1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
|
Rule:
--
Sid:
3147
--
Summary:
This event is generated when an attempt is made to exploit a known
buffer overflow vulnerability affecting "login" via Telnet.
--
Impact:
Serious. Unauthorized administrative access to the target host.
--
Detailed Information:
The login binary is used when establishing an interactive session on a
system. It is used locally and by protocols that allow remote access. A
buffer overflow condition exists in some versions of login that can be
triggered by the manipulation of environment variables.
This event is generated when an attempt is made to overflow login via
telnet by manipulating the TTYPROMPT environment variable.
--
Affected Systems:
Systems using Sys V derived login
--
Attack Scenarios:
An attacker can overflow a buffer by inserting 6 bytes of data followed
by 65 characters and a newline into the TTYPROMPT variable.
--
Ease of Attack:
Simple.
--
False Positives:
None known.
--
False Negatives:
None known.
--
Corrective Action:
Ensure the system is using an up to date version of the software and has
had all vendor supplied patches applied.
--
Contributors:
Sourcefire Vulnerability Research Team
Brian Caswell <bmc@sourcefire.com>
Nigel Houghton <nigel.houghton@sourcefire.com>
--
Additional References:
--
|
