
If you've got Solaris with telnet running, you could be in for a big surprise. There is a fairly trivial Solaris telnet 0-day exploit in the wild [.pdf].
"This was posted to Full-Disclosure. Remote root exploit in the Solaris 10/11 telnet daemon. It doesn't require any skill, any exploit knowledge, and can be scripted for mass attacks. Basically if you pass a '-fusername' as an argument to the l option you get full access to the OS as the user specified. In my example I do it as bin but it worked for regular users, just not for root. This combined with a reliable local privilege escalation exploit would be devastating. Expect mass scanning and possibly the widespread exploitation of this vulnerability."
Member since:
2005-07-08
Solaris does not allow root logins from remote consoles in the first place regardless of protocol. In order for this to be a remote root exploit, the /etc/default/login file would have to be changed to allow remote root logins.
Build 56 of Solaris Express disables telnet by default, and it is a trivial matter to disable telnet:
svcadm disable telnet
Or for the ultra paranoid:
pkgrm SUNWtnetc
pkgrm SUNWtnetd
pkgrm SUNWtnetr
According to a message sent out by David Comay, Sun should be releasing an Interim Patch for this issue later today.
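
An added audit sketch, not part of the comment above or of any Sun tooling: it reports the two settings the comment discusses, the state of the telnet service and whether /etc/default/login still carries an active CONSOLE= line restricting root to the console. The function names and sample data are constructed; the telnet FMRI svc:/network/telnet and the `svcs -H -o state,fmri` column layout are assumed.

```shell
#!/bin/sh
# Added example: function names and sample input are constructed.

# console_restricted FILE: true if FILE has an active (uncommented) CONSOLE=
# line with a value. An empty or commented-out value is treated as
# "not restricted" so that it is reported as a finding.
console_restricted() {
    grep -Eq '^[[:space:]]*CONSOLE=.+' "$1"
}

# telnet_state: reads `svcs -H -o state,fmri` style lines on stdin and prints
# the state of the telnet service, or "absent" if no such instance is listed.
telnet_state() {
    awk '$2 ~ /^svc:\/network\/telnet(:|$)/ { print $1; found = 1; exit }
         END { if (!found) print "absent" }'
}

# audit LOGIN_FILE SVCS_FILE: one-line summary of both settings.
audit() {
    state=$(telnet_state < "$2")
    if console_restricted "$1"; then
        root=console-only
    else
        root=remote-allowed
    fi
    echo "telnet=$state root=$root"
}

# sample_audit: runs the audit over constructed input (CONSOLE line commented
# out, telnet online), i.e. the worst case described in the comment.
sample_audit() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' '# CONSOLE=/dev/console' 'PASSREQ=YES' > "$dir/login"
    printf '%s\n' 'online svc:/network/ssh:default' \
                  'online svc:/network/telnet:default' > "$dir/svcs"
    audit "$dir/login" "$dir/svcs"
    rm -rf "$dir"
}

# On a live host (assumed usage, not run here):
#   svcs -H -o state,fmri > /tmp/svcs.out
#   audit /etc/default/login /tmp/svcs.out
```

Anything other than telnet=disabled or telnet=absent means the service still needs `svcadm disable telnet` or removal of the packages listed above.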