Re: Bypassing Authentication through Telnet / SSH

From: Marco Ivaldi (raptor@mediaservice.net)
Date: Sat Jan 05 2008 - 15:45:14 EST


Sachin,

On Sat, 29 Dec 2007, Chadha, Sachin wrote:

> Hi All,
>
> How can we bypass authentication (without giving a password) on a
> Solaris/Linux server using Telnet/SSH and gain root privileges?
>
> Is there any exploit available?
>
> I know one for Solaris 10. Any other?

Just a couple of hints off the top of my head:

http://milw0rm.com/exploits/3293 <- probably the one you mention
http://milw0rm.com/exploits/57 <- one of my personal all time favs;)

Besides these obvious examples, there are dozens of different tricks to
bypass authentication with Telnet, SSH, and other services as well,
depending on target configuration: think about PAM (I recall a nasty bug
specific to OpenSSH 3.7.1p1 that allowed remote authentication bypass, if
some simple conditions were met), Kerberos, hosts.equiv and .rhosts, SSH
pubkeys, and all kinds of implicit or explicit trusts... Not to mention
pre-authentication overflows and the like.

Finally, especially on private networks, it's not uncommon to find accounts
with predictable passwords. Therefore, sometimes an actual authentication
bypass exploit is not even needed;)

Cheers,

-- 
Marco Ivaldi, OPST
Chief Security Officer    Data Security Division
@ Mediaservice.net Srl    http://mediaservice.net/
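
A defender-side audit for two of the implicit trusts named in the message above (hosts.equiv/.rhosts and SSH pubkeys), as an added example that is not part of the original post. The function names and the sample file contents are constructed for illustration.

```python
import shlex

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-", "sk-")

# Constructed sample contents; not taken from any real host.
RHOSTS_SAMPLE = """# constructed sample
trusted.example.com alice
+ +
+@admins
-badhost.example.com
build.example.com +
"""
KEYS_SAMPLE = """# constructed sample, key material shortened
ssh-ed25519 AAAAC3Nza-constructed ops@laptop
from="10.0.0.*",command="/usr/local/bin/backup run" ssh-rsa AAAAB3Nza-constructed backup
no-pty ssh-rsa AAAAB3Nza-constructed legacy
"""

def audit_rhosts(text):
    """Flag wildcard trust in hosts.equiv / .rhosts content."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split()
        if not fields or fields[0].startswith(("#", "-")):
            continue  # blank, comment, or explicit deny entry
        host, user = fields[0], fields[1] if len(fields) > 1 else ""
        if host == "+":
            findings.append((no, "any host is trusted"))
        elif host.startswith("+@"):
            findings.append((no, "whole netgroup is trusted"))
        if user == "+":
            findings.append((no, "any remote user is trusted"))
    return findings

def audit_authorized_keys(text):
    """Flag authorized_keys entries with no from= source restriction."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            first = shlex.split(line)[0]  # quoted options stay one token
        except ValueError:
            findings.append((no, "unparseable entry"))
            continue
        options = "" if first.startswith(KEY_TYPES) else first
        if "from=" not in options:
            findings.append((no, "no from= restriction on this key"))
    return findings
```

Each finding is a `(line_number, reason)` pair, so the output can be fed to a report over every user's home directory and `/etc/hosts.equiv`.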