Solaris Telnet 0day or Embarrassment

johannes ullrich from the sans isc sent this to me and then i saw it on the dshield list:

if you run solaris, please check if you got telnet enabled now. if you
can, block port 23 at your perimeter. there is a fairly trivial solaris
telnet 0-day.

telnet -l "-froot" [hostname]

will give you root on many solaris systems with default installs.
we are still testing. please use our contact form at

if you have any details about the use of this exploit.

you mean they still use telnet?!

others mentioned the aix rlogin vulnerability (identical) from 1994:

update from hd moore:
“but this bug isn't -froot, its -fanythingbutroot =p”

on the exploits@ mailing list and on dshield this vulnerability was
verified as real.

if sun doesn’t yet block port 23/tcp incoming on their /8, i’d make it a
strong suggestion.

anyone else running solaris?
i made a joke on this being a pr stunt for people to download solaris (to test this vulnerability), as apparently downloads are somewhat slow at the moment. :)

gadi evron,
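
A detection-side example for the issue above, added here and not part of the original post or the quoted ISC message: it parses client-to-server telnet bytes for NEW-ENVIRON subnegotiations (RFC 1572) and reports any USER value that begins with "-", which is how the `-l "-froot"` argument appears on the wire. It assumes the client sends the `-l` name as the USER variable of NEW-ENVIRON (the older ENVIRON option is not handled); the leading-dash heuristic, the function names and the sample bytes are constructed for this example.

```python
IAC, SB, SE = 255, 250, 240            # RFC 854 command bytes
NEW_ENVIRON, IS, INFO = 39, 0, 2       # RFC 1572 option and sub-commands
VAR, VALUE, ESC, USERVAR = 0, 1, 2, 3  # RFC 1572 field markers

def subnegotiations(stream):
    """Yield (option, payload) for each complete IAC SB <option> ... IAC SE."""
    i, n = 0, len(stream)
    while i + 2 < n:
        if stream[i] != IAC:
            i += 1
        elif stream[i + 1] != SB:
            i += 3 if 251 <= stream[i + 1] <= 254 else 2  # WILL/WONT/DO/DONT carry an option byte
        else:
            option, payload, i = stream[i + 2], bytearray(), i + 3
            while i < n:
                literal = stream[i] != IAC
                if literal or stream[i + 1:i + 2] == bytes([IAC]):  # doubled IAC is a literal 0xFF
                    payload.append(stream[i])
                    i += 1 if literal else 2
                    continue
                if stream[i + 1:i + 2] == bytes([SE]):
                    yield option, bytes(payload)
                i += 2
                break

def env_vars(payload):
    """Parse a NEW-ENVIRON IS/INFO payload into {name: value}."""
    if not payload or payload[0] not in (IS, INFO):
        return {}
    pairs, field, it = [], None, iter(payload[1:])
    for b in it:
        if b in (VAR, USERVAR):
            pairs.append([bytearray(), bytearray()])
            field = 0
        elif b == VALUE and pairs:
            field = 1
        elif field is not None:
            pairs[-1][field].append(next(it, ESC) if b == ESC else b)
    return {bytes(k).decode("latin-1"): bytes(v).decode("latin-1") for k, v in pairs}

def suspicious_users(stream):
    """Return USER values a client sent that begin with '-' (assumed heuristic)."""
    users = (env_vars(p).get("USER", "") for opt, p in subnegotiations(stream) if opt == NEW_ENVIRON)
    return [u for u in users if u.startswith("-")]

def sample_login(user):
    """Constructed client bytes: IAC SB NEW-ENVIRON IS VAR "USER" VALUE <user> IAC SE."""
    return bytes([IAC, SB, NEW_ENVIRON, IS, VAR]) + b"USER" + bytes([VALUE]) + user + bytes([IAC, SE])
print(suspicious_users(sample_login(b"alice") + sample_login(b"-fsomeuser")))  # constructed input
```

Feed it the reassembled client side of a port 23 session; a non-empty result is worth an alert regardless of which account name follows the dash.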

  • Ant

    Doesn’t this date from 1994? …

  • sunshine

    Yep, for another OS. Not a 0day either but rather fully disclosed, but that’s what the definition has become.

  • xyberpix

    This is just so amusing, as I recently went on a couple of Solaris 10 courses at Sun, and they were still teaching people to use telnet to get from one host to another!

    I mentioned the security implications and was told that on a secure network, telnet is fine!!


  • Reyco

    Yep. I tested on a few servers (Solaris X86) and sparc boxes and it works. Tested on Solaris 10 Rel 11/06 Sparc, Solaris 10 06/06 X86.

  • Mike

    Wow, this is great information. I was wondering if other software was affected by a similar flaw!

    This is very serious, probably the most serious flaw to come out this year.

  • Brad Powell

    Another thing that will help. In Solaris 9 and 10 tcp wrappers are built-in.
    edit /etc/default/inetd

    build a /etc/hosts.allow and /etc/hosts.deny
    At least you can restrict which IP addresses can connect to in.telnetd (and any other inetd service for that matter)

  • aloner

    o fuck it was gotten from 1994?
    where is the latest and there is nothing for down