Linked by Thom Holwerda on Mon 12th Feb 2007 18:30 UTC, submitted by stare
If you've got Solaris with telnet running, you could be in for a big surprise. There is a fairly trivial Solaris telnet 0-day exploit in the wild [.pdf]. "This was posted to Full-Disclosure. Remote root exploit in the Solaris 10/11 telnet daemon. It doesn't require any skill, any exploit knowledge, and can be scripted for mass attacks. Basically if you pass a '-fusername' as an argument to the l option you get full access to the OS as the user specified. In my example I do it as bin but it worked for regular users, just not for root. This combined with a reliable local privilege escalation exploit would be devastating. Expect mass scanning and possibly the widespread exploitation of this vulnerability."
Thread beginning with comment 211862
To read all comments associated with this story, please click here.
To read all comments associated with this story, please click here.
RE: Nothing here, move along ...
by Jimbo on Mon 12th Feb 2007 19:29
in reply to "Nothing here, move along ..."
Member since:2005-07-22
"Solaris does not allow root logins from remote consoles in the first place regardless of protocol. In order for this to be a remote root exploit, the /etc/default/login file would have to be changed to allow remote root logins."
Or you exploit an account with passwordless sudo access...
RE[2]: Nothing here, move along ...
by Robert Escue on Mon 12th Feb 2007 19:34
in reply to "RE: Nothing here, move along ..."
Member since:2005-07-08
Member since:
2005-07-08
Solaris does not allow root logins from remote consoles in the first place regardless of protocol. In order for this to be a remote root exploit, the /etc/default/login file would have to be changed to allow remote root logins.
Build 56 of Solaris Express disables telnet by default, and it is a trivial matter to disable telnet:
svcadm disable telnet
Or for the ultra paranoid:
pkgrm SUNWtnetc
pkgrm SUNWtnetd
pkgrm SUNWtnetr
According to a message sent out by David Comay Sun should be releasing an Interim Patch for this issue later today.