patch to Bro to detect the newly announced Solaris Telnet remote exploit

Vern Paxson vern at icir.org
Wed Oct 2 21:37:37 PDT 2002


The following patch creates a new event, login_prompt, which you can then
examine in your policy script.  The "right" approach would be to modify
Bro to send up the entire Telnet environment, since it's already extracting
$DISPLAY and $TERM as well as now $TTYPROMPT; but for expediency I just
added $TTYPROMPT as a separate event, similar to the other two.

This will be incorporated in the next "current" release.

		Vern


*** Login.cc	2002/09/15 16:14:31	1.11
--- Login.cc	2002/10/03 00:13:16
***************
*** 348,353 ****
--- 348,363 ----
  
  			mgr.QueueEvent(login_display, vl);
  			}
+ 
+ 		else if ( login_prompt && streq(name, "TTYPROMPT") )
+ 			{
+ 			val_list* vl = new val_list;
+ 
+ 			vl->append(BuildConnVal());
+ 			vl->append(new StringVal(val));
+ 
+ 			mgr.QueueEvent(login_prompt, vl);
+ 			}
  		}
  
  	delete name;
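Review bot: The new `else if` branch is a verbatim copy of the `login_display` branch above it with only the event handle swapped, and nothing in the code says why `TTYPROMPT` in particular is being lifted to its own event; the enclosing function begins and ends outside this hunk, so a reader of the analyzer sees three identical blocks with no hint that this one exists for an exploit signature. A one-line comment on the branch would carry that, e.g. `// TTYPROMPT is surfaced separately so policy can flag the Solaris telnet/login bypass (see login.bro); its value is client-supplied.` If a fourth environment variable is ever added the same way, the three branches are a candidate for one helper that takes the `Func*` and the value, since they differ in nothing else; that refactor is outside what this patch needs.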
*** NetVar.h	2002/10/01 23:45:17	1.68
--- NetVar.h	2002/10/03 00:13:46
***************
*** 134,139 ****
--- 134,140 ----
  extern Func* login_confused_text;
  extern Func* login_terminal;
  extern Func* login_display;
+ extern Func* login_prompt;
  extern Func* excessive_line;
  
  extern Func* authentication_accepted;
*** NetVar.cc	2002/10/01 23:45:17	1.72
--- NetVar.cc	2002/10/03 00:13:54
***************
*** 130,135 ****
--- 130,136 ----
  Func* login_confused_text;
  Func* login_terminal;
  Func* login_display;
+ Func* login_prompt;
  Func* excessive_line;
  
  Func* authentication_accepted;
***************
*** 393,398 ****
--- 394,400 ----
  	login_confused_text = internal_func("login_confused_text");
  	login_terminal = internal_func("login_terminal");
  	login_display = internal_func("login_display");
+ 	login_prompt = internal_func("login_prompt");
  	excessive_line = internal_func("excessive_line");
  
  	authentication_accepted = internal_func("authentication_accepted");
*** bro.init	2002/10/01 23:38:16	1.127
--- bro.init	2002/10/03 00:13:28
***************
*** 573,578 ****
--- 573,579 ----
  global login_confused_text: event(c: connection, line: string);
  global login_terminal: event(c: connection, terminal: string);
  global login_display: event(c: connection, display: string);
+ global login_prompt: event(c: connection, prompt: string);
  global excessive_line: event(c: connection);
  
  global authentication_accepted: event(name: string, c: connection);
*** login.bro	2002/09/23 22:23:01	1.26
--- login.bro	2002/10/03 00:17:39
***************
*** 407,412 ****
--- 407,418 ----
  		hot_login(c, fmt("%s term %s", id_string(c$id), terminal), "trb");
  	}
  
+ event login_prompt(c: connection, prompt: string)
+ 	{
+ 	# Could check length >= 6, per Solaris exploit ...
+ 	hot_login(c, fmt("%s $TTYPROMPT %s", id_string(c$id), prompt), "trb");
+ 	}
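Review bot: The handler calls `hot_login` for every connection that exports `TTYPROMPT`, while the comment on the line above it says the exploit is characterised by a value of length 6 or more; as written the length is never examined, so benign short values and the exploit pattern produce the same alert. If the intent is to alert on any `TTYPROMPT` at all (rare in legitimate traffic, which is defensible), the comment should say so; otherwise guard the call with the length test, e.g. `if ( byte_len(prompt) >= 6 )` (or whichever string-length builtin this Bro version provides) and keep the unconditional path as a lower-severity note. `prompt` is attacker-controlled and is interpolated into the alert text unchanged, so if `hot_login` does not escape its message it is worth confirming that control characters in it cannot corrupt the log line.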
+ 
  event excessive_line(c: connection)
  	{
  	if ( is_login_conn(c) )


