Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

RE: Solaris telnet vulnberability - how many on your network?

From: "Oliver Friedrichs" <oliver_friedrichs () symantec com>
Date: Tue, 13 Feb 2007 09:07:11 -0800

Gadi,

It looks like I was confused, this actually affected AIX and Linux in
1994:

http://www.securityfocus.com/bid/458/info
http://www.cert.org/advisories/CA-1994-09.html

Oliver

-----Original Message-----
From: Gadi Evron [mailto:ge () linuxbox org] 
Sent: Tuesday, February 13, 2007 1:46 AM
To: Oliver Friedrichs
Cc: bugtraq () securityfocus com; full-disclosure () lists grok org uk
Subject: RE: Solaris telnet vulnberability - how many on your network?

On Mon, 12 Feb 2007, Oliver Friedrichs wrote:


Am I missing something?  This vulnerability is close to 10 years old.
It was in one of the first versions of Solaris after Sun moved off of 
the SunOS BSD platform and over to SysV.  It has specifically to do 
with how arguments are processed via getopt() if I recall correctly.


Hey Oliver! :)

Well than, I guess it just became new again. And to be honest, I have to
agree with a previous poster and suspect (only suspect) it could somehow
be a backdoor rather than a bug.

The reason why this vulnerability is so critical is the number of
networks and organizations which rely on Solaris for critical production
servers, as well as use telnet for internal communication on their LAN
(now how smart is that? I'd rather use telnet on the Internet than on a
local LAN).

Further, there are quite a few third party appliances (some
infrastructure back-end) that can not easily be patched running on
Solaris (forget fuzzing or VA, people never even NMAP appliances they
buy).

I am unsure of how long we will see this in to-do items of corporate
security teams around the world, but I am sure Sun's /8 is getting a lot
of action recently.



Oliver


        Gadi.



-----Original Message-----
From: Gadi Evron [mailto:ge () linuxbox org]
Sent: Sunday, February 11, 2007 10:01 PM
To: bugtraq () securityfocus com
Cc: full-disclosure () lists grok org uk
Subject: Solaris telnet vulnberability - how many on your network?

Johannes Ullrich from the SANS ISC sent this to me and then I saw it 
on the DSHIELD list:

----
    If you run Solaris, please check if you got telnet enabled NOW. If



you
    can, block port 23 at your perimeter. There is a fairly trivial
    Solaris telnet 0-day.

    telnet -l "-froot" [hostname]

    will give you root on many Solaris systems with default installs
    We are still testing. Please use our contact form at
    https://isc.sans.org/contact.html
    if you have any details about the use of this exploit.
----

You mean they still use telnet?!

Update from HD Moore:
"but this bug isnt -froot, its -fanythingbutroot =P"

On the exploits@ mailing list and on DSHIELD this vulnerability was 
verified as real.

If Sun doesn't yet block port 23/tcp incoming on their /8, I'd make it



a strong suggestion.

Anyone else running Solaris?

      Gadi.
Previous By Date Next
Previous By Thread Next

Current thread: