Friday, January 11, 2002

Solaris login exploit seen in the wild

A little birdie just told me that the Solaris/SPARC exploit for the buffer overflow in /bin/login is 'in the wild'. I have also received a binary executable of the exploit.

Available now to 'black hats' is a remote exploit that overflows /bin/login's handling of the TTYPROMPT environment variable (CERT advisory CA-2001-34, CVE-2001-0797). The overflow is reachable over the network because telnetd passes client-supplied environment variables, TTYPROMPT included, straight through to login before any password is checked; the CERT advisory notes that rlogind does the same, so port 513 deserves the same scrutiny as port 23. A local exploit should also be expected, allowing anybody who can execute code on an unpatched Solaris host to become superuser, since login runs with root privilege and the overflow does not depend on telnet at all.

Any internet-accessible Solaris host with port 23 open that has not already been patched should be assumed to have been compromised, not merely to be vulnerable; the honest response is to rebuild it from known-good media, not just to apply the patch after the fact. Internal hosts are also at risk if not patched: anyone already on the network can reach their telnet ports, and the local variant turns any shell account into root.

All of the outsourced hosts with which I am familiar (the ones we audited back in '99) either block telnet entirely, or reject telnet login attempts from arbitrary internet addresses via 'tcp wrappers'. This 'protection' is not an excuse not to apply the Sun patch.
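The two telnet postures described above (telnet blocked entirely, or wrapped so that only listed addresses ever reach a login prompt) can be audited from a host's inetd.conf and tcp_wrappers files. The script below is an added example, not code from the original post or from Sun: it assumes the classic inetd.conf / hosts.allow / hosts.deny layout (telnet wrapped by launching tcpd from inetd), the hypothetical function names telnet_inetd_state, telnet_wrapper_policy and telnet_verdict, and a sample directory it creates itself; every file it reads is a constructed sample, not a capture from a real host.

```shell
#!/bin/sh
# Added example (not from the original post): classify a host's telnet exposure
# from its inetd.conf, hosts.allow and hosts.deny. File contents below are
# constructed samples, not captures from a real host. Function names and the
# sample directory are assumptions made for this example.

# telnet_inetd_state INETD_CONF
# prints "disabled" (no active telnet line), "wrapped" (telnet started via
# tcpd) or "exposed" (in.telnetd launched directly).
telnet_inetd_state() {
    # field 6 of an inetd.conf line is the server program; ignore comment lines
    prog=$(grep -v '^[[:space:]]*#' "$1" | awk '$1 == "telnet" { print $6; exit }')
    case "$prog" in
        "")           echo disabled ;;
        */tcpd|tcpd)  echo wrapped ;;
        *)            echo exposed ;;
    esac
}

# telnet_rules FILE
# prints the client list of every active hosts.allow/hosts.deny rule whose
# daemon list covers in.telnetd (either "in.telnetd" or "ALL").
telnet_rules() {
    grep -v '^[[:space:]]*#' "$1" | awk -F: '
        NF >= 2 {
            d = $1; c = $2
            gsub(/^[ \t]+|[ \t]+$/, "", d); gsub(/^[ \t]+|[ \t]+$/, "", c)
            if (d == "ALL" || index(d, "in.telnetd") > 0) print c
        }'
}

# telnet_wrapper_policy HOSTS_ALLOW HOSTS_DENY
# "restricted": hosts.deny denies in.telnetd by default and hosts.allow grants
#               it to an explicit client list only (possibly to nobody);
# "open":       no default deny, or an allow-all rule that cancels it.
telnet_wrapper_policy() {
    if ! telnet_rules "$2" | grep -qx 'ALL'; then
        echo open; return
    fi
    if telnet_rules "$1" | grep -qx 'ALL'; then
        echo open; return
    fi
    echo restricted
}

# telnet_verdict INETD_CONF HOSTS_ALLOW HOSTS_DENY
# one-line summary of who can reach the login prompt on this host
telnet_verdict() {
    case "$(telnet_inetd_state "$1")" in
        disabled) echo "telnet disabled in inetd.conf" ;;
        exposed)  echo "telnet exposed: in.telnetd launched without tcpd" ;;
        wrapped)  echo "telnet wrapped, tcp_wrappers policy: $(telnet_wrapper_policy "$2" "$3")" ;;
    esac
}

# --- constructed sample files (not from any real host) ---
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/inetd.exposed" <<'EOF'
ftp     stream  tcp  nowait  root  /usr/sbin/in.ftpd     in.ftpd
telnet  stream  tcp  nowait  root  /usr/sbin/in.telnetd  in.telnetd
EOF
cat > "$SAMPLE_DIR/inetd.wrapped" <<'EOF'
telnet  stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd
EOF
cat > "$SAMPLE_DIR/inetd.disabled" <<'EOF'
#telnet stream  tcp  nowait  root  /usr/sbin/in.telnetd  in.telnetd
EOF
cat > "$SAMPLE_DIR/hosts.deny" <<'EOF'
ALL: ALL
EOF
cat > "$SAMPLE_DIR/hosts.deny.empty" <<'EOF'
# no default deny at all
EOF
cat > "$SAMPLE_DIR/hosts.allow.restricted" <<'EOF'
in.telnetd: 192.0.2.0/255.255.255.0
sshd: ALL
EOF
cat > "$SAMPLE_DIR/hosts.allow.open" <<'EOF'
ALL: ALL
EOF

# --- demo over the samples ---
for inetd in exposed wrapped disabled; do
    echo "inetd.$inetd + restricted wrappers: $(telnet_verdict "$SAMPLE_DIR/inetd.$inetd" "$SAMPLE_DIR/hosts.allow.restricted" "$SAMPLE_DIR/hosts.deny")"
done
echo "inetd.wrapped + allow-all rule:     $(telnet_verdict "$SAMPLE_DIR/inetd.wrapped" "$SAMPLE_DIR/hosts.allow.open" "$SAMPLE_DIR/hosts.deny")"
echo "inetd.wrapped + no default deny:    $(telnet_verdict "$SAMPLE_DIR/inetd.wrapped" "$SAMPLE_DIR/hosts.allow.restricted" "$SAMPLE_DIR/hosts.deny.empty")"
```

Note what the verdict does and does not say: it tells you who can reach the login prompt, which is all tcp_wrappers can control. A "wrapped, restricted" host is still exploitable by anyone on the allowed networks and by any local account, which is why the check never reports "patched"; only the Sun patch closes the hole.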