Sun Solaris, OpenSolaris

If you've got Solaris with telnet running, you could be in for a big surprise. There is a fairly trivial Solaris telnet 0-day exploit in the wild [.pdf].

"This was posted to Full-Disclosure. Remote root exploit in the Solaris 10/11 telnet daemon. It doesn't require any skill, any exploit knowledge, and can be scripted for mass attacks. Basically if you pass a '-fusername' as an argument to the l option you get full access to the OS as the user specified. In my example I do it as bin but it worked for regular users, just not for root. This combined with a reliable local privilege escalation exploit would be devastating. Expect mass scanning and possibly the widespread exploitation of this vulnerability."
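The flaw class described in the quote is option injection: a client-supplied user name is handed to a login-style program where it is still parsed as a flag. The following is an added example, not code from the original post or from Solaris; the toy parser, the function names and the user-name policy are assumptions made for illustration.

```python
import re

# Assumed policy: account names start with a letter or underscore, so a
# leading '-' can never be accepted as a user name.
SAFE_USER = re.compile(r"^[A-Za-z_][A-Za-z0-9_.-]{0,31}$")


def parse_login_argv(argv):
    """Toy model of a login-style parser (hypothetical, not Solaris source).

    '-fNAME' marks NAME as already authenticated, '--' ends option parsing,
    and the first remaining operand is the user to prompt for a password.
    """
    preauth = None
    rest = list(argv)
    while rest and rest[0].startswith("-"):
        arg = rest.pop(0)
        if arg == "--":
            break
        if arg.startswith("-f") and len(arg) > 2:
            preauth = arg[2:]
    operand = rest[0] if rest else None
    return {"user": preauth or operand, "password_required": preauth is None}


def build_argv_vulnerable(client_user):
    # The client-controlled string lands where options are still accepted.
    return ["-p", client_user]


def build_argv_hardened(client_user):
    # Reject anything that is not a plausible account name, and also end
    # option parsing before the name so it can only ever be an operand.
    if not SAFE_USER.match(client_user):
        raise ValueError("rejected user name: %r" % client_user)
    return ["-p", "--", client_user]


if __name__ == "__main__":
    print(parse_login_argv(build_argv_vulnerable("-fbin")))
    print(parse_login_argv(build_argv_hardened("alice")))
    try:
        build_argv_hardened("-fbin")
    except ValueError as exc:
        print(exc)
```

Either control alone stops the flag from being honoured in this model; using both means a gap in the name policy does not reopen the hole.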
by cjcox on Mon 12th Feb 2007 21:54 UTC
You have to realize that telnet is deeply entrenched in many environments. So... the argument of "don't use telnet" is NOT going to work in many places. While I certainly advocate for the destruction of telnet and ftp, there are many places that have these tools deeply embedded into their INTERNAL infrastructure.

I emphasize INTERNAL because most believe they were relatively safe running those insecure protocols on the inside of a private network.

Second, you DON'T need to use -l"-froot" to be able to compromise a remote host. All you need is a somewhat priv'd user to cause some havoc. Shoot.. do you want somebody logging in as your username? How about the id of the database user? I can think of a million of these. Sure... it's possible that a good administrator has prevented direct logins (e.g. no shell) for these accounts... but still... probably not just because nobody expected there to be a huge gaping hole in the telnet server.

So... to all who say... "ah, this is no big deal"... blurzptz to ya! This is a VERY big deal.

by sbergman27 on Mon 12th Feb 2007 22:08 in reply to "Telnet is a requirement..."
"""So... to all who say... "ah, this is no big deal"... blurzptz to ya! This is a VERY big deal."""

Indeed. Despite the antics of the "Blame the users! Blame the admins!" crowd, this truly *is* embarrassing.

As a Unix advocate since 1988, consider me suitably humiliated by this one. :-(

Well thanks to you and the previous poster we now know who the retards are that are still running telnet in 2007. You can put me in the "blame the admins" crowd if you like. I am an admin myself and would deserve to be fired if I ever even thought of turning on telnet over an open network.

