Party like it's 1994
(Posted by cwalsh)
A 0-day in Solaris {10,11} telnetd is reported.
SANS has some details.
Anyone who remembers the AIX "rlogin -froot" vuln will appreciate this one.
(h/t to KK on this one)
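For readers who do not remember the AIX bug the post alludes to, the pattern behind a "-froot" login name is argument injection: a daemon takes a user name from the network, places it into the command line it hands to a login program, and that program's getopt-style parser reads `-froot` as the option `-f root` ("already authenticated, skip the password") rather than as a user called `-froot`. The toy below is an added example written for this page; it is not Sun's or IBM's code and does not claim to reproduce what Solaris in.telnetd actually does. The user database, the `toy_login` option handling and the two daemon functions are all constructed for the illustration.

```python
"""
Added illustration of the '-froot' argument-injection pattern.
Toy model only: not the Solaris or AIX login/telnetd/rlogind sources.
"""
import re

# Constructed sample user database for the example.
PASSWORDS = {"root": "hunter2", "alice": "letmein"}

# Conservative user-name policy assumed for the hardened daemon:
# must start with a letter or underscore, so it can never look like an option.
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")


def toy_login(argv, typed_password=None):
    """Stand-in for a login program's option handling (assumed, toy).

    Accepts 'login [-f] user'. Like a getopt-style parser it also accepts the
    option argument attached to the flag, so '-froot' means '-f root'.
    '-f' means the caller already authenticated the user: no password check.
    Returns the user name that gets a shell, or None when login fails.
    """
    preauth = False
    user = None
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg == "--":
            # Everything after '--' is positional, never an option.
            user = argv[i + 1] if i + 1 < len(argv) else None
            break
        if arg.startswith("-f"):
            preauth = True
            if len(arg) > 2:
                user = arg[2:]            # '-froot' -> user 'root'
            elif i + 1 < len(argv):
                i += 1
                user = argv[i]            # '-f root'
        elif arg.startswith("-"):
            return None                   # unknown option: refuse to log in
        else:
            user = arg
        i += 1
    if user not in PASSWORDS:
        return None
    if preauth:
        return user                       # the dangerous path: no password asked
    return user if typed_password == PASSWORDS[user] else None


def vulnerable_daemon(client_user, typed_password=None):
    """Passes the client-supplied name straight through as an argument.

    A client that sends the name '-froot' is handed a root shell without
    ever being asked for a password.
    """
    argv = ["login", client_user]
    return toy_login(argv[1:], typed_password)


def hardened_daemon(client_user, typed_password=None):
    """Two independent fixes: validate the name at the trust boundary, and
    terminate option parsing with '--' so nothing after it is a flag.
    Rejected names are treated as a failed login (returns None)."""
    if not USERNAME_RE.fullmatch(client_user or ""):
        return None
    argv = ["login", "--", client_user]
    return toy_login(argv[1:], typed_password)


if __name__ == "__main__":
    print("vulnerable, name '-froot', no password:", vulnerable_daemon("-froot"))
    print("hardened,   name '-froot', no password:", hardened_daemon("-froot"))
    print("hardened,   alice with right password :", hardened_daemon("alice", "letmein"))
```

Either fix alone closes this particular hole: with `--` the name `-froot` reaches the login program as a literal user name that does not exist, and with the name check it never reaches the login program at all. Keeping both is the usual advice, because the daemon cannot know every option the program it execs will grow in later releases.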

Comments
Wait. You're mentioning a 0 day in telnet?
I mean, WTF? You're telling me there's 0day in an app that sends its auth in the clear, and then is subject to session hijacking?
Sun should be embarrassed to be shipping telnetd in 2007. Is it on by default?
Posted by: Adam | February 12, 2007 1:11 AM
I don't run Solaris 10, but I understand from folks that have tested this that yes, in.telnetd will be spawned by inetd on a default install, but that root can only login from the console.
So, out of the box, this would get you any non-root user over the network (assuming they have a useful shell -- I do not know if Solaris 10 is smart about that out of the box)
Posted by: Chris | February 12, 2007 1:32 AM
see alsos:
http://riosec.com/solaris-telnet-0-day (says it works for root)
http://erratasec.blogspot.com/2007/02/trivial-remote-solaris-0day-disable.html (says it doesn't.)
Posted by: Adam | February 12, 2007 2:33 AM
Those who cannot learn from history are doomed to repeat it.
Posted by: Nicko | February 12, 2007 11:33 AM
ah, that brings me back -- the first time I read Adam's online writings on security was back around 1994, too ;)
Posted by: Justin Mason | February 12, 2007 12:33 PM
Justin,
Are you complaining they haven't evolved since? :)
Posted by: Adam | February 13, 2007 2:33 AM
More links.. a fellow involved in the fix: http://blogs.sun.com/tpenta/entry/the_in_telnetd_vulnerability_exploit
Posted by: Adam | February 13, 2007 2:34 AM
Way cool that Sun let's us see into the process like this.
Posted by: Chris | February 13, 2007 11:07 AM
s/t's/ts/g
(ugh)
Posted by: Chris | February 13, 2007 11:11 AM