Penetration Testing mailing list archives

Re: Bypassing Authentication through Telnet / SSH


From: Marco Ivaldi <raptor () mediaservice net>
Date: Sat, 5 Jan 2008 21:45:14 +0100 (Western Europe Standard Time)

Sachin,

On Sat, 29 Dec 2007, Chadha, Sachin wrote:

> Hi All,
>
> How can we bypass Authentication (without giving a password) on a
> Solaris/Linux server using Telnet/SSH and gain root privileges?
>
> Is there any Exploit Available?
>
> I know one for Solaris 10. Any other?

Just a couple of hints off the top of my head:

http://milw0rm.com/exploits/3293 <- probably the one you mention
http://milw0rm.com/exploits/57 <- one of my personal all time favs;)

Besides these obvious examples, there are dozens of different tricks to bypass authentication with Telnet, SSH, and other services as well, depending on target configuration: think about PAM (I recall a nasty bug specific to OpenSSH 3.7.1p1 that allowed remote authentication bypass, if some simple conditions were met), Kerberos, hosts.equiv and .rhosts, SSH pubkeys, and all kinds of implicit or explicit trusts... Not to mention pre-authentication overflows and the like.

Finally, especially on private networks, it's not uncommon to find accounts with predictable passwords. Therefore, sometimes an actual authentication bypass exploit is not even needed;)

Cheers,

--
Marco Ivaldi, OPST
Chief Security Officer    Data Security Division
@ Mediaservice.net Srl    http://mediaservice.net/
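The trust mechanisms Marco lists (hosts.equiv/.rhosts, host-based SSH auth, empty passwords, direct root login) are the ones a defender should audit first. The following is an added example, not code from the thread: it parses an sshd_config and an rhosts-style file and flags the settings that re-enable those shortcuts. Option names and the "first value wins" rule follow sshd_config(5); the sample inputs are constructed.

```python
"""Flag sshd_config settings and rhosts-style trust entries that weaken
authentication. Illustrative code, not part of the original post."""

# option (lower-cased) -> (risky value, why it matters). Constructed table;
# values other than these are left alone.
RISKY_OPTIONS = {
    "permitemptypasswords": ("yes", "accounts with no password can log in"),
    "permitrootlogin": ("yes", "root can authenticate directly over SSH"),
    "hostbasedauthentication": ("yes", "hosts.equiv/.shosts trust is honoured"),
    "ignorerhosts": ("no", "~/.rhosts and ~/.shosts are consulted"),
}

def parse_sshd_config(text):
    """Return {option: value} keeping the FIRST occurrence of each option,
    because sshd uses the first value it reads and ignores later ones."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)   # "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings

def audit_sshd_config(text):
    """List risky sshd_config settings as 'option=value: reason' strings."""
    settings = parse_sshd_config(text)
    return [f"{opt}={bad}: {why}"
            for opt, (bad, why) in RISKY_OPTIONS.items()
            if settings.get(opt, "").lower() == bad]

def audit_equiv_file(text):
    """Flag hosts.equiv/.rhosts lines whose host or user field is the
    '+' wildcard, i.e. trust granted to every host or every user."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        fields = line.split("#", 1)[0].split()       # drop trailing comments
        if fields and (fields[0] == "+" or (len(fields) > 1 and fields[1] == "+")):
            findings.append(f"line {n}: wildcard trust '{line.strip()}'")
    return findings

if __name__ == "__main__":
    # Constructed sample inputs
    SAMPLE_CFG = "PermitRootLogin yes\nIgnoreRhosts no\nPermitRootLogin no\n"
    SAMPLE_EQUIV = "+\nhost1 bob\nhost2 +\n# comment\n"
    for f in audit_sshd_config(SAMPLE_CFG) + audit_equiv_file(SAMPLE_EQUIV):
        print(f)
```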

