Bugtraq mailing list archives
ssh w/ solaris 2.5.[1]
From: aleph1 () dfw net (Aleph One)
Date: Mon, 18 Nov 1996 18:23:32 -0600
It seems that ssh is also affected by the solaris nsl lib hole. Simply change execl() to run ssh and you're root. Here is a quick unofficial patch to fix ssh-1.2.17. I've yet to look into sshd.
*** ssh.c.orig Tue Oct 29 20:27:54 1996 --- ssh.c Mon Nov 18 13:32:42 1996 *************** *** 604,609 **** --- 604,614 ---- if (options.hostname != NULL) host = options.hostname; + if (strlen(host) > 512) { + printf("Invalid hostname.\n"); + exit(-1); + } + /* Disable rhosts authentication if not running as root. */ if (original_effective_uid != 0) {
BTW, the exploit won't work on machines other than sun4m's.
Aleph One / aleph1 () underground org http://underground.org/ KeyID 1024/948FD6B5 Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01
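Review bot: the bound in the added `if (strlen(host) > 512) {` check in ssh.c is a bare constant with no comment tying it to the size of the buffer in the nsl library that it is meant to protect, so a reader cannot confirm from these lines that 512 is below the length that triggers the overflow. A DNS name is at most 255 octets, so a named limit based on that (for example the platform's MAXHOSTNAMELEN) would be tighter and self-documenting, with a comment naming the Solaris gethostbyname() problem as the reason. The placement after the `options.hostname` override is right, since it covers both the command-line host and the configured one. Two smaller points on the error path: `printf("Invalid hostname.\n");` writes to stdout, which pollutes the output of scripted ssh invocations, so the message belongs on stderr; and `exit(-1);` is reported to the parent as status 255, so an explicit positive exit code would be clearer.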