Party like it's 1994
A 0-day in Solaris {10,11} telnetd is reported.
SANS has some details.
Anyone who remembers the AIX “rlogin -froot” vuln will appreciate this one.
(h/t to KK on this one)
Wait. You’re mentioning a 0 day in telnet?
I mean, WTF? You’re telling me there’s 0day in an app that sends its auth in the clear, and then is subject to session hijacking?
Sun should be embarrassed to be shipping telnetd in 2007. Is it on by default?
I don’t run Solaris 10, but I understand from folks that have tested this that yes, in.telnetd will be spawned by inetd on a default install, but that root can only login from the console.
So, out of the box, this would get you any non-root user over the network (assuming they have a useful shell — I do not know if Solaris 10 is smart about that out of the box)
see alsos:
http://riosec.com/solaris-telnet-0-day (says it works for root)
http://erratasec.blogspot.com/2007/02/trivial-remote-solaris-0day-disable.html (says it doesn’t.)
Those who cannot learn from history are doomed to repeat it.
ah, that brings me back — the first time I read Adam’s online writings on security was back around 1994, too 😉
Justin,
Are you complaining they haven’t evolved since? 🙂
More links.. a fellow involved in the fix: http://blogs.sun.com/tpenta/entry/the_in_telnetd_vulnerability_exploit
Way cool that Sun let’s us see into the process like this.
s/t’s/ts/g
(ugh)