Shostack + Friends Blog Archive

 

Party like it's 1994

A 0-day in Solaris {10,11} telnetd is reported.
SANS has some details.
Anyone who remembers the AIX “rlogin -froot” vuln will appreciate this one.
(h/t to KK on this one)

9 comments on "Party like it's 1994"

  • Adam says:

    Wait. You’re mentioning a 0 day in telnet?
    I mean, WTF? You’re telling me there’s 0day in an app that sends its auth in the clear, and then is subject to session hijacking?
    Sun should be embarrassed to be shipping telnetd in 2007. Is it on by default?

  • Chris says:

    I don’t run Solaris 10, but I understand from folks that have tested this that yes, in.telnetd will be spawned by inetd on a default install, but that root can only login from the console.
    So, out of the box, this would get you any non-root user over the network (assuming they have a useful shell — I do not know if Solaris 10 is smart about that out of the box).

  • Adam says:

    see alsos:
    http://riosec.com/solaris-telnet-0-day (says it works for root)
    http://erratasec.blogspot.com/2007/02/trivial-remote-solaris-0day-disable.html (says it doesn’t.)

  • Nicko says:

    Those who cannot learn from history are doomed to repeat it.

  • Justin Mason says:

    ah, that brings me back — the first time I read Adam’s online writings on security was back around 1994, too 😉

  • Adam says:

    Justin,
    Are you complaining they haven’t evolved since? 🙂

  • Adam says:

    More links.. a fellow involved in the fix: http://blogs.sun.com/tpenta/entry/the_in_telnetd_vulnerability_exploit

  • Chris says:

    Way cool that Sun let’s us see into the process like this.

  • Chris says:

    s/t’s/ts/g
    (ugh)
