Solaris Telnet 0day or Embarrassment

johannes ullrich from the sans isc sent this to me and then i saw it on the dshield list:

if you run solaris, please check if you got telnet enabled now. if you
can, block port 23 at your perimeter. there is a fairly trivial solaris
telnet 0-day.

telnet -l "-froot" [hostname]

will give you root on many solaris systems with default installs
we are still testing. please use our contact form at
https://isc.sans.org/contact.html
if you have any details about the use of this exploit.

you mean they still use telnet?!

others mentioned the aix rlogin vulnerability (identical) from 1994:
http://www.cert.org/advisories/ca-1994-09.html

update from hd moore:
“but this bug isn't -froot, it's -fanythingbutroot =p”

on the exploits@ mailing list and on dshield this vulnerability was
verified as real.

if sun doesn’t yet block port 23/tcp incoming on their /8, i’d make it a
strong suggestion.

anyone else running solaris?
i made a joke on this being a pr stunt for people to download solaris (to test this vulnerability), as apparently downloads are somewhat slow at the moment. :)

gadi evron,
ge@beyondsecurity.com.


9 Comments:

  1. Doesn’t this date from 1994? …

  2. Yep, for another OS. Not a 0day either but rather fully disclosed, but that’s what the definition has become.

  3. This is just so amusing, as I recently went on a couple of Solaris 10 courses at Sun, and they were still teaching people to use telnet to get from one host to another!

    I mentioned the security implications and was told that on a secure network, telnet is fine!!

    bwhahahahaha

  4. Solaris: Forgot the root password? Not so bad……

    Anyone who has forgotten the root password to their Solaris box doesn't need to reboot. Since telnet is enabled by default and has a nasty 0-day bug, you can simply log in with telnet -l "-froot" hostname. OK, on newer ve…

  5. Yep. I tested on a few servers (Solaris X86) and sparc boxes and it works. Tested on Solaris 10 Rel 11/06 Sparc, Solaris 10 06/06 X86

  6. Wow, this is great information. I was wondering if other software was affected by a similar flaw!

    This is very serious, probably the most serious flaw to come out this year.

  7. Another thing that will help. In Solaris 9 and 10 tcp wrappers are built-in.
    edit /etc/default/inetd
    ENABLE_TCPWRAPPERS=YES

    build a /etc/hosts.allow and /etc/hosts.deny
    At least you can restrict which IP addresses can connect to in.telnetd (and any other inetd service for that matter)

  8. Bulletin 00085 - 22/02/2007…

    1.- Two new security flaws in Firefox 2.- Unauthorized deletion of files via rm in……

  9. o fuck it was gotten from 1994?
    where is the latest and there is nothing for down
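
One way to check the settings suggested in comment 7 (ENABLE_TCPWRAPPERS=YES plus hosts.allow/hosts.deny rules covering in.telnetd), as an added example that is not part of the original post or its comments. It is meant to be run against copies of the files on a host with POSIX tools; the function names and the inetd.conf-style input file are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit copies of the files named in the advice above.
# Paths are arguments; the inetd.conf-style file is an assumption of this example.

# 0 if an uncommented telnet service line exists in an inetd.conf-style file.
telnet_in_inetd_conf() {
    grep -Eq '^[[:space:]]*telnet[[:space:]]' "$1" 2>/dev/null
}

# 0 if ENABLE_TCPWRAPPERS=YES is present and not commented out.
wrappers_enabled() {
    grep -Eq '^ENABLE_TCPWRAPPERS=YES[[:space:]]*$' "$1" 2>/dev/null
}

# 0 if the hosts.allow/hosts.deny-style file has a rule whose daemon list
# names in.telnetd or ALL and whose client list is exactly ALL.
rule_matches_all() {
    awk -F: '
        /^[ \t]*#/ || NF < 2 { next }
        {
            d = " " $1 " "; gsub(/[,\t]/, " ", d)
            c = $2; gsub(/[ \t]/, "", c)
            if ((d ~ / in\.telnetd / || d ~ / ALL /) && c == "ALL") found = 1
        }
        END { exit !found }' "$1" 2>/dev/null
}

# Print findings; return 0 only if telnet is off or fenced by TCP wrappers.
audit_telnet() {
    inetd_conf=$1; defaults=$2; allow=$3; deny=$4; rc=0
    if ! telnet_in_inetd_conf "$inetd_conf"; then
        echo "OK: no active telnet line in $inetd_conf"
        return 0
    fi
    wrappers_enabled "$defaults" ||
        { echo "FAIL: ENABLE_TCPWRAPPERS=YES not set in $defaults"; rc=1; }
    rule_matches_all "$deny" ||
        { echo "FAIL: $deny has no default deny covering in.telnetd"; rc=1; }
    if rule_matches_all "$allow"; then
        echo "FAIL: $allow lets every address reach in.telnetd"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: in.telnetd is restricted by TCP wrappers"
    return "$rc"
}

# Usage: sh audit.sh inetd.conf inetd.default hosts.allow hosts.deny
if [ "$#" -eq 4 ]; then audit_telnet "$@"; fi
```

A commented-out ENABLE_TCPWRAPPERS line or a hosts.allow entry of `in.telnetd: ALL` is reported as a failure, since either one leaves the service reachable from any address.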
