Star Easy Solaris 10 Telnet Exploit Found
Linked by Thom Holwerda on Mon 12th Feb 2007 18:30 UTC, submitted by stare
Sun Solaris, OpenSolaris If you've got Solaris with telnet running, you could be in for a big surprise. There is a fairly trivial Solaris telnet 0-day exploit in the wild [.pdf]. "This was posted to Full-Disclosure. Remote root exploit in the Solaris 10/11 telnet daemon. It doesn't require any skill, any exploit knowledge, and can be scripted for mass attacks. Basically if you pass a '-fusername' as an argument to the –l option you get full access to the OS as the user specified. In my example I do it as bin but it worked for regular users, just not for root. This combined with a reliable local privilege escalation exploit would be devastating. Expect mass scanning and possibly the widespread exploitation of this vulnerability."
E-mail Print r 0   43 Comment(s) http://osne.ws/daw
Thread beginning with comment 211858
To view parent comment, click here.
To read all comments associated with this story, please click here.
RE: This is not an Exploit
by stare on Mon 12th Feb 2007 19:09 UTC in reply to "This is not an Exploit"
stare
Member since:
2005-07-06

Plain simple, although it's a serious BUG on the telnet daemon service, I won't consider it as an "EXPLOIT".
Well, this bug will be exploited :-)

Third, why use Telnet on the wild?
Telnetd is enabled by default on Solaris 10.

Reply Parent Bookmark Score: 4

RE[2]: This is not an Exploit
by fsckit on Mon 12th Feb 2007 19:51 in reply to "RE: This is not an Exploit"
fsckit Member since:
2006-09-24

Ummm no it's not. You have the option of turning it on during install but that is most definately not the same as being on by default.

Reply Parent Bookmark Score: 3

RE[3]: This is not an Exploit
by stare on Mon 12th Feb 2007 20:41 in reply to "RE[2]: This is not an Exploit"
stare Member since:
2005-07-06

Only starting with recent revisions. Solaris 10 u1 and previous versions enabled telnet by default.

Reply Parent Bookmark Score: 4

Read more of this thread... >
RE[2]: This is not an Exploit
by Priest on Tue 13th Feb 2007 09:31 in reply to "RE: This is not an Exploit"
Priest Member since:
2006-05-12

>"Telnetd is enabled by default on Solaris 10."

I don't believe this is the case, but without doing a fresh install I can't be positive.

Can anyone else comment on this?

Reply Parent Bookmark Score: 2

RE[3]: This is not an Exploit
by jziegler on Tue 13th Feb 2007 13:05 in reply to "RE[2]: This is not an Exploit"
jziegler Member since:
2005-07-14

Yes, it is. If you install S10, S10u1 or S10u2, the "full install", in.telnetd is running. Only in the latest release, S10u3, you have the option to install it "secure by default". In that case, the only internet-listening daemon is sshd. All other are either stopped, or are listening on 127.0.0.1 only.

Reply Parent Bookmark Score: 2