Solaris Telnet 0day or Embarrassment

johannes ullrich from the sans isc sent this to me and then i saw it on the dshield list:

if you run solaris, please check if you got telnet enabled now. if you
can, block port 23 at your perimeter. there is a fairly trivial solaris
telnet 0-day.

telnet -l "-froot" [hostname]

will give you root on many solaris systems with default installs.
we are still testing. please use our contact form at

https://isc.sans.org/contact.html

if you have any details about the use of this exploit.

you mean they still use telnet?!

others mentioned the aix rlogin vulnerability (identical) from 1994:
http://www.cert.org/advisories/ca-1994-09.html

update from hd moore:
“but this bug isn’t -froot, it’s -fanythingbutroot =p”

on the exploits@ mailing list and on dshield this vulnerability was
verified as real.

if sun doesn’t yet block port 23/tcp incoming on their /8, i’d make it a
strong suggestion.

anyone else running solaris?
i made a joke on this being a pr stunt for people to download solaris (to test this vulnerability), as apparently downloads are somewhat slow at the moment. :)

gadi evron,
ge@beyondsecurity.com.
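
A defender-side check for the pattern above, as an added example that is not part of the original post: it parses Telnet NEW-ENVIRON subnegotiations (RFC 1572), which is how `telnet -l` normally carries the login name, and flags any USER value starting with `-`, which covers both `-froot` and the `-fanythingbutroot` variant. The function names and the sample byte strings are constructed for illustration.

```python
# Added example. Constants come from RFC 854 (Telnet) and RFC 1572 (NEW-ENVIRON).
IAC, SB, SE, NEW_ENVIRON = 255, 250, 240, 39
IS, INFO = 0, 2                        # first payload byte, client to server
VAR, VALUE, ESC, USERVAR = 0, 1, 2, 3  # markers inside the payload

def subnegotiations(stream):
    """Yield (option, payload) for every complete IAC SB ... IAC SE block."""
    i = 0
    while i + 2 < len(stream):
        if stream[i] != IAC:
            i += 1
        elif stream[i + 1] != SB:
            i += 3 if 251 <= stream[i + 1] <= 254 else 2  # WILL/WONT/DO/DONT carry an option byte
        else:
            opt, j, payload = stream[i + 2], i + 3, bytearray()
            while j + 1 < len(stream) and stream[j:j + 2] != bytes([IAC, SE]):
                payload.append(stream[j])
                j += 2 if stream[j] == IAC else 1  # IAC IAC is one escaped 0xff
            if j + 1 < len(stream):                # terminator found, block is complete
                yield opt, bytes(payload)
            i = j + 2

def env_vars(payload):
    """Parse an IS/INFO payload into {name: value}; ESC quotes the next byte."""
    if not payload or payload[0] not in (IS, INFO):
        return {}
    tokens, i = [], 1
    while i < len(payload):
        if payload[i] in (VAR, VALUE, USERVAR):
            tokens.append((payload[i], bytearray()))
        elif tokens:
            if payload[i] == ESC and i + 1 < len(payload):
                i += 1                             # take the quoted byte literally
            tokens[-1][1].append(payload[i])
        i += 1
    out, name = {}, None
    for kind, data in tokens:
        name = data.decode("latin-1") if kind != VALUE else name
        if name is not None:
            out[name] = data.decode("latin-1") if kind == VALUE else ""
    return out

def suspicious_users(stream):
    """USER values that start with '-', which login would read as an option."""
    return [u for opt, p in subnegotiations(stream) if opt == NEW_ENVIRON
            for u in [env_vars(p).get("USER", "")] if u.startswith("-")]

# Constructed client-to-server captures: IAC WILL NEW-ENVIRON, then the USER variable.
SAMPLE_BENIGN = b"\xff\xfb\x27\xff\xfa\x27\x00\x00USER\x01alice\xff\xf0"
SAMPLE_FLAGGED = b"\xff\xfb\x27\xff\xfa\x27\x00\x00USER\x01-froot\xff\xf0"
```

`suspicious_users(SAMPLE_FLAGGED)` returns `["-froot"]` and the benign capture returns an empty list; the older ENVIRON option (36) is not handled here.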

  • Ant

    Doesn’t this date from 1994? …

  • sunshine

    Yep, for another OS. Not a 0day either but rather fully disclosed, but that’s what the definition has become.

  • http://www.xyberpix.com xyberpix

    This is just so amusing, as I recently went on a couple of Solaris 10 courses at Sun, and they were still teaching people to use telnet to get from one host to another!

    I mentioned the security implications and was told that on a secure network, telnet is fine!!

    bwhahahahaha

  • Reyco

    Yep. I tested on a few servers (Solaris X86) and sparc boxes and it works. Tested on Solaris 10 Rel 11/06 Sparc, Solaris 10 06/06 X86.

  • Mike

    Wow, this is great information. I was wondering if other software was affected by a similar flaw!

    This is very serious, probably the most serious flaw to come out this year.

  • Brad Powell

    Another thing that will help. In Solaris 9 and 10 tcp wrappers are built-in.
    edit /etc/default/inetd
    ENABLE_TCPWRAPPERS=YES

    build a /etc/hosts.allow and /etc/hosts.deny
    At least you can restrict which IP addresses can connect to in.telnetd (and any other inetd service for that matter)

  • http://xxxxx.com aloner

    o fuck it was gotten from 1994?
    where is the latest and there is nothing for down