Bugtraq mailing list archives

ssh w/ solaris 2.5.[1]

From: aleph1 () dfw net (Aleph One)
Date: Mon, 18 Nov 1996 18:23:32 -0600


It seems that ssh is also affected by the solaris nsl lib hole.  Simply
change execl() to run ssh and your root.

Here is a quick unofficial patch to fix ssh-1.2.17.  I've yet to look into
sshd.

*** ssh.c.orig  Tue Oct 29 20:27:54 1996
--- ssh.c       Mon Nov 18 13:32:42 1996
***************
*** 604,609 ****
--- 604,614 ----
    if (options.hostname != NULL)
      host = options.hostname;

+   if (strlen(host) > 512) {
+     printf("Invalid hostname.\n");
+     exit(-1);
+   }
+
    /* Disable rhosts authentication if not running as root. */
    if (original_effective_uid != 0)
      {


BTW, the exploit wont work on machines other than sun4m's.

Aleph One / aleph1 () underground org
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61  8C 39 EA 47 A8 6A B8 01

Current thread:

Re: BoS: Magic password of some linux-box(Hardware..), (continued)
- - - Re: BoS: Magic password of some linux-box(Hardware..) Sergei A. Golubchik (Nov 19)
    - Irix: root exploit for LicenseManager Yuri Volobuev (Nov 19)
    - Re: BoS: Magic password of some linux-box(Hardware..) moost () xs4all nl (Nov 20)
    - Ascend Killer Program Aleph One (Nov 17)
    - Serious hole in Solaris 2.5[.1] gethostbyname() (exploit included) Jeremy Elson (Nov 18)
    - Re: Serious hole in Solaris 2.5[.1] gethostbyname() (exploit Craig Raskin (Nov 18)
    - Re: Serious hole in Solaris 2.5[.1] gethostbyname() (exploit Paul B. Henson (Nov 18)
    - Re: Serious hole in Solaris 2.5[.1] gethostbyname() (exploit Russell Street (Nov 18)
    - ALERT: Solaris 2.5.1 locks up on TCP connections in Pine 3.9x Todd Vierling (Nov 18)
    - Re: ALERT: Solaris 2.5.1 locks up on TCP connections in Pine 3.9x Brian Harvell (Nov 20)
    - ssh w/ solaris 2.5.[1] Aleph One (Nov 18)
    - Re: Serious hole in Solaris 2.5[.1] gethostbyname() (exploit Mike Battersby (Nov 18)
    - Re: Serious hole in Solaris 2.5[.1] gethostbyname() (exploit Casper Dik (Nov 19)
    - Futile rexecd holes jaeger (Nov 18)
    - Re: Futile rexecd holes Roger Espel Llima (Nov 19)
    - Irix: new LicenseManager is safe? No way Yuri Volobuev (Nov 22)
    - Re: Futile rexecd holes Jon Peatfield (Nov 22)
    - Administratrivia Aleph One (Nov 22)
    - Administratrivia Scriptors of DOOM (Nov 23)
    - A Stupid script. Efrain Torres (Nov 22)
    - A Stupid script. Aleph One (Nov 24)

(Thread continues...)