[kbelanger () logicon ca: [VulnWatch] vuln in login under solaris]

[steve () entrenchtech com (Steve)]

Len,

Yes, the list is moderated as in we only approve messages that are actual
vulnerability announcements and not "other stuff" (for other stuff see;
http://lists.netsys.com/pipermail/full-disclosure/).

It is not the jobs of the moderators to take the time and verify each vuln
report as it will slow down the flow of the list and the moderators are only
human and can make mistakes just like everyone else.

It has also been discussed on VulnDiscuss that this isn't really a
vulnerability in the first place and is a known "issue"/limitation.  This in
my opinion is the whole point of the discussion list - to weed out the crap
in a public forum -- almost like peer review.


Regards;

Steve Manzuik
Moderator - VulnWatch
Moderator - VulnDiscuss
www.vulnwatch.org



----- Original Message -----
From: "Len Rose" <len () netsys com>
To: <full-disclosure () lists netsys com>
Sent: Thursday, September 05, 2002 5:11 PM
Subject: [Full-disclosure] [kbelanger () logicon ca: [VulnWatch] vuln in login
under solaris]


> This is bullshit. I tested this using Solaris 8 just now.
>
> I tested it with both Solaris 8 sparc and Solaris 8 intel.
>
> How can you let this pass, you're a moderated list.
>
>
>
> ----- Forwarded message from Keven Belanger <kbelanger () logicon ca> -----
>
> Received: from vikki.vulnwatch.org ([199.233.98.101])
> by netsys.com (8.11.6/8.11.6) with SMTP id g85G2CK19967
> for <len () netsys com>; Thu, 5 Sep 2002 12:02:12 -0400 (EDT)
> Received: (qmail 24111 invoked by alias); 5 Sep 2002 16:46:11 -0000
> Mailing-List: contact vulnwatch-help () vulnwatch org; run by ezmlm
> Precedence: bulk
> List-Post: <mailto:vulnwatch () vulnwatch org>
> List-Help: <mailto:vulnwatch-help () vulnwatch org>
> List-Unsubscribe: <mailto:vulnwatch-unsubscribe () vulnwatch org>
> List-Subscribe: <mailto:vulnwatch-subscribe () vulnwatch org>
> Delivered-To: mailing list vulnwatch () vulnwatch org
> Delivered-To: moderator for vulnwatch () vulnwatch org
> Received: (qmail 18991 invoked from network); 5 Sep 2002 16:18:35 -0000
> X-Authentication-Warning: avd.Logicon.CA: mail set sender to
<kbelanger () logicon ca> using -f
> X-MimeOLE: Produced By Microsoft Exchange V6.0.5762.3
> content-class: urn:content-classes:message
> MIME-Version: 1.0
> Content-Type: multipart/alternative;
> boundary="----_=_NextPart_001_01C254F1.0C94CFE9"
> Date: Thu, 5 Sep 2002 11:29:39 -0400
> Message-ID:
<E32C9069AF5CBC44ABDDDF0D3E1C0735292143 () srv-vd-dc01 logicon ca>
> X-MS-Has-Attach:
> X-MS-TNEF-Correlator:
> Thread-Topic: vuln in login under solaris
> Thread-Index: AcJU8QwqfnT+ZTzPTtm8WFZxYxpWuQ==
> Sensitivity: Company-Confidential
> From: "Keven Belanger" <kbelanger () logicon ca>
> To: <vulnwatch () vulnwatch org>
> Subject: [VulnWatch] vuln in login under solaris
>
> Name                           : Keven Belanger
>  E-mail                         : kbelanger () logicon ca
>  Phone / fax                  : (819) 825-8049 x7717
>  Affiliation and address: Logicon inc.
>                                      100, des Distributeurs
>                                      Val-d'Or (Quebec)
>                                      Canada J9P 6Y1
>
> Have you reported this to the vendor?  yes
>
>         If so, please let us know whom you've contacted:
>
>             Date of your report         : September 05, 2002
>             Vendor contact e-mail    : security-alert () sun com
>
> CERT have been advised too...
>
> Please describe the vulnerability.
> ---------------------------------
> Unlike other unix based OS, when Solaris authenticate the user it let
> the user
> came in even if the password is not really "correct" Let me explain:
> My username is sysadmin
> My password is qwerty
> If I log on with sysadmin/qwerty it work
> If I log on with sysadmin/qwert123 it work too!
> We can add any caracter after the currect password and it work!!
>
> What is the impact of this vulnerability?
> ----------------------------------------
>  (For example: local user can gain root/privileged access, intruders
>   can create root-owned files, denial of service attack,  etc.)
>
>    a) What is the specific impact:
>       User can gain root access
>
>    b) How would you envision it being used in an attack scenario:
>       User can gain root access via brute force password attack
>       If the attacker try 8 caracter brute force attack it will for
>       for password that have less that 8 caracter too, so it can gain
>       root access faster.
>       He don't have to try password with 1, 2, 3, 4... caracteres,
>       try something beetween 8 and 10 et voila...
>
>
>             System            : SUN Solaris
>             OS version        : 8 for Sparc and intel, not tested with
other version
>             Verified/Guessed: Verified
>
>
> For more infoamtion/explanation call me or write a email
>
> Kéven Belanger
> Analyste en solutions de sécurité
> Logicon Inc. - Division Sécurité
> 819.825.8049 x7717
> 800.567.6399 x7717
>
>
> ----- End forwarded message -----
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html