[kbelanger () logicon ca: [VulnWatch] vuln in login under solaris]

[len () netsys com (Len Rose)]

This is bullshit. I tested this using Solaris 8 just now.

I tested it with both Solaris 8 sparc and Solaris 8 intel.

How can you let this pass, you're a moderated list. 



----- Forwarded message from Keven Belanger <kbelanger () logicon ca> -----

Received: from vikki.vulnwatch.org ([199.233.98.101])
        by netsys.com (8.11.6/8.11.6) with SMTP id g85G2CK19967
        for <len () netsys com>; Thu, 5 Sep 2002 12:02:12 -0400 (EDT)
Received: (qmail 24111 invoked by alias); 5 Sep 2002 16:46:11 -0000
Mailing-List: contact vulnwatch-help () vulnwatch org; run by ezmlm
Precedence: bulk
List-Post: <mailto:vulnwatch () vulnwatch org>
List-Help: <mailto:vulnwatch-help () vulnwatch org>
List-Unsubscribe: <mailto:vulnwatch-unsubscribe () vulnwatch org>
List-Subscribe: <mailto:vulnwatch-subscribe () vulnwatch org>
Delivered-To: mailing list vulnwatch () vulnwatch org
Delivered-To: moderator for vulnwatch () vulnwatch org
Received: (qmail 18991 invoked from network); 5 Sep 2002 16:18:35 -0000
X-Authentication-Warning: avd.Logicon.CA: mail set sender to <kbelanger () logicon ca> using -f
X-MimeOLE: Produced By Microsoft Exchange V6.0.5762.3
content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: multipart/alternative;
        boundary="----_=_NextPart_001_01C254F1.0C94CFE9"
Date: Thu, 5 Sep 2002 11:29:39 -0400
Message-ID: <E32C9069AF5CBC44ABDDDF0D3E1C0735292143 () srv-vd-dc01 logicon ca>
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
Thread-Topic: vuln in login under solaris
Thread-Index: AcJU8QwqfnT+ZTzPTtm8WFZxYxpWuQ==
Sensitivity: Company-Confidential
From: "Keven Belanger" <kbelanger () logicon ca>
To: <vulnwatch () vulnwatch org>
Subject: [VulnWatch] vuln in login under solaris

Name                           : Keven Belanger
 E-mail                         : kbelanger () logicon ca
 Phone / fax                  : (819) 825-8049 x7717
 Affiliation and address: Logicon inc.
                                     100, des Distributeurs
                                     Val-d'Or (Quebec)
                                     Canada J9P 6Y1
 
Have you reported this to the vendor?  yes
 
        If so, please let us know whom you've contacted:
 
            Date of your report         : September 05, 2002
            Vendor contact e-mail    : security-alert () sun com
            
CERT have been advised too...
 
Please describe the vulnerability.
---------------------------------
Unlike other unix based OS, when Solaris authenticate the user it let
the user
came in even if the password is not really "correct" Let me explain:
My username is sysadmin
My password is qwerty
If I log on with sysadmin/qwerty it work
If I log on with sysadmin/qwert123 it work too!
We can add any caracter after the currect password and it work!!
 
What is the impact of this vulnerability?
----------------------------------------
 (For example: local user can gain root/privileged access, intruders 
  can create root-owned files, denial of service attack,  etc.)
 
   a) What is the specific impact:
      User can gain root access
 
   b) How would you envision it being used in an attack scenario:
      User can gain root access via brute force password attack
      If the attacker try 8 caracter brute force attack it will for
      for password that have less that 8 caracter too, so it can gain
      root access faster.
      He don't have to try password with 1, 2, 3, 4... caracteres,
      try something beetween 8 and 10 et voila...
 
 
            System            : SUN Solaris
            OS version        : 8 for Sparc and intel, not tested with other version
            Verified/Guessed: Verified
 
 
For more infoamtion/explanation call me or write a email
 
Kéven Belanger
Analyste en solutions de sécurité
Logicon Inc. - Division Sécurité
819.825.8049 x7717
800.567.6399 x7717
 

----- End forwarded message -----