Solaris telnetd Analysis
From Solaris telnetd Analysis - SecuriTeam Blogs
-----------------------------------
kcope has put out a short PDF paper on why the vulnerability in telnetd happens. The relevant code is in two places: the execl() in in.telnetd, and the option parsing in login.
/usr/src/cmd/cmd-inet/usr.sbin/in.telnetd.c
    } else /* default, no auth. info available, login does it all */ {
        (void) execl(LOGIN_PROGRAM, "login",
            "-p", "-h", host, "-d", slavename,
            getenv("USER"), 0);
    }
/usr/src/cmd/login/login.c
        break;

    case 'f':
        /*
         * Must be root to bypass authentication
         * otherwise we exit() as punishment for trying.
         */
        if (getuid() != 0 || geteuid() != 0) {
            audit_error = ADT_FAIL_VALUE_AUTH_BYPASS;

            login_exit(1); /* sigh */
            /*NOTREACHED*/
        }
        /* save fflag user name for future use */
        SCPYL(user_name, optarg);
        fflag = B_TRUE;
As you can see, the comment "Must be root to bypass authentication" should already raise some worries, but what is funnier is that we do not need to be root ourselves. in.telnetd runs as root and execs login with the client-supplied USER value as the last argument, with no "--" separator and no check on its contents. Requesting a user name other than 'root', namely "-froot", therefore reaches login's getopt loop as the option -f with the argument root. The getuid()/geteuid() check passes because the caller is in.telnetd, not us, so fflag is set, user_name becomes root, and login hands out root access without ever asking for a password.