I'm interested in how that can happen and how to watch out for it.
>
> 1a) People have said that this bug was in old versions of SunOS/Solaris (and AIX I think) but nobody ever nailed down exactly when this was fixed, versionwise. In fact, did anybody reproduce this in anything other than Solaris 10? It'd be nice to know the last old version that has the bug, & the 1st that doesn't.

Solaris's /bin/login has never supported the "-f" command line option until Solaris 10 (RTFM) so this exploit was just plain not possible. The other avenue for passing command line args to telnet is through the TERM telnet option, but Solaris stopped passing that through on the command line a long time ago (maybe 2.3 or earlier?)

> 2) Does this have anything to do with the OpenSolaris effort?

No.

> Like are people pulling in code from other sources?

More people should go back and read Casper's email where he explained that it came about with a Kerberos project.

Darren