
If you've got Solaris with telnet running, you could be in for a big surprise. There is a fairly trivial Solaris telnet 0-day exploit in the wild [.pdf].
"This was posted to Full-Disclosure. Remote root exploit in the Solaris 10/11 telnet daemon. It doesn't require any skill, any exploit knowledge, and can be scripted for mass attacks. Basically if you pass a '-fusername' as an argument to the l option you get full access to the OS as the user specified. In my example I do it as bin but it worked for regular users, just not for root. This combined with a reliable local privilege escalation exploit would be devastating. Expect mass scanning and possibly the widespread exploitation of this vulnerability."
I'm not sure if there are many Solaris servers hooked up directly to the Internet *and* running telnetd so the public impact of this might be relatively minor. The situation might be different on Uni campuses though as they usually have plenty of Sun boxes which might not be properly secured (running telnet).
As stated in the article you can't use this exploit to become root on a default install, but of course regular user accounts and daemon accounts are useful in different ways (private docs, DOS attacks or data logging).
Edited 2007-02-12 18:46
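
A detection sketch for the '-fusername' argument described in the quoted post, added here and not part of the original post or comment. When a telnet client is given a login name with -l, that name travels to the server as the USER variable of the NEW-ENVIRON option (RFC 1572), so a captured client-to-server byte stream can be checked for a USER value that begins with '-'. The function names and sample byte strings are constructed for illustration, and treating every leading '-' as suspicious is an assumption.

```python
# Added example: flag telnet NEW-ENVIRON USER values that start with "-".
IAC, SB, SE = 255, 250, 240           # telnet command bytes (RFC 854/855)
NEW_ENVIRON = 39                      # option code (RFC 1572)
IS, INFO = 0, 2                       # client-to-server subnegotiation kinds
VAR, VALUE, ESC, USERVAR = 0, 1, 2, 3

def subnegotiations(stream: bytes):
    """Yield (option, payload) for each complete IAC SB ... IAC SE block."""
    i, n = 0, len(stream)
    while i < n - 1:
        if stream[i] != IAC:
            i += 1
        elif stream[i + 1] == SB and i + 2 < n:
            option, payload, j = stream[i + 2], bytearray(), i + 3
            while j < n - 1 and not (stream[j] == IAC and stream[j + 1] == SE):
                if stream[j] == IAC and stream[j + 1] == IAC:
                    j += 1            # IAC IAC encodes one literal 0xFF
                payload.append(stream[j])
                j += 1
            if j < n - 1:             # unterminated blocks are dropped
                yield option, bytes(payload)
            i = j + 2
        else:                         # WILL/WONT/DO/DONT carry an option byte
            i += 3 if 251 <= stream[i + 1] <= 254 else 2

def environ_vars(payload: bytes) -> dict:
    """Decode the VAR/USERVAR name and VALUE pairs of an IS or INFO payload."""
    if not payload or payload[0] not in (IS, INFO):
        return {}
    pairs, field, i = [], None, 1
    while i < len(payload):
        b = payload[i]
        if b in (VAR, USERVAR):
            pairs.append((bytearray(), bytearray()))
            field = pairs[-1][0]
        elif b == VALUE and pairs:
            field = pairs[-1][1]
        elif field is not None:
            if b == ESC and i + 1 < len(payload):
                i += 1                # ESC: take the next byte literally
            field.append(payload[i])
        i += 1
    return {k.decode("latin-1"): v.decode("latin-1") for k, v in pairs}

def suspicious_user(stream: bytes) -> list:
    """Return every USER value in the stream that begins with '-'."""
    users = (environ_vars(p).get("USER", "") for o, p in subnegotiations(stream)
             if o == NEW_ENVIRON)
    return [u for u in users if u.startswith("-")]

# Constructed sample streams (not captured traffic).
_HEAD = bytes([IAC, SB, NEW_ENVIRON, IS, VAR]) + b"USER" + bytes([VALUE])
BENIGN = _HEAD + b"alice" + bytes([IAC, SE])
FLAGGED = _HEAD + b"-fexampleuser" + bytes([IAC, SE])
```
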