Scary Solaris, AIX Hole Unearthed

Eugenia Loli, 2001-12-13. Privacy, Security

“Researchers have discovered that hackers are already developing tools to take advantage of a hole that could allow the takeover of key servers in corporations and universities.” Read the rest of the story at ZDNews.

3 Comments

2001-12-13 8:57 pm
I thought that “telnet” was already held in bad favor, and that ssh was much preferred. Anyway, I didn’t see any mention in the article about the same vulnerability in Linux…

2001-12-13 9:18 pm
Well, there is no mention about the same vulnerability in Linux, nor in FreeBSD, NetBSD, OpenBSD, Atheos, BeOS, AmigaOS, and so on…. Maybe because the researchers were more interested in what could allow the takeover of key servers in corporations and universities, servers run by Solaris or AIX? Telnet is in bad favor, and any system using it is vulnerable.

2001-12-13 10:12 pm
The vulnerability is in /bin/login, not in telnet. ssh on most Solaris / AIX boxes *still* uses /bin/login. The vulnerability only exists in SYSV-derived login, not BSD-derived login, so the *BSDs and Linux are safe, not because of telnet or lack thereof, but simply because their logins don’t have this particular buffer overflow.

Use your brains, people. “telnet bad, ssh good” is not a universal solution to all security problems. Sun boxes with telnet disabled and ssh enabled are still likely to be vulnerable (although the particular script in circulation currently relies on telnet, it could be adapted to use ssh instead).