
If you've got Solaris with telnet running, you could be in for a big surprise. There is a fairly trivial Solaris telnet 0-day exploit in the wild [.pdf].
"This was posted to Full-Disclosure. Remote root exploit in the Solaris 10/11 telnet daemon. It doesn't require any skill or any exploit knowledge, and can be scripted for mass attacks. Basically, if you pass a '-fusername' as an argument to the -l option you get full access to the OS as the user specified. In my example I do it as bin, but it worked for regular users, just not for root. This combined with a reliable local privilege escalation exploit would be devastating. Expect mass scanning and possibly the widespread exploitation of this vulnerability."
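The root cause described above is argument injection: a network-supplied username that starts with a dash is handed to the login program, which reads it as an option. The following is an added example (not Sun's code, and not from the Full-Disclosure post) of the server-side guard a daemon should apply before placing such a value in argv, plus a scan over constructed log lines for the pattern; the argv layout and log format are assumptions.

```python
import re

# A portable POSIX username starts with a letter or underscore; it can never
# start with '-', so anything option-like is rejected before it reaches argv.
_SAFE_USER = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def username_is_argument_safe(user: str) -> bool:
    """True when `user` cannot be parsed as an option by a child program."""
    return bool(_SAFE_USER.match(user))


def build_login_argv(host: str, user: str) -> list[str]:
    """Assumed argv shape for spawning login; refuses option-like usernames.

    The exact command the Solaris daemon built is not on the page; the point is
    that the untrusted value is validated before it becomes an argument.
    """
    if not username_is_argument_safe(user):
        raise ValueError(f"refusing option-like username: {user!r}")
    return ["/bin/login", "-h", host, user]


def flag_option_like_logins(lines: list[str]) -> list[tuple[str, str]]:
    """Return (source, user) pairs whose requested user looks like an option.

    Log format is constructed for this example: 'telnetd: user=<u> from=<ip>'.
    """
    rec = re.compile(r"telnetd: user=(\S+) from=(\S+)")
    hits = []
    for line in lines:
        m = rec.search(line)
        if m and not username_is_argument_safe(m.group(1)):
            hits.append((m.group(2), m.group(1)))
    return hits


# Constructed sample lines: one ordinary login and two option-like requests.
SAMPLE_LOG = [
    "telnetd: user=alice from=10.0.0.7",
    "telnetd: user=-fbin from=10.0.0.9",
    "telnetd: user=-froot from=10.0.0.9",
]

if __name__ == "__main__":
    for src, user in flag_option_like_logins(SAMPLE_LOG):
        print(f"option-like username {user!r} requested from {src}")
```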
Plain and simple: although it's a serious BUG in the telnet daemon service, I won't consider it an "EXPLOIT".
First, you don't exploit anything; you just run the plain telnet client with the right argument.
Second, in order to get r00t, you gotta EXPLOIT something on the system, à la local privilege escalation, since logging in as root won't get you anywhere.
Third, why use Telnet in the wild? Why use OpenSSH or SunSSH on port 22 tcp in the wild?
Easy admins, next->next->next->ok