Full Disclosure mailing list archives
[kbelanger () logicon ca: [VulnWatch] vuln in login under solaris]
From: steve () entrenchtech com (Steve)
Date: Thu, 5 Sep 2002 17:59:09 -0600
Len, Yes, the list is moderated as in we only approve messages that are actual vulnerability announcements and not "other stuff" (for other stuff see; http://lists.netsys.com/pipermail/full-disclosure/). It is not the jobs of the moderators to take the time and verify each vuln report as it will slow down the flow of the list and the moderators are only human and can make mistakes just like everyone else. It has also been discussed on VulnDiscuss that this isn't really a vulnerability in the first place and is a known "issue"/limitation. This in my opinion is the whole point of the discussion list - to weed out the crap in a public forum -- almost like peer review. Regards; Steve Manzuik Moderator - VulnWatch Moderator - VulnDiscuss www.vulnwatch.org ----- Original Message ----- From: "Len Rose" <len () netsys com> To: <full-disclosure () lists netsys com> Sent: Thursday, September 05, 2002 5:11 PM Subject: [Full-disclosure] [kbelanger () logicon ca: [VulnWatch] vuln in login under solaris]
This is bullshit. I tested this using Solaris 8 just now. I tested it with both Solaris 8 sparc and Solaris 8 intel. How can you let this pass, you're a moderated list. ----- Forwarded message from Keven Belanger <kbelanger () logicon ca> ----- Received: from vikki.vulnwatch.org ([199.233.98.101]) by netsys.com (8.11.6/8.11.6) with SMTP id g85G2CK19967 for <len () netsys com>; Thu, 5 Sep 2002 12:02:12 -0400 (EDT) Received: (qmail 24111 invoked by alias); 5 Sep 2002 16:46:11 -0000 Mailing-List: contact vulnwatch-help () vulnwatch org; run by ezmlm Precedence: bulk List-Post: <mailto:vulnwatch () vulnwatch org> List-Help: <mailto:vulnwatch-help () vulnwatch org> List-Unsubscribe: <mailto:vulnwatch-unsubscribe () vulnwatch org> List-Subscribe: <mailto:vulnwatch-subscribe () vulnwatch org> Delivered-To: mailing list vulnwatch () vulnwatch org Delivered-To: moderator for vulnwatch () vulnwatch org Received: (qmail 18991 invoked from network); 5 Sep 2002 16:18:35 -0000 X-Authentication-Warning: avd.Logicon.CA: mail set sender to
<kbelanger () logicon ca> using -f
X-MimeOLE: Produced By Microsoft Exchange V6.0.5762.3 content-class: urn:content-classes:message MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C254F1.0C94CFE9" Date: Thu, 5 Sep 2002 11:29:39 -0400 Message-ID:
<E32C9069AF5CBC44ABDDDF0D3E1C0735292143 () srv-vd-dc01 logicon ca>
X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: vuln in login under solaris Thread-Index: AcJU8QwqfnT+ZTzPTtm8WFZxYxpWuQ== Sensitivity: Company-Confidential From: "Keven Belanger" <kbelanger () logicon ca> To: <vulnwatch () vulnwatch org> Subject: [VulnWatch] vuln in login under solaris Name : Keven Belanger E-mail : kbelanger () logicon ca Phone / fax : (819) 825-8049 x7717 Affiliation and address: Logicon inc. 100, des Distributeurs Val-d'Or (Quebec) Canada J9P 6Y1 Have you reported this to the vendor? yes If so, please let us know whom you've contacted: Date of your report : September 05, 2002 Vendor contact e-mail : security-alert () sun com CERT have been advised too... Please describe the vulnerability. --------------------------------- Unlike other unix based OS, when Solaris authenticate the user it let the user came in even if the password is not really "correct" Let me explain: My username is sysadmin My password is qwerty If I log on with sysadmin/qwerty it work If I log on with sysadmin/qwert123 it work too! We can add any caracter after the currect password and it work!! What is the impact of this vulnerability? ---------------------------------------- (For example: local user can gain root/privileged access, intruders can create root-owned files, denial of service attack, etc.) a) What is the specific impact: User can gain root access b) How would you envision it being used in an attack scenario: User can gain root access via brute force password attack If the attacker try 8 caracter brute force attack it will for for password that have less that 8 caracter too, so it can gain root access faster. He don't have to try password with 1, 2, 3, 4... caracteres, try something beetween 8 and 10 et voila... System : SUN Solaris OS version : 8 for Sparc and intel, not tested with
other version
Verified/Guessed: Verified For more infoamtion/explanation call me or write a email Kéven Belanger Analyste en solutions de sécurité Logicon Inc. - Division Sécurité 819.825.8049 x7717 800.567.6399 x7717 ----- End forwarded message ----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- [kbelanger () logicon ca: [VulnWatch] vuln in login under solaris] Len Rose (Sep 05)
- [kbelanger () logicon ca: [VulnWatch] vuln in login under solaris] Steve (Sep 05)
- [kbelanger () logicon ca: [VulnWatch] vuln in login under solaris] Len Rose (Sep 05)
- [kbelanger () logicon ca: [VulnWatch] vuln in login under solaris] hellNbak (Sep 05)
- [kbelanger () logicon ca: [VulnWatch] vuln in login under solaris] Len Rose (Sep 05)
- [kbelanger () logicon ca: [VulnWatch] vuln in login under solaris] Steve (Sep 05)