Re: [BLACKLIST] [Full-disclosure] Solaris telnet vulnberability - how many on yournetwork?

[Casper.Dik () Sun COM]

> It's a bug.  I recall it being found and fixed in AIX many years ago.
> Embarassing for Sun that it's still in Solaris, though.

It's not "still" in Solaris; it's the first time it occurred in
Solaris; it is stupid it did but it's a typical programming error:
passing unchecked arguments to a program without escaping special
characters.

> A quick Google search found Usenet postings about it from 1994; I'm sure
> it was known well before then.

As far as I remember, the "-f" option to login was a BSDism (4.4?);
it did not exist in platforms derived from earlier BSDs when it came
to rlogin/rshd.

The original rlogind would either run the protocol in in.rlogind and
skip login or the protocol was implemented in login itself.

Later, the protocol processing was put in rlogind but it always went
through login.

This code then was reimplemented by an IBM employee in AIX and later
also, by the same person, for Linux, giving rise to the first occurrence
of the -froot bug.

Solaris did add the -f option to login much later but it wasn't
until a complete integration of ktelnet was done that this bug arose
in Solaris 10.

It's just a very usual (and unfortunate) reimplementation of the same bug.

Casper